By year
Vulnerabilities disclosed in 2026
CVEs published in 2026 with SEC.co analysis.
1678 published vulnerabilities · page 15 of 17
- CVE-2026-8382MEDIUM 5.3
The Advanced Custom Fields (ACF) plugin for WordPress contains a flaw that allows anyone on the internet to modify the title and content of posts that use ACF forms, without needing to log in or have any special permissions. An attacker can inject malicious values into form fields to alter published content, potentially leading to defacement, misinformation, or reputational damage. All versions up to 6.8.1 are affected.
- CVE-2026-8474MEDIUM 5.3
A reflected cross-site scripting (XSS) vulnerability exists in the login API of Stormshield Network Security (SNS) appliances. An attacker can craft a malicious link or inject code that, when accessed by a user, executes arbitrary JavaScript in their browser. This could allow theft of session cookies, capture of credentials, or redirection to phishing sites. The vulnerability affects versions 4.3.0–4.3.41, 4.8.0–4.8.15, and 5.0.0–5.0.5.
- CVE-2026-9091MEDIUM 5.3
Casdoor is an open-source identity and access management platform. A logic flaw in its social login binding feature allows attackers to bypass multi-factor authentication (MFA) requirements. When users authenticate through the social login binding flow, the application fails to check whether MFA is enabled, granting them access without completing the second authentication factor. This affects Casdoor versions 2.362.0 and earlier.
- CVE-2026-9189MEDIUM 5.3
The Contact Form 7 – PayPal & Stripe Add-on WordPress plugin contains a payment validation flaw that allows attackers to mark high-value orders as completed without paying the correct amount. An attacker can make a small legitimate PayPal payment, then submit a forged payment notification (IPN) that references a different, expensive order. Because the plugin fails to verify that the payment amount and recipient email match the target order, the attacker's notification is accepted and the high-value order is incorrectly marked as paid. This affects all versions up to and including 2.4.9.
- CVE-2026-9590MEDIUM 5.3
Devolutions Server versions up to and including 2026.1.19 contain an access control weakness that allows authenticated users with permission to edit entries to modify asset information beyond their intended scope. An attacker with entry edit privileges can bypass the permission validation checks and alter assets they shouldn't be able to access, potentially compromising the integrity of credential and asset data within the server.
- CVE-2026-9794MEDIUM 5.3
Keycloak contains an information disclosure vulnerability in its SAML ECP (Enhanced Client or Proxy) endpoint. An unauthenticated attacker can send specially crafted SOAP requests with different client IDs to the endpoint and observe the error messages returned. By analyzing these responses, an attacker can infer whether a given client uses SAML or another protocol. While this doesn't grant direct access to sensitive data or systems, it reveals organizational configuration details that could inform further reconnaissance or targeted attacks.
- CVE-2026-9803MEDIUM 5.3
Keycloak's client registration endpoint contains a flaw that allows unauthenticated attackers to crash the service by sending malformed authentication headers. When an attacker sends a specially crafted POST request with a broken 'Authorization: Bearer' header to the client registration endpoint, the server throws an exception and returns an error, effectively taking the service offline temporarily. No data is stolen or modified—this is purely a denial of service issue.
- CVE-2026-9985MEDIUM 5.3
A flaw in Google Chrome and ChromeOS allows an attacker who has already compromised the browser's renderer process to read sensitive data from the browser's memory by tricking a user into viewing a malicious webpage. The vulnerability stems from insufficient validation of media-related input. While this requires an initial renderer compromise, it can expose information that should have remained private within the browser process.
- CVE-2026-45682MEDIUM 5.1
OpenTelemetry's eBPF Instrumentation agent for Java contains a memory leak in its TLS connection state tracking. When Java applications handle repeated connection churn (connections opening and closing), the instrumentation fails to properly clean up its internal tracking queue, causing heap memory to grow indefinitely until the application runs out of memory and crashes. This affects long-running production JVMs where connection pools are regularly recycled. The issue is resolved in version 0.9.0.
- CVE-2025-60477MEDIUM 5.0
CVE-2025-60477 is a crash vulnerability in GPAC's MP4Box multimedia processing tool. A specially crafted file can trigger a program crash when processed by a local or authenticated user, disrupting media encoding and processing workflows. The vulnerability does not leak data or enable privilege escalation, but it can be weaponized to interrupt legitimate operations or degrade service availability.
