By year

Vulnerabilities disclosed in 2026

CVEs published in 2026 with SEC.co analysis.

1364 published vulnerabilities · page 13 of 14

  • CVE-2026-33462MEDIUM 4.6

    A path traversal flaw in Kibana's dashboard management allows an authenticated user with basic permissions to craft a malicious dashboard identifier. When an administrator deletes this dashboard, the deletion request bypasses security controls and targets unintended internal endpoints—potentially destroying user accounts or other critical resources. The vulnerability requires an administrator to take action on the malicious object, making it a privilege-escalation path rather than a self-executing exploit.

  • CVE-2026-36174MEDIUM 4.6

    GNCC GP5 devices running version 7.1.76 transmit sensitive wireless network credentials in readable form to the serial console during normal operation. An attacker with physical access to the device's serial port can intercept these credentials, compromising network security. This is a localized but consequential exposure for organizations operating these devices in shared or less-controlled physical environments.

  • CVE-2026-36178MEDIUM 4.6

    A flaw in the factory reset process of GNCC GP5 v7.1.76 leaves sensitive cryptographic keys and related data intact on the device's storage partition even after a factory reset is performed. An attacker with physical access to the device could potentially recover this material and use it to decrypt or impersonate the original user's configuration and encrypted content.

  • CVE-2026-36180MEDIUM 4.6

    GNCC GP5 version 7.1.76 has a security weakness that allows an attacker with physical access to the machine to temporarily modify read-only system files and binaries during a single boot session. The vulnerability exploits bind-mount mechanisms—a Linux/Unix filesystem technique—to circumvent protections meant to keep critical system files locked down. While the attacker needs to be physically present and the changes only persist until reboot, this represents a meaningful integrity risk for systems in shared, controlled, or potentially hostile physical environments.

  • CVE-2026-45153MEDIUM 4.6

    Nextcloud Files app on Android has a PIN bypass vulnerability affecting versions 33.0.0 through 33.0.x. An attacker with physical access to an unlocked Android device can use the back button to circumvent the app's PIN protection and gain unauthorized access to files stored in the Nextcloud app. This is a local attack requiring the device to already be unlocked, but it effectively neutralizes the app-level security control that would normally protect sensitive files even if the phone falls into the wrong hands.

  • CVE-2026-45284MEDIUM 4.6

    Nextcloud's OIDC (OpenID Connect) user authentication module contains a flaw that allows deleted LDAP users to continue authenticating to the system. When an organization uses both LDAP and OIDC for user management, deletion of a user from LDAP does not properly prevent that user from logging in via OIDC. This creates an unintended persistence of access for users who should no longer have system privileges. The issue affects Nextcloud versions 1.3.6 through 8.3.x and has been resolved in version 8.4.0.

  • CVE-2026-10814MEDIUM 4.5

    Milvus, a popular vector database, contains a weakness in how it generates hash identifiers for grantee access control. An attacker with local access and sufficient privileges could exploit weak cryptographic hashing in the Grantee ID Hash Handler to potentially forge or predict access control identifiers, leading to unauthorized data access or modification. The vulnerability requires high technical complexity to exploit and is rated as medium severity.

  • CVE-2026-44640MEDIUM 4.5

    NanoMQ is an edge messaging platform that implements the MQTT protocol for lightweight IoT and edge device communication. A type confusion bug exists in versions before 0.24.14 in how the broker handles QUIC connection objects during the dialing and closing lifecycle. When the broker initiates a QUIC connection (dialing), it stores a pointer as one type (nni_quic_conn), but later during cleanup, the code misinterprets that same pointer as a different type (ex_quic_conn). This mismatch causes the broker to read and operate on invalid memory, resulting in hangs or crashes when closing connections. The issue requires local access and user interaction to trigger.

  • CVE-2026-10100MEDIUM 4.4

    The Simple Custom Login Page plugin for WordPress contains a security flaw that allows administrators to inadvertently inject malicious code into the login page viewed by all users. When a site admin configures colors for the login page through the plugin's settings, an attacker with admin access can craft CSS injection payloads in those color fields. Because the plugin doesn't properly validate these inputs before displaying them, an attacker can break out of the intended styling context and insert arbitrary CSS rules. This enables phishing attacks—for example, by hiding the real login form or overlaying a fake one to steal credentials.

  • CVE-2026-3620MEDIUM 4.4

    The Word Replacer plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 0.4. An attacker with administrator-level access can inject malicious scripts through the plugin's 'replacement' parameter. These scripts persist in the WordPress database and execute whenever any user visits an affected page, potentially allowing credential theft, session hijacking, or defacement. The vulnerability stems from inadequate input validation and output encoding in the plugin code.

  • CVE-2026-45279MEDIUM 4.4

    Nextcloud Server contains a path traversal vulnerability that allows non-admin users to copy files into their own Nextcloud directories in certain scenarios. The vulnerability exists in specific versions and depends on underlying Unix file system permissions. An attacker would need already-elevated user privileges within Nextcloud to exploit this issue, limiting the practical threat surface.

  • CVE-2026-45702MEDIUM 4.4

    OP-TEE, a security-focused component running on Arm processors, contains a type confusion flaw when handling memory-sharing requests from the normal operating system. The vulnerability only affects specific OP-TEE configurations used to manage secure applications (when both SPMC mode and secure partition features are enabled). An attacker with high system privileges can trigger a denial of service, though the flaw does not expose sensitive data or allow code execution. Upgrading to OP-TEE version 4.11.0 or later resolves the issue.

