By year

Vulnerabilities disclosed in 2026

CVEs published in 2026 with SEC.co analysis.

1364 published vulnerabilities · page 14 of 14

  • CVE-2026-10804LOW 3.6

    Streamlit versions up to 1.53.0 contain a weak cryptographic hashing vulnerability in its palette handler component. An attacker with local system access and authenticated user privileges can manipulate the hashing function to produce predictable or non-unique hash values, potentially allowing them to bypass integrity checks or cause minor application disruptions. The attack is complex and requires deep knowledge of the affected code path, making opportunistic exploitation unlikely. However, the vulnerability is not currently tracked as an active threat on CISA's Known Exploited Vulnerabilities catalog.

  • CVE-2026-10812LOW 3.6

    GPTCache versions up to 0.1.44 contain a weakness in how it hashes image data used for cache key generation. An attacker with local access to a system running vulnerable GPTCache can manipulate image input parameters to exploit weak cryptographic hashing, potentially causing data integrity issues. The attack requires elevated complexity to execute and is not considered an immediate threat to most deployments, but organizations using GPTCache for image processing should monitor for patches.

  • CVE-2026-10813LOW 3.6

    LMCache versions up to 0.4.6 contain a cryptographic weakness in the KV Cache Handler component, specifically in how it converts hash values to integers. An attacker with local system access could manipulate this weak hash function to potentially compromise data integrity or availability. However, exploiting this requires significant technical complexity and local access privileges, limiting its practical risk in most environments.

  • CVE-2026-10228LOW 3.5

    A cross-site scripting (XSS) vulnerability exists in the raisulislamg4 student_management_system_by_php project. The flaw resides in the admission_form_check.php file, where user input passed through the Message parameter is not properly sanitized before being reflected in the web response. An authenticated attacker can craft malicious input that, when viewed by another user, executes arbitrary JavaScript in their browser. The vulnerability requires user interaction (clicking a malicious link) and affects only the integrity of data, not confidentiality or availability. Public exploit details are available, though the CVSS 3.5 score reflects the relatively constrained attack scenario requiring authentication and browser-based execution.

  • CVE-2026-10234LOW 3.5

    Mettle sendportal versions up to 3.0.1 contain a cross-site scripting (XSS) vulnerability in the Campaign Handler component. An authenticated attacker can inject malicious scripts through the content parameter in the /webview/ endpoint, potentially allowing them to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability requires user interaction to be effective and does not grant direct administrative access. Exploit code is publicly available, elevating practical risk despite the low CVSS score.

  • CVE-2026-10244LOW 3.5

    SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in the medicine name creation function. An authenticated user can inject malicious script code through the medicine_name parameter, which executes in the context of other users' browsers. The vulnerability requires user interaction (clicking a link or visiting a page) to trigger, and an attacker must have valid login credentials to exploit it. Public exploits are now available.

  • CVE-2026-10245LOW 3.5

    SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in its supplier creation functionality. An authenticated user can inject malicious code through the company name field when creating a supplier record. This code executes in the browsers of other users who view the supplier information, potentially allowing attackers to steal session tokens, redirect users to malicious sites, or perform unauthorized actions on their behalf. Public exploits for this vulnerability are already available.

  • CVE-2026-10246LOW 3.5

    A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated user can inject malicious scripts through the medicine presentation creation function, which are then executed in the browsers of other users who view that data. The attack requires user interaction and does not grant elevated privileges, but can be used to steal session tokens, redirect users, or perform actions on their behalf within the application.

  • CVE-2026-10247LOW 3.5

    A cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated attacker can inject malicious scripts through the generic_name parameter in the create_generic_name function, which the application will then execute in users' browsers. This could allow the attacker to steal session cookies, hijack user accounts, or manipulate pharmacy data. The vulnerability requires user interaction to trigger and an authenticated account to exploit, limiting its immediate impact, but public exploit code is now available.