- CVE-2026-10010MEDIUM 5.0
Google Chrome on Android versions prior to 148.0.7778.216 contain a vulnerability in input handling that allows an attacker who has already compromised Chrome's renderer process to bypass site isolation protections through a specially crafted HTML page. Site isolation is a critical Chrome security boundary designed to keep sensitive data from different websites separate in memory. This flaw undermines that protection, though it requires the attacker to have already gained code execution within the browser engine itself.
- CVE-2026-10275MEDIUM 5.0
A buffer overflow vulnerability exists in OpenSC versions up to 0.26.1 within the pkcs11-tool component's key generation functionality. The flaw allows an attacker to overflow a buffer during certificate writing operations, potentially enabling remote code execution or data corruption. Exploitation requires user interaction and specific conditions, making it moderately difficult to weaponize, though a proof-of-concept has already been disclosed.
- CVE-2026-10533MEDIUM 5.0
A vulnerability in OpenShift Container Platform allows non-privileged users to circumvent resource quota enforcement by creating pods with a never-restart policy. These pods and their associated Kubernetes events are not counted against quota limits, enabling an attacker to flood the cluster's event database (etcd) with activity. The resulting accumulation degrades API server performance across the entire cluster, affecting all users and workloads.
- CVE-2026-43979MEDIUM 5.0
Local Deep Research versions before 1.6.0 contain a vulnerability where user-supplied search queries and metadata are inserted directly into HTML without proper escaping before being converted to PDF. An authenticated user can inject HTML tags that trick the server into making unauthorized web requests (SSRF), bypassing existing security controls. The vulnerability requires valid credentials but poses moderate risk due to potential confidentiality impact.
- CVE-2026-46526MEDIUM 5.0
Local Deep Research versions before 1.6.10 contain a Server-Side Request Forgery (SSRF) vulnerability caused by inconsistent URL validation logic. The application attempts to block malicious URLs using one parsing method but actually sends requests using a different method, creating a gap that attackers can exploit. An authenticated user can craft a specially formatted URL that passes the security checks but reaches an unintended internal or restricted server when the request is actually sent.
- CVE-2026-46561MEDIUM 5.0
pyLoad, a popular open-source download manager, contains a vulnerability that allows authenticated users to bypass security controls designed to prevent access to internal networks. Specifically, an attacker can craft a specially designed URL that initially appears safe but redirects to a private IP address after the security check passes. This lets the attacker potentially access or interact with systems on the internal network that should be off-limits. The issue affects versions prior to 0.5.0b3.dev100 and has been resolved in that release.
- CVE-2026-49138MEDIUM 5.0
Nanobot versions prior to 0.2.1 contain a server-side request forgery (SSRF) vulnerability in its web_fetch tool. An attacker with login credentials can trick the application into making requests to internal or private network systems by providing a URL that redirects to a loopback address (like 127.0.0.1) or private IP range. The vulnerability exploits how the underlying httpx library automatically follows HTTP redirects—the application validates the initial URL but not the final destination after redirects are followed, allowing attackers to reach internal services that should not be accessible from the internet.
- CVE-2026-49433MEDIUM 5.0
DeepAI's email change endpoint lacks CSRF (Cross-Site Request Forgery) protection, allowing attackers to hijack user accounts. An attacker who tricks a logged-in user into visiting a malicious link can silently change that user's email address, potentially locking the legitimate owner out and enabling account takeover. The vulnerability was patched on May 20, 2026.
- CVE-2026-6891MEDIUM 5.0
A vulnerability in My Image Garden for macOS version 3.6.8 and earlier allows a logged-in user to manipulate the installer through specially crafted symbolic links, potentially gaining permission changes to files they shouldn't normally access. This is a local privilege escalation risk that requires both system access and user interaction during installation.
- CVE-2026-6892MEDIUM 5.0
A flaw in Canon's CUPS printer driver installers for macOS allows a local attacker who has login access to a machine to manipulate symbolic links during the installation process. By crafting a malicious symbolic link, an attacker can trick the installer into changing file permissions on directories they shouldn't normally be able to modify. This is a local-only attack that requires an attacker to already have user-level access to the system.