  • CVE-2019-25717MEDIUM 4.3

    Dräger's Infinity Delta, Delta XL, and Kappa patient monitors expose sensitive log files to unauthenticated attackers on the local network. An attacker with network access can retrieve device internals, location data, and network configuration without needing credentials. This is a network-adjacent threat that discloses operational details but does not enable direct device compromise or manipulation.

  • CVE-2024-47273MEDIUM 4.3

    Synology Hyper Backup versions before 4.1.2-4036 contain a path traversal vulnerability in the Backup Task feature that allows an authenticated user to write files outside their intended directory. An attacker with valid credentials could exploit this to place files in restricted locations on the system, potentially compromising system integrity or enabling lateral movement.

  • CVE-2025-52606MEDIUM 4.3

    HCL iControl contains a weakness in how it validates user input during its security architecture implementation. The application fails to properly check that incoming data matches the expected type before processing it, allowing an authenticated attacker to submit malformed input that the system does not adequately verify. This can lead to unintended modifications of application state or data.

  • CVE-2025-53346MEDIUM 4.3

    CVE-2025-53346 is a missing authorization flaw in ThimPress Thim Core that allows authenticated users to modify data or settings they should not have access to. The vulnerability stems from inadequate access control checks, meaning the application fails to properly verify whether a logged-in user has permission to perform specific actions. While an attacker must already have valid login credentials, the weakness could allow them to escalate privileges or tamper with configuration or content outside their intended scope.

  • CVE-2026-10028MEDIUM 4.3

    CVE-2026-10028 is a denial-of-service vulnerability in glib-networking that can be triggered when an attacker presents a maliciously crafted certificate chain containing circular issuer relationships. When an application using glib-networking with GnuTLS backend processes such a chain, the certificate verification logic enters an infinite loop, consuming CPU resources until the process becomes unresponsive. The attack requires user interaction (such as visiting a malicious website or accepting a connection) and affects only the targeted process, not the wider system.

  • CVE-2026-10113MEDIUM 4.3

    Open5GS, an open-source 5G core network software suite, contains a vulnerability in its Shared NF-profile Parser component that can be exploited to disrupt service availability. An attacker with network access and valid authentication credentials can trigger a denial of service condition by manipulating the NF-profile parsing logic. The vulnerability affects Open5GS versions up to 2.7.7, and public exploit information is available, increasing the risk of active exploitation.

  • CVE-2026-10114MEDIUM 4.3

    Open5GS versions up to 2.7.7 contain a flaw in how they parse shared NF profile information. When processing certain malformed input, the application writes data beyond the intended memory boundary, potentially crashing the service. While an attacker must have valid network credentials to exploit this, the vulnerability has been publicly disclosed, increasing the likelihood it will be weaponized.

  • CVE-2026-10115MEDIUM 4.3

    Open5GS, an open-source 5G core network implementation, contains a flaw in how it parses network function profiles. An authenticated attacker can send a specially crafted request that causes the affected service to become unresponsive, disrupting normal operations. The vulnerability requires valid credentials to exploit and does not lead to data theft or unauthorized access—only temporary unavailability. Versions up to 2.7.7 are affected.

  • CVE-2026-10116MEDIUM 4.3

    A vulnerability in Open5GS, a popular open-source 5G core network implementation, allows authenticated users to trigger a denial-of-service condition by manipulating the UE authentication endpoint. The flaw resides in timer transaction handling code and can be exploited remotely by anyone with legitimate access to the authentication service. Public exploit code is available, increasing the practical risk of abuse.

  • CVE-2026-10117MEDIUM 4.3

    Open5GS, an open-source 5G core network implementation, contains a vulnerability in its HTTP/2 server library that can be exploited to cause a denial of service. An attacker with valid credentials can remotely trigger the issue by manipulating specific inputs to the pool allocation function, causing the application to become unresponsive or crash. Versions up to 2.7.7 are affected. Public exploit code exists, increasing the risk of opportunistic attacks.

  • CVE-2026-10153MEDIUM 4.3

    A cross-site scripting (XSS) vulnerability has been identified in westboy CicadasCMS. The flaw exists in the Search function and can be exploited by manipulating a specific argument to inject malicious scripts. An attacker can send a crafted request to a vulnerable instance to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session data, credentials, or performing actions on their behalf. Exploitation requires user interaction (such as clicking a malicious link) but does not require authentication. A proof-of-concept has already been published, increasing practical risk.

  • CVE-2026-10154MEDIUM 4.3

    Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2 contain an authorization bypass vulnerability in the user messaging module. An authenticated attacker can manipulate the ID parameter in htdocs/user/messaging.php to access or view information they should not have permission to see. The vulnerability requires valid login credentials but allows a logged-in user to circumvent access controls. Upgrading to version 23.0.3 resolves the issue.

  • CVE-2026-10156MEDIUM 4.3

    Open5GS, a popular open-source 5G core network implementation, contains a denial-of-service vulnerability in versions up to 2.7.7. An authenticated attacker can manipulate how the system manages network function instance information, causing the application to consume excessive resources and become unresponsive. The vulnerability has been publicly disclosed, but a patch is already available. This is a moderate-severity issue requiring prioritization for 5G infrastructure operators and anyone running affected Open5GS deployments.

  • CVE-2026-10173MEDIUM 4.3

    Orthanc Explorer 2 versions up to 1.12.0 contain a reflected cross-site scripting (XSS) vulnerability in the StudyList component. An attacker can craft a malicious URL with a specially crafted 'remote-source' parameter that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the Orthanc application. This allows theft of session tokens, modification of data, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction—a victim must click a malicious link—but can be exploited remotely without authentication.