  • CVE-2026-10264LOW 3.5

    CVE-2026-10264 is a path traversal vulnerability in lharries whatsapp-mcp version 0.0.1, located in the SendMessageRequest function of the Send API Endpoint. An attacker with local access and user privileges can manipulate the mediaPath argument to traverse the file system and read sensitive files, though exploitation impact is limited to information disclosure. The vulnerability has been publicly disclosed.

  • CVE-2026-10567LOW 3.5

    A stored cross-site scripting (XSS) vulnerability exists in 1Panel-dev CordysCRM versions up to 1.4.1. An authenticated attacker can inject malicious JavaScript into the Description field of the ModuleFormController, which will execute in the browsers of other users who view the affected module form. The vulnerability requires user interaction (viewing the crafted form) to trigger, and does not grant the attacker direct access to sensitive data or system functions. Upgrading to version 1.7.0 resolves the issue.

  • CVE-2026-45159LOW 3.5

    Nextcloud's end-to-end encrypted file drop feature contained a logic flaw that allowed a user with drop-link access to place files into other encrypted folders owned by the share recipient—without being able to read or modify existing files. The vulnerability affects multiple version lines and has been patched across all active branches.

  • CVE-2026-45266LOW 3.5

    A flaw in Nextcloud allows any authenticated user to remotely mute other participants' microphones during calls, but only when the deployment lacks a High-performance Backend configuration. This is a low-severity integrity issue that affects call participants' ability to communicate via audio.

  • CVE-2026-48190LOW 3.5

    OTRS has a permission-handling flaw in its External Interface and ConfigItem List module that allows authenticated customers to access Configuration Item (CI) information they shouldn't be able to see. The vulnerability only manifests when both CMDB is enabled and CustomerGroupSupport is configured, meaning organizations using default or simpler OTRS setups may not be affected. An attacker would need valid customer credentials and user interaction to exploit this issue.

  • CVE-2026-48191LOW 3.5

    A permissions bug in OTRS and STORM-powered OTRS allows authenticated users to discover metadata about configuration items (CIs), SLA levels, and services—such as how many are affected—without having actual access to view or modify them. An attacker needs valid login credentials and must interact with the Document Search Article Meta Filters modules to extract this information. While the exposure is limited to metadata disclosure rather than data access, it can provide reconnaissance value to an insider threat or compromised account holder.

  • CVE-2025-48616LOW 3.3

    CVE-2025-48616 is a logic error in Android's KeyguardViewMediator that allows a local attacker with basic user privileges to bypass lockdown mode when screen pinning is active, potentially exposing sensitive information on the device. The vulnerability requires no user interaction and poses a localized risk to data confidentiality on affected Android devices.

  • CVE-2025-62338LOW 3.3

    CVE-2025-62338 is a low-severity vulnerability in HCL BigFix Cloud Lifecycle Management caused by insufficient input validation. An authenticated local user can exploit this flaw to bypass security controls and access sensitive information they shouldn't have permission to view. The issue does not allow attackers to modify data or crash the system, only to read information they're not authorized to access.

  • CVE-2026-0016LOW 3.3

    A permissions validation flaw in Android's credential management system allows a local attacker with limited user privileges to read sensitive information across other user accounts without special permissions or user interaction. The vulnerability resides in how the system handles credential provider updates when services are removed, creating a bypass that exposes data intended to be isolated between users.

  • CVE-2026-0050LOW 3.3

    CVE-2026-0050 is a local information disclosure vulnerability in Android's Bluetooth adapter service. A malicious app with basic user-level permissions can bypass security checks in the handleBondStateChanged function to read sensitive Bluetooth-related information without requiring additional privileges or user interaction. The impact is limited to information disclosure; the attacker cannot modify data or crash the system.

  • CVE-2026-0056LOW 3.3

    CVE-2026-0056 is a memory safety issue in Android's ResourceTypes.cpp component where an incorrect bounds check allows a local process to read data outside intended memory boundaries. This flaw exposes sensitive information resident in adjacent memory to any app with basic local access—no special permissions, elevated privileges, or user interaction required. The vulnerability is classified as low severity due to its limited scope and local-only nature.