- CVE-2026-9903MEDIUM 5.0
Google Chrome versions prior to 148.0.7778.216 contain a vulnerability in Site Isolation, a security feature designed to prevent malicious websites from accessing data from other sites you visit. An attacker who has already compromised Chrome's renderer process—the part that interprets web content—can craft a specially designed MHTML file (a web archive format) that bypasses this protection. This requires the attacker to have gained initial access to the renderer process and the user to open the malicious file, but if successful, it could allow unauthorized access to sensitive information across site boundaries.
- CVE-2026-9942MEDIUM 5.0
CVE-2026-9942 is a memory safety issue in ANGLE, the graphics abstraction layer used by Google Chrome. When a remote attacker has already compromised Chrome's renderer process, they can exploit this uninitialized memory condition to break out of Chrome's site isolation sandbox using a specially crafted HTML page. Site isolation is Chrome's primary defense against cross-site data theft; bypassing it allows an attacker to read data from other websites the user is visiting. This requires the renderer process to be already compromised, meaning it is a post-compromise escalation rather than an entry point.
- CVE-2026-9979MEDIUM 5.0
CVE-2026-9979 is a site isolation bypass vulnerability in Google Chrome that allows an attacker to escape the security boundary between different websites if they have already compromised Chrome's rendering engine. An attacker would need to trick a user into visiting a malicious HTML page while the renderer process is already under their control. Site isolation is Chrome's core defense mechanism that prevents one website's scripts from accessing another website's data; this vulnerability undermines that protection in a limited but serious scenario.
- CVE-2026-9980MEDIUM 5.0
Google Chrome versions before 148.0.7778.216 contain a flaw in how it validates input when printing documents. An attacker who has already compromised Chrome's rendering engine can exploit this to bypass Site Isolation, a security boundary that separates data between websites. This requires both a prior compromise of the renderer process and user interaction, making it a secondary attack in a chain rather than a standalone entry point.
- CVE-2026-10039MEDIUM 4.9
The Frontend Admin plugin for WordPress contains a SQL injection vulnerability that allows authenticated administrators to extract sensitive data from the website's database. The flaw exists in how the plugin processes the 'order' parameter—it fails to properly escape user input before inserting it into database queries. An attacker with administrator privileges can craft a malicious request containing both 'order' and 'orderby' parameters to inject additional SQL commands and retrieve unauthorized information. This vulnerability affects all versions up to and including 3.28.28.
- CVE-2026-10074MEDIUM 4.9
DreamMaker, a product developed by Interinfo, contains a vulnerability that allows authenticated administrators or privileged users with local access to read arbitrary files from the system. An attacker with elevated privileges can exploit a path traversal flaw to access sensitive system files they shouldn't normally be able to retrieve, potentially exposing configuration data, credentials, or other protected information.
- CVE-2026-41412MEDIUM 4.9
alf.io is an open-source ticketing platform used by conferences and events to manage reservations. The vulnerability lies in how alf.io sandboxes custom extensions (plugins) that users can write to extend functionality. The sandbox was designed to safely run untrusted extension code, but it failed to protect file access. Specifically, extensions have access to an HTTP client tool that includes a method for uploading files. This method does not validate or restrict which files can be read—a malicious extension can read any file that the alf.io application has permission to access on the server, then send that file's contents to an attacker's server. An attacker would need to either write a malicious extension or trick an administrator into installing one, but once active, the extension can quietly exfiltrate sensitive data like configuration files, database credentials, or user records.
- CVE-2026-44917MEDIUM 4.9
A vulnerability in OpenStack Ironic before version 35.0.2 allows authenticated project administrators or managers to read sensitive files directly from the Ironic conductor server through a specially crafted PXE template. This is a credential-required attack where an insider with project admin or manager privileges can exploit the template processing mechanism to access files they shouldn't be able to retrieve, potentially exposing configuration secrets, credentials, or other sensitive data stored on the conductor.
- CVE-2026-45684MEDIUM 4.9
OpenTelemetry eBPF Instrumentation versions 0.7.0 through 0.8.x contain a buffer handling flaw in the log enricher component. When log injection is enabled, attackers can craft a multi-segment write operation that tricks the instrumentation into reading beyond the intended buffer boundary, potentially overwriting memory. This could lead to information disclosure, data corruption, or application instability on systems using the affected versions.