  • CVE-2026-10215MEDIUM 4.3

    A flaw in Dolibarr ERP CRM's Leave Request REST API fails to properly check whether users have permission to access specific leave request objects. An authenticated attacker can remotely exploit this to view leave data they should not be able to see. The vulnerability affects versions up to 23.0.1, and Dolibarr has released version 23.0.2 as a fix. Because the exploit has been publicly disclosed, this poses an active risk despite its moderate CVSS score.

  • CVE-2026-10282MEDIUM 4.3

    Bottelet DaybydayCRM versions up to 2.2.1 contain an authorization flaw in the Documents controller that allows authenticated users to access files they shouldn't be able to view. An attacker with valid login credentials can exploit this remotely to read sensitive documents beyond their intended access scope. The vulnerability is rated MEDIUM severity and requires patching.

  • CVE-2026-10289MEDIUM 4.3

    A cross-site scripting (XSS) vulnerability exists in Hotel and Tourism Reservation System version 1.0. An attacker can inject malicious scripts by manipulating parameters in the reservation form—specifically the name, email, people count, or booking number fields in the /ht/tour.php file. When a victim visits a crafted link or page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or defacement. Public exploits are available, increasing active exploitation risk.

  • CVE-2026-10291MEDIUM 4.3

    Enderfga's claw-orchestrator contains a flaw in how it validates regular expressions in the Session Grep Endpoint. An authenticated attacker can supply a maliciously crafted regex pattern that forces excessive CPU consumption, potentially slowing or freezing the service. This is a medium-severity issue affecting versions up to 3.7.0 and is remedied by upgrading to 3.7.1.

  • CVE-2026-10294MEDIUM 4.3

    PackageKit, a system library for package management on Linux, contains an authorization bypass vulnerability in versions up to 1.3.5. An authenticated attacker can manipulate the frontend-socket parameter in the API to gain unauthorized access to sensitive information. The vulnerability requires an existing user account to exploit but does not require user interaction. While the attack surface is somewhat limited by authentication requirements, the unauthorized information disclosure poses a real security concern for systems relying on PackageKit.

  • CVE-2026-10301MEDIUM 4.3

    A reflected cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0. An attacker can craft a malicious URL containing JavaScript code in the 'page' parameter of index.php. When a user visits this link, the script executes in their browser, potentially allowing theft of session cookies, credential capture, or malware redirection. The vulnerability requires user interaction (clicking a link) but poses a meaningful risk to organizations running this system, especially those handling sensitive fee or financial data.

  • CVE-2026-10616MEDIUM 4.3

    GoClaw, a component of nextlevelbuilder, contains a flaw in how it validates permissions when completing team tasks. An authenticated attacker can manipulate the Team Task Completion Handler to bypass authorization checks, potentially modifying task records they shouldn't have access to. The vulnerability requires a valid login and network access, and affects versions up to 3.11.3. While the issue carries a medium risk profile, the public availability of exploit details increases practical attack likelihood.

  • CVE-2026-10624MEDIUM 4.3

    CVE-2026-10624 is a moderate-severity vulnerability in SourceCodester Human Resource Management version 1.0 that allows authenticated users to access employee information they should not be able to view. The flaw exists in the Employee View Page component and stems from improper handling of the 'employeeid' parameter, which an attacker can manipulate to bypass access controls. Because exploit code has been publicly disclosed, this vulnerability poses a realistic risk to organizations running affected systems.

  • CVE-2026-10661MEDIUM 4.3

    A vulnerability in the blender-mcp project allows an authenticated attacker to inject malicious input through the input_image_url parameter in the Open function of src/blender_mcp/server.py. Because authentication is required and the vulnerability only exposes limited information (not enabling code execution or system availability impact), the overall risk is moderate. However, the public disclosure means exploitation techniques are now accessible to threat actors.

  • CVE-2026-10691MEDIUM 4.3

    A vulnerability in wonderwhy-er DesktopCommanderMCP through version 0.2.38 allows an authenticated user to trigger a denial-of-service condition by crafting malicious search result data that causes inefficient regular expression processing. The flaw is in the search-manager component and can be exploited remotely by any logged-in user. The vendor has released version 0.2.39 with a fix.

  • CVE-2026-10692MEDIUM 4.3

    A flaw exists in code-index-mcp versions up to 2.14.0 that allows authenticated users to cause performance degradation through specially crafted regular expressions. By submitting a malicious regex pattern to the search_code_advanced function, an attacker can trigger inefficient regex processing that consumes excessive CPU resources, leading to application slowdown or unresponsiveness. This is a denial-of-service weakness that requires login credentials to exploit but does not compromise confidentiality or data integrity.

  • CVE-2026-10702MEDIUM 4.3

    A flaw in Firefox's JavaScript Just-In-Time (JIT) compiler can cause it to miscompile code in certain circumstances. When a user visits a malicious website, the affected browser may crash or become unstable due to incorrect code generation during compilation. This is not a memory corruption issue and does not allow attackers to steal data or take control of the system, but it does impact availability and user experience.

  • CVE-2026-10802MEDIUM 4.3

    A resource consumption vulnerability exists in KeystoneJS, an open-source headless CMS and GraphQL API framework. The flaw resides in the GraphQL API endpoint handler and can be exploited by authenticated users to exhaust server resources, potentially causing a denial-of-service condition. The vulnerability affects KeystoneJS versions up to March 19, 2026. Exploitation requires valid credentials but can be performed remotely over the network.