  • CVE-2026-10197LOW 3.3

    Assimp, a widely-used open-source 3D model import library, contains a flaw in its glTF2 file handler that can cause the application to crash when processing maliciously crafted glTF2 files with embedded textures. An attacker with local file system access can trigger a null pointer dereference by supplying a crafted glTF2 file, leading to denial of service. The vulnerability affects versions up to and including 6.0.4. A fix exists in pending pull request form but has not yet been merged into a stable release.

  • CVE-2026-10198LOW 3.3

    Assimp, a popular open-source 3D model import library, contains a flaw in its glTF file import handler that can cause the application to crash. The vulnerability stems from improper handling of certain glTF mesh data, leading to a null pointer dereference when the ImportMeshes function processes malformed or specially crafted files. An attacker with local access to a system running a vulnerable version of Assimp could trigger this crash, resulting in denial of service. The issue affects Assimp versions up to and including 6.0.4.

  • CVE-2026-10199LOW 3.3

    Assimp, a popular 3D asset library, contains a null pointer dereference vulnerability in its glTF2 parsing code. An attacker with local access can craft a malicious glTF2 file that triggers a crash when processed, causing a denial of service. The vulnerability affects Assimp versions up to 6.0.4 and has been publicly disclosed, though it requires local interaction and low privileges to exploit.

  • CVE-2026-10201LOW 3.3

    CVE-2026-10201 is a divide-by-zero flaw in Assimp (Asset Importer Library), a widely-used 3D model processing library. The defect exists in the UV Channel Handler component, specifically within the FBXExporter::WriteObjects function in FBXExporter.cpp. When a user with local access supplies specially crafted input, the vulnerability triggers a division-by-zero error that crashes the application. Because this is a local-only attack requiring user-level privileges and the impact is availability-focused (denial of service via crash), the risk is classified as low. However, the fact that proof-of-concept code has been publicly released means defenders should not assume this will remain a theoretical concern.

  • CVE-2026-10233LOW 3.3

    Assimp, a popular open-source 3D model importing library, contains an out-of-bounds read vulnerability in its Half-Life 1 MDL file loader. When processing specially crafted MDL files, the vulnerability allows an attacker with local access to read memory outside intended boundaries. While the issue has been publicly disclosed, the impact is limited to information disclosure with no ability to modify or crash systems. This vulnerability requires local file system access and authenticated user privileges to trigger.

  • CVE-2026-10267LOW 3.3

    A flaw in the Janet programming language (version 1.41.0 and earlier) allows a local user to read memory beyond intended boundaries in the debug frame handling code. The vulnerability requires local system access and valid user credentials to exploit, but poses a confidentiality risk by enabling unauthorized disclosure of sensitive data in memory.

  • CVE-2026-10268LOW 3.3

    A vulnerability exists in Janet language versions up to 1.41.0 that allows an integer overflow when processing serialized fiber data. An attacker with local system access can exploit this condition to cause a denial of service by crashing the affected application. The vulnerability is not critical but represents a real risk in environments where untrusted users have local access to systems running vulnerable Janet versions.

  • CVE-2026-10295LOW 3.3

    CVE-2026-10295 is a low-severity denial-of-service vulnerability in SourceCodester Customer Review App version 1.0. By manipulating the 'name' or 'comment' parameters in the review submission functions, an attacker with local access can crash or degrade the application's availability. While an exploit has been published, the attack surface is limited because local authentication is required—this is not a remote vulnerability that can be exploited from the internet.

  • CVE-2026-10298LOW 3.3

    A null pointer dereference vulnerability exists in whisper.cpp versions up to 1.8.2, specifically in the model loading function. An attacker with local system access can trigger this flaw to cause the application to crash or become unavailable. The vulnerability requires user privileges to exploit and does not directly compromise data confidentiality or integrity. Public exploit code is available, though the impact remains limited to denial of service on the affected system.