- CVE-2026-45731MEDIUM 4.9
WWBN AVideo, an open-source video hosting platform, contains a file-read vulnerability in its database migration feature. An authenticated administrator can manipulate the migration process to read sensitive text files from the server's filesystem. This requires existing admin access, so it poses a targeted insider risk rather than a mass-exploitation threat, but it can expose configuration files, credentials, or other data to a compromised or malicious admin account.
- CVE-2026-49198MEDIUM 4.9
CVE-2026-49198 is a medium-severity access control flaw in Acer Predator Connect W6X MQTT brokers that allows high-privileged users to subscribe to wildcard topics, inadvertently gaining visibility into all MQTT traffic flowing through the system. While the vulnerability requires authenticated access with elevated permissions, once exploited it enables an insider or compromised admin account to eavesdrop on sensitive IoT communication without additional authorization constraints. This is a confidentiality risk with no impact to system availability or integrity.
- CVE-2026-50219MEDIUM 4.9
libexpat, a widely-used XML parsing library, contains a use-after-free vulnerability in versions before 2.8.2. The flaw occurs when certain XML parsing functions (XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset) are called from within event handlers without proper depth tracking. This can lead to memory safety violations and potentially allow attackers to crash applications or, in some scenarios, execute arbitrary code. The vulnerability requires local access and specific conditions to trigger, making it a moderate-risk issue rather than a widespread internet-facing threat.
- CVE-2026-50224MEDIUM 4.9
The Acer Connect M6E 5G router's web administration panel is configured to listen on all public IPv6 addresses on port 8080, without built-in firewall protections. This means the internal API endpoints used to manage the device can be reached directly over the internet by anyone who knows the device exists and its IPv6 address, potentially allowing unauthorized access to sensitive configuration and status information.
- CVE-2026-9801MEDIUM 4.9
Keycloak has a vulnerability that allows a high-privileged attacker—such as a realm administrator or someone who has compromised an upstream LDAP server—to crash the Keycloak service by sending a specially crafted LDAP password policy response. When triggered during authentication, this causes the Java process to run out of memory and shut down, knocking the service offline for all users on that node. The attack requires either legitimate administrative access to configure a malicious LDAP directory or prior compromise of an existing LDAP backend.
- CVE-2026-10057MEDIUM 4.8
ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with elevated privileges to inject malicious JavaScript code into the application. Once injected, this code persists in the system and executes automatically whenever other users load affected pages in their browsers. This is distinct from reflected XSS because the payload remains embedded in the application, posing a sustained risk to all users who access the compromised content.
- CVE-2026-10058MEDIUM 4.8
ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) flaw that lets high-privilege attackers inject malicious JavaScript into the system. When other users load affected pages, that injected code runs in their browsers automatically. This is a persistence threat—the malicious script stays in the system until removed, affecting anyone who accesses the compromised page.
- CVE-2026-34127MEDIUM 4.8
A stored cross-site scripting (XSS) vulnerability exists in TP-Link's TL-SG108PE v5 managed switch web interface. When an administrator imports a configuration file containing malicious code in the SYSNAM parameter, that code is stored without proper sanitization. The next time an administrator accesses the web management interface, the injected script executes in their browser. This could allow an attacker (who must already have administrator credentials) to steal session cookies, modify switch settings, or extract sensitive information from the management interface.
- CVE-2026-36460MEDIUM 4.8
Dovestones Software's ADPhonebook application before version 4.0.1.1 contains a Cross-Site Scripting (XSS) vulnerability in its administrative configuration API. An authenticated administrator can inject malicious JavaScript code into various system configuration sections, which is then stored and executed in the browsers of other users who access those settings. This requires both admin privileges and user interaction (a victim must view the affected configuration), limiting but not eliminating the risk.
- CVE-2026-47673MEDIUM 4.8
Hono, a JavaScript Web application framework, contains a flaw in its JWT authentication middleware that fails to enforce the Bearer scheme requirement. Prior to version 4.12.21, the jwt and jwk middlewares accept any two-part Authorization header value—regardless of whether it uses Bearer, Basic, Token, or any other scheme name—and proceed directly to JWT verification if the token is valid. This means an attacker could authenticate by presenting a valid JWT under an incorrect scheme (like Basic auth) and gain the same access as a properly formatted Bearer token request. The vulnerability is fixed in version 4.12.21.