  • CVE-2026-10810MEDIUM 4.3

    A cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0 and earlier. The flaw is located in the /navbar.php file, where unsanitized input in the 'page' parameter allows an attacker to inject malicious scripts. An attacker can craft a malicious URL and trick a user into clicking it, causing the injected script to execute in the victim's browser. This could lead to session hijacking, credential theft, or malware distribution. Public exploit code is available, increasing the risk of opportunistic attacks.

  • CVE-2026-10854MEDIUM 4.3

    CVE-2026-10854 is a visibility control flaw in MISP's event template creation feature that allowed unauthorized users to see private galaxy data from other organizations. When creating an event template, the system listed all enabled galaxies without checking whether the user's organization owned them or whether they were marked private. This exposed sensitive metadata like galaxy type and description to users who shouldn't have access. The vulnerability requires authentication to exploit and affects only information disclosure—no data modification or denial of service is possible. MISP has patched the issue by filtering galaxy visibility based on organization ownership and distribution settings.

  • CVE-2026-10855MEDIUM 4.3

    MISP, a threat intelligence platform, contained an authorization flaw in its event template import feature. When an authenticated user attempted to overwrite an existing event template, the system verified that a template with that name existed but failed to check whether the importing user's organization actually owned it. This allowed users from one organization to forcibly overwrite event templates belonging to other organizations. The flaw only affected non-administrator users; site administrators retained the ability to manage templates across organizational boundaries by design. The vulnerability has been remediated by adding an ownership verification step before permitting any template overwrite operation.

  • CVE-2026-10864MEDIUM 4.3

    A flaw in MISP's dashboard widgets allows authenticated users with low-level access to bypass field restrictions and view sensitive information they shouldn't have access to. By manipulating which data fields the New Users and New Organisations widgets display, attackers can circumvent settings designed to hide user email addresses and other restricted organization metadata. The vulnerability stems from how the application processes field filtering—if redaction leaves the field list empty, it falls back to returning unfiltered data instead of enforcing safe defaults.

  • CVE-2026-11031MEDIUM 4.3

    Google Chrome's Password Manager fails to properly validate input from network traffic before displaying it to users. An attacker can craft malicious network data that tricks the Password Manager interface into showing fake or misleading information—for example, a phishing prompt that looks legitimate. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux.

  • CVE-2026-24756MEDIUM 4.3

    Kiteworks, a platform for secure data sharing and management, contains a flaw that allows authenticated users to modify data belonging to other users. The vulnerability stems from the application failing to properly verify that a user should have access to resources they're attempting to change. An attacker with valid credentials could exploit this to alter forms, templates, or other shared resources without authorization. The fix requires upgrading to version 9.3.0 or later.

  • CVE-2026-28511MEDIUM 4.3

    eLabFTW, an open-source electronic lab notebook platform, contains an information disclosure vulnerability affecting versions before 5.4.2. When an authenticated user performs a numeric search or reference lookup, the system may return resource titles that the user should not have access to view. The actual content of those resources remains protected—only the titles are exposed. This is particularly concerning because titles may contain sensitive information such as project names, patient identifiers, or regulated data that could constitute unauthorized disclosure.

  • CVE-2026-32250MEDIUM 4.3

    NamelessMC, a website platform used for Minecraft server management, contains a reflected cross-site scripting (XSS) vulnerability in version 2.2.4. The flaw exists in how the application handles the `id` parameter on the user queries endpoint. An attacker can embed malicious JavaScript in a specially crafted URL; when a user clicks that link, the script runs in their browser with access to the site's session and data. This could enable attackers to steal session cookies, redirect users to phishing pages, or modify page content to deceive users.

  • CVE-2026-32906MEDIUM 4.3

    OpenClaw versions prior to 2026.5.12 contain a privilege escalation flaw in their Slack plugin approval system. Users who hold limited exec approval permissions can manipulate the approval workflow to bypass intended authorization checks, allowing them to approve plugin actions that should require additional oversight or operator configuration. The vulnerability requires an authenticated user to exploit, reducing but not eliminating risk in environments with permissive access controls.

  • CVE-2026-34193MEDIUM 4.3

    CVE-2026-34193 describes a logic error in GPU memory address translation that allows a compromised kernel running inside a virtual machine to send malformed commands to the GPU firmware, causing it to write data to unintended locations in firmware memory. The vulnerability requires local access and an already-compromised kernel to exploit, but once triggered, it can corrupt GPU firmware state without authorization.

  • CVE-2026-36602MEDIUM 4.3

    A Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 has a flaw in its UPnP service that exposes internal kernel memory addresses to anyone on the same network segment. An attacker can query the router's UPnP interface to extract a raw MIPS kernel pointer, effectively creating a roadmap of how the router's operating system is laid out in memory. While this doesn't directly compromise the device, it removes a significant barrier to follow-up attacks by revealing memory layout details that are normally hidden.

  • CVE-2026-36613MEDIUM 4.3

    Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 leak sensitive internal memory to unauthenticated attackers on the same network. When an attacker sends HTTP POST requests to non-existent paths on the router's web interface, the device inadvertently returns 128 bytes of uninitialized buffer memory. This exposed data may contain router state information, configuration details, or other sensitive runtime values. The vulnerability requires physical or network adjacency—an attacker must be on the same local network segment—but no authentication or user interaction is needed to trigger it.