  • CVE-2026-10528LOW 3.3

    Orthanc DICOM Server versions up to 1.12.11 contain a stack-based buffer overflow vulnerability in the DCMTK parser component. The flaw exists in the DcmItem::read function and can be triggered through malicious DICOM file manipulation. An attacker with local system access can exploit this to cause a denial of service condition. The vulnerability has been publicly disclosed with working exploit code available.

  • CVE-2026-10722LOW 3.3

    A local integer overflow vulnerability exists in Cilium eBPF's BTF (BPF Type Format) loading functionality. An attacker with local system access can manipulate offset parameters during eBPF collection loading, causing the application to miscalculate memory boundaries. While the impact is limited to denial of service on the affected system, the public disclosure means exploitation tools may become available. This is a localized threat requiring prior system access but warrants patching to maintain system stability.

  • CVE-2026-28586LOW 3.3

    CVE-2026-28586 is a local information disclosure vulnerability in Android's AppOpsService that allows an already-authenticated user to bypass permission checks and read sensitive data they shouldn't have access to. The flaw requires the attacker to already have a local account on the device; there's no way to exploit it remotely. The exposure is classified as low-severity because the data leaked is limited and no system functions are disrupted.

  • CVE-2026-45277LOW 3.3

    Nextcloud's approval workflow feature contains an information disclosure flaw that allows authenticated users to determine whether arbitrary files are connected to specific approval processes. An attacker with valid credentials can probe the system to learn if particular files have approval workflows attached, potentially revealing organizational file structures and approval dependencies that should remain confidential. The issue affects versions prior to 2.7.2 and does not require user interaction to exploit.

  • CVE-2026-45278LOW 3.3

    Nextcloud's user OIDC (OpenID Connect) module contains an open redirect vulnerability that allows attackers to craft malicious login links. When users click these links to authenticate via OIDC, they are redirected to attacker-controlled websites after logging in. This affects Nextcloud versions 6.1.0 through 8.2.1. The vulnerability has a low CVSS score because it requires user interaction and does not directly compromise confidentiality or availability.

  • CVE-2026-45324LOW 3.3

    Rizin, a reverse engineering framework used for binary analysis and code inspection, contains a double free vulnerability in its search functionality. This occurs when the same memory location is freed twice, potentially causing application crashes or unexpected behavior. The vulnerability requires physical access to the system and user interaction to trigger, making it a lower-risk issue in most operational environments.

  • CVE-2026-45613LOW 3.3

    Rizin, a reverse engineering framework used by security researchers and analysts, contains a heap buffer overflow vulnerability in its OMF (Object Module Format) file parsing code. An attacker could craft a malicious OMF binary file that, when opened by a user in Rizin, could read small amounts of sensitive data from the program's memory. This requires local access and user interaction—the user must deliberately open a malicious file.

  • CVE-2026-47327LOW 3.3

    CVE-2026-47327 is a denial-of-service vulnerability in Ubuntu Linux affecting versions 6.8, 6.17, and 7.0. A NULL pointer dereference in the AppArmor notification handling code allows any unprivileged local user to crash the kernel without authentication or special permissions. The attack requires only local system access and can be triggered with a single action, causing a kernel oops that disrupts availability but does not compromise confidentiality or integrity.

  • CVE-2026-47329LOW 3.3

    Ubuntu Linux versions 6.8, 6.17, and 7.0 contain a flaw in SAUCE patches that handle AppArmor security notifications. The vulnerability stems from improper validation of the name field size in these notifications. An unprivileged local user can exploit this by sending crafted AppArmor responses that bypass validation checks, potentially leading to unexpected behavior in the kernel's handling of these security-related messages. This is a local-only issue with low severity impact.