- CVE-2026-6324MEDIUM 4.8
libsoup, a widely-used HTTP client library, contains a logic error in how it processes chunked HTTP request bodies. An attacker can craft a malicious HTTP request that exploits an unsigned-to-signed integer conversion flaw in the chunked encoding handler. The vulnerability is most likely to be triggered in proxy scenarios—when libsoup is deployed behind a third-party proxy or acting as a proxy itself. Successful attacks can lead to cache poisoning, security control bypass, or unauthorized access to backend systems.
- CVE-2026-10070MEDIUM 4.7
A flaw in macrozheng mall versions up to 1.0.3 allows an authenticated administrator with high privileges to bypass authorization controls on the super admin password update endpoint. An attacker with admin credentials could manipulate requests to the /admin/update/ path and gain unauthorized access to sensitive administrative functions. The vulnerability requires valid admin-level authentication and cannot be exploited anonymously from the network.
- CVE-2026-10155MEDIUM 4.7
A SQL injection vulnerability exists in Bdtask Multi-Store Inventory Management System version 1.0 within the Accounts Report Handler. An authenticated attacker can manipulate the 'dtpToDate' parameter in the accounts report search function to inject malicious SQL commands. While the vulnerability requires high privileges to exploit, successful attacks could leak sensitive financial data, modify account records, or disrupt reporting functionality. Public exploit code is available, increasing real-world risk.
- CVE-2026-10171MEDIUM 4.7
A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows authenticated administrators to manipulate the ID parameter in the album update functionality. An attacker with admin credentials can inject malicious SQL commands through the /Administrator/PHP/AdminUpdateAlbum.php endpoint, potentially compromising database integrity and confidentiality. The vulnerability has been publicly disclosed and exploit code is available, increasing the likelihood of active exploitation.
- CVE-2026-10237MEDIUM 4.7
A SQL injection vulnerability was identified in SourceCodester Water Billing Management System version 1.0. An authenticated administrator can manipulate the ID parameter in the user management interface to inject malicious SQL commands, potentially reading or modifying sensitive database records. The vulnerability requires administrative privileges to exploit but poses a risk to data integrity and confidentiality within billing systems. Public proof-of-concept code exists, elevating the practical risk of exploitation.
- CVE-2026-10248MEDIUM 4.7
SourceCodester's Pharmacy Sales and Inventory System version 1.0 and earlier contains a CSV injection vulnerability in its supplier creation interface. An authenticated attacker with high privileges can inject malicious CSV formulas through the Address or Company Name fields when exporting supplier data, potentially causing data corruption, formula execution, or information disclosure when a user opens the exported file in a spreadsheet application.
- CVE-2026-10583MEDIUM 4.7
A server-side request forgery (SSRF) vulnerability exists in nextlevelbuilder GoClaw versions up to 3.11.3. The flaw is located in the TTS Configuration Endpoint's Import function, which fails to properly validate or restrict outbound HTTP requests. An authenticated attacker with high privileges can exploit this to make the affected server initiate requests to internal or external systems on their behalf, potentially accessing sensitive internal resources or launching further attacks. The vulnerability has been publicly disclosed.
- CVE-2026-42329MEDIUM 4.7
Iris, a web platform used by incident responders to collaborate and share technical details during security investigations, contains an open redirect vulnerability in versions before 2.4.28. An attacker can craft a malicious link within the application that tricks users into visiting an external website under the attacker's control. This is a social engineering risk rather than a direct system compromise—the attack depends on user interaction and targets the trust users place in links shared within their incident response platform.
- CVE-2026-45366MEDIUM 4.7
The @utcp/http package in typescript-utcp contains a blind Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to trick the software into making requests to internal services. The flaw stems from inconsistent validation: while manual URL registration checks that URLs are HTTPS or localhost, the tool invocation pathway skips this validation and directly uses URLs from attacker-controlled OpenAPI specifications. An attacker can host a malicious OpenAPI spec on a legitimate HTTPS endpoint that declares internal server addresses (like http://127.0.0.1:9090 or AWS metadata endpoints), and the affected software will create tools that point to those internal targets. Versions prior to 1.1.2 are vulnerable.