  • CVE-2026-36615MEDIUM 4.3

    The Mercusys AC12G (EU) router running firmware version AC12G(EU)_V1_200909 contains an unauthenticated information disclosure vulnerability. An attacker on the same local network can access a hidden endpoint (/agileconfigreset) that leaks internal buffer contents without requiring any credentials or user interaction. This information could be used to further compromise the device or the network it serves.

  • CVE-2026-36618MEDIUM 4.3

    The Mercusys AC12G (EU) router with firmware version AC12G(EU)_V1_200909 has a configuration issue that allows anyone on the local network to discover which version of the DNS resolver software (unbound 1.22.0) is running on the device. An attacker can query the router for this information and use it to identify known vulnerabilities affecting that specific DNS software version, making targeted attacks easier. This is a local network exposure only—an attacker would need network access to the router or its subnet to exploit it.

  • CVE-2026-4071MEDIUM 4.3

    The BirdSeed WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to change the plugin's authentication token without the site administrator's knowledge. An attacker can craft a malicious link or webpage that, when clicked by an admin, silently modifies the BirdSeed token stored in the site's database. This breaks the trust chain between your WordPress site and the BirdSeed service. The vulnerability affects all versions up to and including 2.2.0 and requires social engineering—tricking an administrator into clicking a link—but no authentication or special privileges are needed from the attacker's side.

  • CVE-2026-40914MEDIUM 4.3

    Apache Artemis has a flaw in how it enforces permissions when users communicate via the STOMP protocol. A user with permission to send or receive messages on a particular address can trick the system into accepting messages with a message routing-type that the address doesn't normally support. This bypasses an important security boundary: only administrators with explicit createAddress permission should be able to change an address's routing-type capabilities. An attacker could exploit this to send or consume messages in ways that violate the intended security policy, even though their basic send/consume permissions are legitimate.

  • CVE-2026-41014MEDIUM 4.3

    Apache Airflow contains an authorization bypass in its UI that allows authenticated users to view information about data pipeline runs (DAGs) they shouldn't have access to. Specifically, a user with broad asset-level read permissions can see partition run states, scheduling details, and data connections for DAGs restricted to other teams or users. This affects only deployments that intentionally segment DAG access by user or role while granting wider asset visibility. The vulnerability requires an existing user account and network access to the Airflow UI or API.

  • CVE-2026-41115MEDIUM 4.3

    Apache Kafka contains an authorization mismatch in its consumer group metadata API. The CONSUMER_GROUP_DESCRIBE operation checks for DESCRIBE permission on groups, but Kafka's documentation and the relevant design specification (KIP-848) incorrectly state it should check for READ permission. This inconsistency between code behavior and documentation can lead to misconfigured access controls—either granting unintended READ access to users who only have DESCRIBE permissions, or blocking legitimate access for users who rely on documentation-based ACL configurations. The vulnerability is not a code flaw but a documentation gap that can cause real-world security postures to diverge from intent.

  • CVE-2026-41160MEDIUM 4.3

    EspoCRM contains a logic flaw that allows lower-privileged users to pin notes they don't have permission to edit. The vulnerability stems from a timing issue in the API backend: the system modifies the note in the database before checking whether the user is actually authorized to do so. Even though the server returns an error message afterward, the damage is already done—the note remains pinned. This affects EspoCRM versions before 9.3.5.

  • CVE-2026-42540MEDIUM 4.3

    IRIS is a collaborative web platform used by incident response teams to share and document technical details during security investigations. A vulnerability in versions before 2.4.28 allows authenticated users to modify database records through specially crafted API requests, potentially corrupting or altering incident investigation data. The issue requires valid login credentials to exploit and affects data integrity rather than confidentiality.

  • CVE-2026-42543MEDIUM 4.3

    IRIS, a web-based platform used by incident responders to collaborate and share technical details during investigations, contains a cross-site request forgery (CSRF) vulnerability in versions prior to 2.4.28. The vulnerability exists because the platform uses HTTP GET requests to perform state-changing actions on the server—a design flaw that allows an attacker to trick authenticated users into unknowingly executing unwanted actions. An attacker could craft a malicious link or webpage that, when visited by an IRIS user, silently modifies data or settings without the user's knowledge or consent.

  • CVE-2026-45264MEDIUM 4.3

    Nextcloud versions spanning 17.0.0 through 21.0.3 contain a permission bypass vulnerability that allows users with read and create access—but explicitly not update access—to rename files within team folders. This unintended capability undermines the granular permission model Nextcloud enforces, potentially enabling unauthorized modification of file metadata and organizational disruption. The issue affects a broad version range and has been patched across all active release lines.

  • CVE-2026-45286MEDIUM 4.3

    An authenticated user on a Nextcloud instance can discover other users' identities by abusing the Calendar app's attendee-suggestion feature. The vulnerability exists because this endpoint bypasses the access controls that Nextcloud applies elsewhere. An attacker already logged into the system can systematically enumerate valid usernames, potentially laying groundwork for targeted attacks like password spraying or social engineering. The flaw affects Nextcloud versions 5.5.13 through 5.5.16 and 6.2.0 through 6.2.2.

  • CVE-2026-45544MEDIUM 4.3

    Nextcloud Tables, a collaborative document and data management component, contains an information disclosure vulnerability affecting versions 0.8.0 through 1.0.3. The issue allows users with read-only access to view filter criteria—potentially including sensitive column names, field definitions, or search logic—that should have been restricted to higher-privilege users. This represents a low-severity data exposure that could leak operational details about table structure and content filtering strategies. The vulnerability has been resolved in Nextcloud Tables versions 1.0.4 and 2.0.0.