  • CVE-2026-47330LOW 3.3

    CVE-2026-47330 is a local privilege escalation and cache poisoning vulnerability affecting Ubuntu Linux systems with AppArmor SAUCE patches. An unprivileged user can trigger uninitialized variable handling in AppArmor's notification code, causing incorrect caching of security policy responses. While the CVSS score is low (3.3), the issue undermines AppArmor's integrity by allowing cache corruption that could affect subsequent policy enforcement decisions.

  • CVE-2026-47336LOW 3.3

    Ubuntu Linux 6.8 has a bug in its AppArmor security module that could allow an unprivileged local user to bypass or weaken network socket access controls. The issue stems from an uninitialized variable in the code that mediates AF_INET and AF_INET6 (IPv4 and IPv6) socket access. While the vulnerability requires local access and does not enable data theft or system crashes, it undermines the purpose of AppArmor's fine-grained network policy enforcement, potentially allowing a local user to perform network operations that should have been restricted.

  • CVE-2026-47337LOW 3.3

    A NULL pointer dereference flaw in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user to crash the kernel. The vulnerability exists in socket mediation code that handles both IPv4 and IPv6 traffic. While the flaw itself does not enable data theft or system compromise, it can be exploited to cause a denial of service by forcing a kernel panic, disrupting availability for all users on the affected system.

  • CVE-2026-48156LOW 3.3

    pypdf, a popular open-source Python library for PDF handling, contains a vulnerability that allows an attacker to craft malicious PDF files that cause the library to consume excessive processing time during parsing. The issue stems from how pypdf processes cross-reference streams—a mechanism PDFs use to index internal objects—when they contain specific structural patterns. An attacker would need to trick a user or application into opening a specially crafted PDF, but once opened, the library can hang or freeze during PDF processing, resulting in a denial-of-service condition on that system.

  • CVE-2024-42206LOW 3.1

    HCL iReflection contains third-party components that are vulnerable and outdated, creating a potential integrity risk within the web application. An authenticated user with low privileges could potentially exploit this condition, though the attack surface is constrained by difficult environmental conditions and limited authentication requirements.

  • CVE-2025-52608LOW 3.1

    HCL iControl contains a cookie security misconfiguration that leaves session identifiers and authentication tokens vulnerable to interception and cross-site request forgery attacks. The vulnerability stems from the absence of the Secure and SameSite cookie attributes, combined with an overly permissive cookie path set to root. While the immediate risk is moderate, this configuration flaw can enable attackers to hijack user sessions or trick authenticated users into performing unintended actions.

  • CVE-2025-52611LOW 3.1

    HCL iControl v4.0.0 contains a vulnerability where the application crashes and exposes internal error messages, including stack traces, when certain code paths are triggered. The underlying cause is a programming error where the application attempts to access a property (the 'dashboard key') from an object that hasn't been properly initialized or is missing entirely. While an attacker would need valid login credentials to trigger this issue, the exposure of stack trace information could help them understand the application's internal structure and identify further attack vectors.

  • CVE-2026-10011LOW 3.1

    A flaw in Chrome's Skia graphics library could allow an attacker who has already compromised Chrome's renderer process to extract sensitive data from websites you visit. The attacker would need to serve you a specially crafted web page to perform the attack. While the underlying issue received a High severity rating from Chromium, the overall exploitability is limited because it requires both renderer compromise and user interaction, making it a low-risk vulnerability in practical terms.

  • CVE-2026-10565LOW 3.1

    A race condition vulnerability has been discovered in Open5GS versions up to 2.7.6 that affects the NGAP Handover security mode processing function. The flaw allows an authenticated attacker to trigger a timing-dependent race condition that results in a denial-of-service condition. While a public exploit exists, successful exploitation requires specific conditions and careful timing, making real-world attacks difficult to execute reliably.

  • CVE-2026-10705LOW 3.1

    Dask, a Python library for parallel computing and distributed data processing, contains a resource exhaustion vulnerability in its HyperLogLog (approximate distinct count) functionality. An authenticated remote attacker can trigger excessive resource consumption through the nunique_approx function, potentially degrading system availability. The flaw requires significant attack complexity and specific preconditions, making real-world exploitation difficult despite being theoretically possible.