- CVE-2026-45614MEDIUM 4.7
OP-TEE, a Trusted Execution Environment for Arm systems, fails to validate that ECDH public keys lie on the correct elliptic curve before deriving shared secrets. An attacker with local access can craft approximately 30-40 malformed public keys and submit them through TEE_DeriveKey calls to leak fragments of the private key. By collecting these leaks and applying the Chinese Remainder Theorem, the attacker can reconstruct the full private key. This breaks the confidentiality of ECDH operations and affects systems relying on OP-TEE for cryptographic operations prior to version 4.11.0.
- CVE-2026-46159MEDIUM 4.7
A race condition in the Linux kernel's btrfs filesystem driver can leak uninitialized kernel memory to unprivileged local users. The vulnerability exists in the ioctl handler that reports storage space information. When block groups are concurrently removed by the system during the space query operation, the kernel copies more data to userspace than it actually wrote, exposing sensitive kernel memory. An attacker with local access can exploit this timing window to read information that should not be accessible.
- CVE-2026-46187MEDIUM 4.7
The Linux kernel's RSI wireless driver has a race condition in how it shuts down worker threads. The driver uses two different methods to stop these threads: a self-terminating approach and an external stop command. When the self-terminating method completes first and then the external stop is called, the code tries to access a thread that has already been freed from memory—a use-after-free vulnerability. This affects local users with moderate privileges and can cause a system crash or unexpected behavior.
- CVE-2026-46194MEDIUM 4.7
A race condition exists in the Linux kernel's F2FS file system implementation that can cause a kernel crash. When an inode is being dropped from memory, the extent node destruction process does not properly signal that no new extent nodes should be added. Meanwhile, concurrent write-back operations may attempt to insert new extent nodes, creating a collision that triggers a kernel bug check. The vulnerability affects systems using F2FS, particularly in multi-threaded I/O scenarios where inode cleanup and write-back operations overlap.
- CVE-2026-46272MEDIUM 4.7
CVE-2026-46272 is a race condition in the Linux kernel's CoreSight Trace Memory Controller (TMC) Embedded Trace Receiver (ETR) driver. When a system attempts to run both performance tracing (perf) and sysfs-based hardware tracing simultaneously, a timing gap between buffer allocation and hardware enablement in sysfs mode allows the perf mode to initialize its own buffer state. This causes sysfs mode to later detect the unexpected state and trigger a kernel warning, resulting in denial of service through system instability. The vulnerability exists because the sysfs enablement process was split across two separate locking regions, creating a window where perf mode could intervene.
- CVE-2026-33462MEDIUM 4.6
A path traversal flaw in Kibana's dashboard management allows an authenticated user with basic permissions to craft a malicious dashboard identifier. When an administrator deletes this dashboard, the deletion request bypasses security controls and targets unintended internal endpoints—potentially destroying user accounts or other critical resources. The vulnerability requires an administrator to take action on the malicious object, making it a privilege-escalation path rather than a self-executing exploit.
- CVE-2026-36174MEDIUM 4.6
GNCC GP5 devices running version 7.1.76 transmit sensitive wireless network credentials in readable form to the serial console during normal operation. An attacker with physical access to the device's serial port can intercept these credentials, compromising network security. This is a localized but consequential exposure for organizations operating these devices in shared or less-controlled physical environments.
- CVE-2026-36178MEDIUM 4.6
A flaw in the factory reset process of GNCC GP5 v7.1.76 leaves sensitive cryptographic keys and related data intact on the device's storage partition even after a factory reset is performed. An attacker with physical access to the device could potentially recover this material and use it to decrypt or impersonate the original user's configuration and encrypted content.
- CVE-2026-36180MEDIUM 4.6
GNCC GP5 version 7.1.76 has a security weakness that allows an attacker with physical access to the machine to temporarily modify read-only system files and binaries during a single boot session. The vulnerability exploits bind-mount mechanisms—a Linux/Unix filesystem technique—to circumvent protections meant to keep critical system files locked down. While the attacker needs to be physically present and the changes only persist until reboot, this represents a meaningful integrity risk for systems in shared, controlled, or potentially hostile physical environments.
- CVE-2026-45153MEDIUM 4.6
Nextcloud Files app on Android has a PIN bypass vulnerability affecting versions 33.0.0 through 33.0.x. An attacker with physical access to an unlocked Android device can use the back button to circumvent the app's PIN protection and gain unauthorized access to files stored in the Nextcloud app. This is a local attack requiring the device to already be unlocked, but it effectively neutralizes the app-level security control that would normally protect sensitive files even if the phone falls into the wrong hands.