  • CVE-2026-45729MEDIUM 4.3

    ThorVG, a vector graphics rendering engine, contains a flaw that can crash applications using it when they process malicious SVG files. An attacker can craft a specially formatted SVG document as small as 6 bytes that triggers an application crash when the affected code path is invoked. This is a denial-of-service vulnerability affecting availability but not data confidentiality or integrity. The issue was introduced in earlier versions and is resolved in ThorVG 1.0.5.

  • CVE-2026-46605MEDIUM 4.3

    Apache ActiveMQ has an authorization flaw that allows authenticated users to delete message queues and topics they shouldn't be able to modify. An attacker with valid credentials to your messaging system could disrupt operations by removing critical destinations, even if permission controls suggest they shouldn't have that ability. This affects ActiveMQ versions before 5.19.7 and 6.0.0 through 6.2.5.

  • CVE-2026-46764MEDIUM 4.3

    Apache Airflow contains an authorization bypass flaw in its audit-log API endpoints. An authenticated user with read access to audit logs for one workflow (Dag) can bypass per-Dag scoping restrictions and view audit-log entries from any other Dag in the same Airflow deployment by directly requesting specific event log IDs. The vulnerability stems from inconsistent permission enforcement: the collection endpoint properly restricts results by Dag, but the detail endpoint applies only a generic audit-log permission check without verifying the requester has access to the specific Dag whose logs are being retrieved. This allows low-privileged users to enumerate and read sensitive audit trails across Dags they should not be able to access.

  • CVE-2026-47675MEDIUM 4.3

    Hono, a JavaScript web framework, contains a flaw in how it sanitizes cookie options. While the framework validates certain cookie parameters (domain and path) to prevent malicious characters from breaking the Set-Cookie header, it fails to apply the same checks to sameSite and priority options. If an application passes user-controlled input directly into these parameters, an attacker could inject additional cookie attributes into the response header, potentially manipulating cookie behavior or setting unintended security policies.

  • CVE-2026-47696MEDIUM 4.3

    WWBN AVideo, an open-source video hosting platform, contains a payment processing vulnerability in versions 29.0 and earlier. When both the AuthorizeNet and YPTWallet plugins are active, any logged-in user can artificially inflate their account wallet balance without actually paying. The vulnerable endpoint accepts a user-supplied amount parameter and immediately credits the wallet without verifying that a real payment transaction occurred through Authorize.Net. This is a financial manipulation flaw that bypasses payment authentication entirely.

  • CVE-2026-48810MEDIUM 4.3

    FreeScout, a free help desk platform built on Laravel, contains an authorization flaw in version 1.8.220 and earlier. A user with conversation editing permissions who authored a message in one mailbox can edit that message's content even after an administrator removes them from that mailbox. The vulnerability exploits a gap in access controls: the system verifies the user created the message and has the global edit permission, but fails to confirm the user still belongs to the mailbox where the conversation lives. This allows former mailbox members to alter thread history and potentially mislead team members or customers.

  • CVE-2026-48811MEDIUM 4.3

    FreeScout, an open-source helpdesk and shared inbox platform, contains a flaw that allows former team members to permanently delete internal notes—even after their access to the mailbox has been revoked. A non-admin user who previously created private threads in a conversation can return and destroy those notes without authorization, because the system fails to verify whether the user still belongs to the mailbox. This affects FreeScout versions before 1.8.221.

  • CVE-2026-4888MEDIUM 4.3

    Everest Forms, a popular WordPress form-building plugin, contains a security flaw that allows low-privilege logged-in users to send emails from your website to anyone they choose. Any user with Subscriber access or higher can exploit this by calling an internal email-testing function without proper permission checks. This doesn't require clicking malicious links or advanced technical skills—just authenticated access to your WordPress admin panel.

  • CVE-2026-49140MEDIUM 4.3

    Nanobot versions before 0.2.1 have a denial-of-service flaw in how they handle media downloads from Matrix chat rooms. An authenticated user in a room can deliberately send specially crafted media events with missing or wrong size information, causing the system to download large files without properly checking their declared sizes first. By sending many of these malicious requests at once, an attacker can force the Nanobot process to consume excessive memory and bandwidth until the service becomes slow or unresponsive. The attacker must already be a member of the room to exploit this.

  • CVE-2026-48522MEDIUM 4.2

    PyJWT, a widely-used Python library for JSON Web Token handling, has a vulnerability in versions before 2.13.0 where it blindly accepts any URL scheme when fetching public key sets (JWKS). An attacker who can influence the URL used to fetch these keys—through JWT headers, configuration, or OAuth parameters—can trick the application into reading local files, attempting unusual protocol connections (FTP, data URIs), or in certain chained scenarios, forging valid tokens. The vulnerability requires specific conditions: the attacker must control the URL source, and token forgery scenarios require additional application-layer flaws like writable filesystem access.

  • CVE-2024-47263MEDIUM 4.1

    A path traversal flaw in Synology Hyper Backup's web API allows administrators who already have legitimate access to write files outside their intended directory. The vulnerability is constrained to non-sensitive file types, limiting immediate damage, but represents a control-boundary weakness that could enable privilege misuse or lateral movement in environments where admin accounts are compromised or where insider threat is a concern.

  • CVE-2026-10052MEDIUM 4.1

    Quay's configuration tool contains a weakness in how it validates LDAP and SMTP settings. When a configuration editor supplies endpoints for these services, the tool connects to them without restricting which IP addresses or hostnames are allowed. An attacker with config editor privileges can abuse this to make the Quay container reach internal network resources, allowing them to map and discover the organization's internal infrastructure from inside the cluster's network position.