  • CVE-2026-35193LOW 3.1

    Django's cache middleware has a flaw that can leak private user data. When Django caches web responses, it's supposed to mark cached data as private (via the `Vary` header) if a request included authentication credentials. In Django 5.2 before version 5.2.15 and 6.0 before version 6.0.6, this protection doesn't work correctly. An attacker can make an unauthenticated request to the same URL a logged-in user visited, and Django may serve the cached private response—revealing sensitive information that should have been protected. Older Django versions (5.0.x, 4.1.x, 3.2.x) haven't been formally evaluated but may have the same problem.

  • CVE-2026-40963LOW 3.1

    Apache Airflow's UI structure_data endpoint was leaking metadata about linked workflows (DAGs) to users who shouldn't see them. An authenticated user with permission to view one workflow could discover the names and dependency relationships of other workflows they weren't authorized to access. This is a read-only information disclosure—no data modification or system disruption occurs—but it can undermine team isolation in multi-tenant Airflow deployments where workflow topology is considered sensitive.

  • CVE-2026-45426LOW 3.1

    Apache Airflow's log server uses a flawed string-matching approach to authorize workers' access to task logs. Instead of checking if a worker's JWT token matches a specific Dag name exactly, the system strips characters from the left side of requested Dag names in a way that can match multiple unintended Dags. An authenticated worker with a token for 'dag_a' could read logs from 'dag_attacker', 'aaaa_target', or '_dag_secret'—any Dag whose name starts with characters found in 'dag_a'. This breaks the intended per-Dag log isolation in multi-team environments.

  • CVE-2026-45739LOW 3.1

    Strawberry GraphQL, a popular library for building GraphQL APIs, has a flaw in its bundled GraphiQL interface (versions 0.288.4 through 0.315.3) where sensitive headers entered by developers are inadvertently exposed in the browser URL. When a developer pastes an authorization token or other credential into the GraphiQL headers editor, that value becomes part of the page URL and persists in browser history, shareable links, and server access logs. This creates a credential leakage risk if someone gains access to those logs or if links are shared. The issue has been patched in version 0.315.4.

  • CVE-2026-48587LOW 3.1

    Django's cache handling function has a flaw where whitespace in HTTP Vary headers isn't properly cleaned up before comparison. An attacker can exploit this by crafting requests that cause the application to serve cached responses intended for different users, potentially leaking sensitive information. The vulnerability affects Django 5.2 before version 5.2.15 and 6.0 before version 6.0.6, though older unsupported versions may also be vulnerable.

  • CVE-2026-10078LOW 2.7

    Quay's config-tool contains a flaw in how it handles GitLab OAuth setup. When administrators configure GitLab as an identity provider, sensitive credentials (client ID and secret) are passed in plaintext within the URL query string of POST requests. This is problematic because these credentials can be logged by web servers, reverse proxies, load balancers, and monitoring systems—anywhere that records HTTP request details. An attacker who gains access to these logs could extract the credentials and impersonate Quay's OAuth client to GitLab, potentially gaining unauthorized access to repositories or other GitLab resources.

  • CVE-2026-44367LOW 2.7

    Klaw, a Kafka topic management and governance platform, contains a vulnerability in how it handles usernames during registration and login. The system doesn't consistently apply case sensitivity rules—treating 'Admin' and 'admin' as different or the same depending on the operation—which allows authenticated users with administrative privileges to deliberately lock out accounts or trigger denial of service conditions. This is a low-severity issue requiring administrative access to exploit, but it can impact operational availability if administrators use it maliciously or if the inconsistency is exploited in targeted attacks. The flaw was fixed in version 2.10.4.