  • CVE-2026-37700MEDIUM 4.1

    MaxSite CMS version 109.2 contains a cross-site scripting (XSS) vulnerability in its backend file upload feature that allows authenticated attackers to inject malicious scripts. When an administrator performs a file upload through the admin page endpoint, an attacker with login credentials could craft a request that executes JavaScript in the victim's browser, potentially exposing sensitive information displayed during the upload process.

  • CVE-2026-42401MEDIUM 4.1

    CVE-2026-42401 is a stored HTML injection vulnerability in Kibana that allows an attacker with write access to an Elasticsearch index to inject malicious markup. When other users view the affected Kibana dashboard or visualization, the injected code is not properly sanitized before rendering in their browser. This can enable unauthorized UI changes and cause the victim's browser to make unintended outbound network requests on their behalf.

  • CVE-2019-25723MEDIUM 4.0

    Dräger Perseus A500 ventilators running software versions 2.00 through 2.02 are vulnerable to a denial-of-service attack. An attacker on the network can send malformed data through the Medibus medical interface to crash the device's processor, forcing a warm restart. During this restart—which lasts several seconds—ventilation pressure drops to ambient level, temporarily interrupting therapy delivery before the device recovers. This is a network-accessible vulnerability with no authentication required, making it a genuine concern for clinical environments.

  • CVE-2019-25734MEDIUM 4.0

    Contact Form by WD version 1.13.1 has a security flaw that combines two weaknesses: a cross-site request forgery (CSRF) vulnerability and local file inclusion (LFI). An unauthenticated attacker can craft a malicious web form that, when visited by an admin, tricks the admin's browser into loading arbitrary files from the server using directory traversal sequences. This bypasses the normal authentication checks on certain WordPress AJAX actions, potentially exposing sensitive files.

  • CVE-2021-4479MEDIUM 4.0

    Dräger Atlan A350 patient monitoring devices running firmware versions 1.00 through 1.01 are vulnerable to a denial-of-service attack delivered through the Medibus network interface. An attacker can send malformed data packets that the device fails to validate properly, causing the internal processor to become overloaded. Over several hours, this degradation manifests as loss of data transmission capability, delays in displaying vital sign curves, and discrepancies between measured airway pressure and displayed values—conditions that could compromise clinical decision-making in critical care settings.

  • CVE-2026-10099MEDIUM 4.0

    XX-Net V5.16.6 has a flaw in how it processes WebSocket communications that causes data corruption. When a client sends WebSocket frames without proper masking, the server incorrectly interprets the first 4 bytes of the message as a mask key (even when masking wasn't used), then mangles the rest of the data by applying the wrong decryption. This results in corrupted data being processed by the application. The vulnerability affects local attack scenarios and has medium severity.

  • CVE-2026-10998MEDIUM 4.0

    CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.

  • CVE-2026-28581MEDIUM 4.0

    A logic error in Android's call processing code allows an application to initiate emergency calls without proper authorization checks. The vulnerability stems from inadequate validation in the CallIntentProcessor when determining the initiating user, potentially enabling an app to trigger emergency dialing functionality that should be restricted. No user interaction is required for exploitation, and the issue affects multiple Android versions.

  • CVE-2026-30963LOW 3.9

    Capsule is a Kubernetes framework that uses webhooks to prevent tenant administrators from hijacking namespaces—essentially taking control of cluster resources they shouldn't own. The framework checks most update requests, but it misses two specific APIs (namespace/status and namespace/finalize subresources) that can also change namespace ownership markers. Before version 0.13.0, a tenant admin with permission to use these subresources could bypass the webhook protection and seize a namespace. Version 0.13.0 patches this gap by ensuring the webhook intercepts both subresource types.

  • CVE-2026-10299LOW 3.8

    CVE-2026-10299 is a resource identifier control vulnerability in code-projects Online Hospital Management System version 1.0. An authenticated attacker with high-level privileges can manipulate the 'delid' parameter in the viewdoctortimings.php file to cause unintended modifications or deletion of data. While the flaw requires administrative or high-privilege access and carries a low CVSS score, the availability of public exploit code warrants attention in environments running this system.

  • CVE-2026-40510LOW 3.8

    OpenSC, a widely-used open-source smart card library, contains a stack buffer overflow flaw in how it processes the Key History Object from PIV (Personal Identity Verification) cards. An attacker with physical access to a system could craft a malicious smart card or USB device that returns an oversized URL field—exceeding 118 bytes—triggering memory corruption. This vulnerability requires the attacker to be physically present at the machine and involves user interaction, limiting its reach but posing a real concern in environments where untrusted hardware may be connected.

  • CVE-2026-40528LOW 3.8

    OpenSC, a widely-used open-source library for working with smart cards and cryptographic tokens, contains a buffer overflow vulnerability in its profile configuration parser. When OpenSC's pkcs15-init tool processes a maliciously crafted configuration file, it can be tricked into copying more data than a buffer can hold, corrupting memory. An attacker would need local access to supply the malicious file and convince a user to run the initialization tool, but successful exploitation could allow memory corruption and potential code execution.

  • CVE-2026-45683LOW 3.8

    OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 contain a memory disclosure vulnerability in the Java TLS monitoring probe. The vulnerability stems from incorrect kernel memory access calls that allow a local attacker to read sensitive kernel memory and exfiltrate it through the instrumentation telemetry pipeline. This is a localized information disclosure risk that requires local process-level access to exploit.

  • CVE-2025-52609LOW 3.7

    HCL iControl is missing HTTP security headers that would instruct modern web browsers to block cross-site scripting (XSS) attacks. Without these headers—such as Content-Security-Policy or X-XSS-Protection—the application relies on older browser XSS filters that are inconsistently implemented and increasingly deprecated. An attacker could craft malicious input that, when processed by iControl, gets reflected in responses without proper sanitization, potentially allowing script execution in users' browsers.

  • CVE-2026-10169LOW 3.7

    A weakness in the password recovery feature of OUSL-GROUP-BrinaryBrains School Student Management System allows an attacker to manipulate the email parameter in the forgot password function, potentially leading to unauthorized password resets or account takeover. The vulnerability exists in the Login.php controller's ajax_forgot_password endpoint. While exploitable remotely, the attack requires specific conditions and is considered of low severity. Exploit code is publicly available, increasing risk of opportunistic attacks.

  • CVE-2026-10216LOW 3.7

    A vulnerability has been discovered in unitedbyai droidclaw version 0.5.3 and earlier that weakens authentication security on the claim endpoint. The flaw allows attackers to bypass rate limiting or account lockout protections during login attempts, potentially enabling brute-force attacks to guess user credentials. While a public exploit exists, the attack requires specific conditions and technical skill to execute successfully. The vendor has been notified but has not yet released a fix.

  • CVE-2026-10300LOW 3.7

    SGLang version 0.5.10.post1 contains a vulnerability in its inference HTTP endpoint that can be triggered by manipulating the lora_path argument. When an attacker provides a specially crafted lora_path value, the system reaches an assertion condition that causes the service to become unavailable. This is a remote vulnerability requiring network access, though the attack is complex to execute and not trivial to exploit in practice.

  • CVE-2026-24761LOW 3.7

    CVE-2026-24761 is an authorization flaw in Kiteworks Secure Data Forms that allows authenticated users to view metadata belonging to other users. Because the system doesn't properly verify who owns a resource before allowing access, a legitimate user can craft requests to retrieve information about files and documents they shouldn't see. The vulnerability requires an attacker to already have valid credentials and involves a higher complexity of exploitation, which limits its risk profile. This affects Kiteworks versions before 9.3.0.

  • CVE-2026-44546LOW 3.7

    Daphne, a popular ASGI server for Django applications, contains a header parsing vulnerability that allows attackers to inject additional HTTP headers into requests under specific conditions. The issue arises from a mismatch in how Daphne and the underlying WebSocket library (autobahn) interpret certain whitespace characters as line separators. By crafting requests with specific byte sequences in header values, an attacker can inject headers that the application receives, potentially leading to security bypasses depending on application logic. Daphne versions before 4.2.2 are affected. The vulnerability has a low CVSS score (3.7) and requires specific conditions to exploit, but organizations running affected versions should still apply the patch.

  • CVE-2026-48524LOW 3.7

    PyJWT, a widely-used Python library for handling JSON Web Tokens (JWTs), contains a weakness in how it fetches public signing keys. When a JWT arrives with an unfamiliar key identifier (kid), the library will make a fresh HTTP request to retrieve the correct signing key—without any protection against repeated requests for the same unknown identifier. An attacker can exploit this by sending JWTs with different fake kid values, forcing the library to make outbound requests for each one. While the actual impact depends on whether the signing-key endpoint has its own rate limiting or becomes saturated, the vulnerability allows an attacker to potentially cause a denial-of-service condition through request amplification. This issue is resolved in PyJWT 2.13.0 and later.

  • CVE-2026-10766LOW 3.6

    MLRun versions up to 1.12.0-rc3 contain a weakness in how they hash dataframes. The vulnerable function in mlrun/utils/helpers.py uses cryptographic methods that are considered inadequate for security purposes. An attacker with local access to a system running MLRun could potentially manipulate or forge data integrity checks, though doing so requires significant technical effort and local privileges. The vulnerability is not currently listed as actively exploited in the wild, but proof-of-concept details have been publicly disclosed.

  • CVE-2026-10775LOW 3.6

    CVE-2026-10775 is a denial-of-service vulnerability in SGLang's cache handling mechanism. An attacker with local system access and user-level privileges can trigger a crash or service interruption by exploiting the data_hash function in the cache handler. The attack requires specific knowledge of the system's cache internals, making it moderately difficult to execute, though proof-of-concept code has been publicly disclosed.

  • CVE-2026-10800LOW 3.6

    PaddlePaddle FastDeploy versions up to 2.4.1 contain a weakness in how the MultimodalHasher component generates hashes for multimodal features. An attacker with local system access and user-level privileges could manipulate the hash_features function to use cryptographically weak hashing, potentially allowing them to forge or predict hash values. This is a low-severity issue that requires both local access and significant technical effort to exploit.

  • CVE-2026-10801LOW 3.6

    A weakness in how ModelScope's ms-swift library (versions up to 4.2.0) hashes cached PIL images creates a local integrity risk. An attacker with local system access and user-level privileges could manipulate image cache validation, potentially leading to cache poisoning or image substitution. The vulnerability requires significant technical effort to exploit and poses limited immediate threat in most environments, but should be addressed before deployment in sensitive workflows.

  • CVE-2026-10803LOW 3.6

    MLflow versions up to 3.10.0 contain a cryptographic weakness in the Dataset Digest Computation module. The vulnerability uses an insufficiently strong hash function for dataset digest operations, which could allow an attacker with local system access and user-level privileges to tamper with dataset integrity checks or trigger application errors. Exploitation requires significant technical effort and local presence on the affected machine.