  • CVE-2026-45076LOW 2.7

    Synapse, an open-source Matrix homeserver implementation used for federated messaging, contains a flaw in how it handles room history in cross-server deployments. Malicious homeservers can craft specially formed room events that cause Synapse instances to withhold historical messages from clients requesting older conversation data. Users may see incomplete chat histories or missing messages when paginating through room archives. This is a low-severity issue because it requires a compromised or malicious federated peer and affects data availability rather than confidentiality or integrity.

  • CVE-2026-45154LOW 2.6

    Nextcloud, an open-source content collaboration platform, contains a flaw affecting versions 2.6.0 through 4.2.x that allows guest users to retrieve deleted collaborative pages from the trash when the parent collective is shared in view-only mode. An attacker with guest access could circumvent intended deletion by directly accessing removed content, though the exposure is limited to information disclosure and requires prior access to the shared collective. The vulnerability has been resolved in version 4.3.0.

  • CVE-2026-45155LOW 2.6

    Nextcloud Server contains a flaw in its circles feature that allows authenticated users to add unknown circles to other circles by directly referencing their IDs, potentially enabling membership tracking. While circle IDs are designed with high complexity (62^15 combinations), if an attacker obtains a valid circle ID through other means, they could exploit this missing access control. The vulnerability requires an authenticated session and user interaction to exploit, making opportunistic attacks unlikely but targeted attacks possible if circle IDs are discovered.

  • CVE-2026-10783LOW 2.5

    A weakness in Gradio 6.14.0's audio caching function allows a local user with limited privileges to potentially access confidential information through use of a weak cryptographic hash. The attack is technically difficult to execute and requires hands-on access to the system. While a public exploit exists, real-world exploitation remains unlikely due to high complexity requirements and low impact scope.

  • CVE-2026-10112LOW 2.4

    CVE-2026-10112 is a stored or reflected cross-site scripting (XSS) vulnerability in the Dashboard Page component of STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker with high privileges can inject malicious scripts through the Name parameter, which are then executed in the browsers of users who view the affected page. The vulnerability requires user interaction and has a low CVSS score of 2.4, but exploitation has already been disclosed publicly.

  • CVE-2026-10514LOW 2.4

    A cross-site scripting (XSS) vulnerability exists in CordysCRM versions up to 1.6.2. The flaw is located in a request parameter handling component and allows attackers with administrative privileges to inject malicious scripts that execute in users' browsers. While public exploit code is available, the attack requires both high-level credentials and user interaction (such as clicking a malicious link), significantly limiting real-world risk. Upgrading to version 1.7.0 resolves the issue.

  • CVE-2026-10529LOW 2.4

    A cross-site scripting (XSS) vulnerability has been discovered in westboy CicadasCMS affecting the Task Scheduling Management Module. The flaw exists in the ScheduleJobController component and can be triggered by an authenticated user with elevated privileges through a specially crafted request. While the vulnerability requires administrative or high-privilege access to exploit, the presence of user interaction (rendering) combined with public availability of exploit details elevates attention. The CMS uses a rolling release model, making definitive version tracking difficult, though the affected commit hash has been identified.

  • CVE-2026-45403LOW 2.0

    AnythingLLM versions before 1.13.0 contain a path traversal vulnerability in the agent filesystem copy tool. When copying files, the application only validates the top-level source and destination directories but fails to validate nested files or reject symbolic links. An attacker with high privileges could create or exploit a symlink nested within an allowed source directory to read files outside the intended filesystem boundaries and copy them to an allowed destination, potentially exposing sensitive data. The vulnerability requires high user privileges, complex conditions, and user interaction to exploit, making practical real-world abuse unlikely despite the core weakness.

  • CVE-2026-47713LOW 2.0

    AnythingLLM versions before 1.13.0 contain a token persistence flaw that can leak sensitive data when administrators migrate from single-user to multi-user mode. A mobile device token issued in single-user mode may remain valid after the migration, allowing it to bypass user-scoping controls and access workspaces and chat content belonging to other users. The vulnerability requires an attacker to have had a legitimate mobile device token before the migration, then exploit it post-migration in the multi-user environment.