- CVE-2026-45284MEDIUM 4.6
Nextcloud's OIDC (OpenID Connect) user authentication module contains a flaw that allows deleted LDAP users to continue authenticating to the system. When an organization uses both LDAP and OIDC for user management, deletion of a user from LDAP does not properly prevent that user from logging in via OIDC. This creates an unintended persistence of access for users who should no longer have system privileges. The issue affects Nextcloud versions 1.3.6 through 8.3.x and has been resolved in version 8.4.0.
- CVE-2026-49316MEDIUM 4.6
A vulnerability in the 2025 Indian Motorcycle Scout Bobber + Tech model allows someone with access to the motorcycle's wireless network to disable anti-theft protections and operate the vehicle without proper authorization. An attacker can manipulate error messages on the motorcycle's internal communication system (CAN bus) to silence the Wireless Control Module, which normally enforces shutdown commands tied to the immobilizer. Once this module stops communicating, other systems on the motorcycle treat its silence as normal rather than a security event, leaving the bike vulnerable to theft despite the immobilizer lock never being engaged.
- CVE-2026-49324MEDIUM 4.6
A vulnerability in the Wireless Control Module of the 2025 Indian Motorcycle Scout Bobber + Tech allows someone with access to the bike's internal network to permanently disable it. By sending a small number of specially crafted wireless messages, an attacker can trigger a lockout on the motorcycle's immobilizer system—the security mechanism that prevents unauthorized starting. Unlike typical lockouts that reset when you power cycle the device, this one persists even after restarting the bike, leaving owners unable to start their motorcycle until they visit a dealer for service.
- CVE-2026-49325MEDIUM 4.6
Indian Motorcycle's 2025 Scout Bobber + Tech model contains a physical security flaw in its anti-theft system. An attacker with access to the motorcycle's Wireless Control Module (WCM) wiring harness can disconnect a specific wire pair to bypass the PIN-protected shutdown mechanism, leaving the bike fully operational and vulnerable to theft. The vulnerability exploits a gap in how the motorcycle's engine control unit (ECU) validates shutdown signals—it cannot tell the difference between a legitimate shutdown command and a severed wire.
- CVE-2026-10814MEDIUM 4.5
Milvus, a popular vector database, contains a weakness in how it generates hash identifiers for grantee access control. An attacker with local access and sufficient privileges could exploit weak cryptographic hashing in the Grantee ID Hash Handler to potentially forge or predict access control identifiers, leading to unauthorized data access or modification. The vulnerability requires high technical complexity to exploit and is rated as medium severity.
- CVE-2026-44640MEDIUM 4.5
NanoMQ is an edge messaging platform that implements the MQTT protocol for lightweight IoT and edge device communication. A type confusion bug exists in versions before 0.24.14 in how the broker handles QUIC connection objects during the dialing and closing lifecycle. When the broker initiates a QUIC connection (dialing), it stores a pointer as one type (nni_quic_conn), but later during cleanup, the code misinterprets that same pointer as a different type (ex_quic_conn). This mismatch causes the broker to read and operate on invalid memory, resulting in hangs or crashes when closing connections. The issue requires local access and user interaction to trigger.
- CVE-2026-49382MEDIUM 4.5
A vulnerability in JetBrains IntelliJ IDEA's Copyright plugin allows an attacker to execute code on a developer's machine through template injection. The attack requires local access and user interaction—specifically, a developer must open a malicious project or file. While the severity is moderate, this poses a real risk in shared development environments or when developers download untrusted projects.
- CVE-2026-10100MEDIUM 4.4
The Simple Custom Login Page plugin for WordPress contains a security flaw that allows administrators to inadvertently inject malicious code into the login page viewed by all users. When a site admin configures colors for the login page through the plugin's settings, an attacker with admin access can craft CSS injection payloads in those color fields. Because the plugin doesn't properly validate these inputs before displaying them, an attacker can break out of the intended styling context and insert arbitrary CSS rules. This enables phishing attacks—for example, by hiding the real login form or overlaying a fake one to steal credentials.
- CVE-2026-3620MEDIUM 4.4
The Word Replacer plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 0.4. An attacker with administrator-level access can inject malicious scripts through the plugin's 'replacement' parameter. These scripts persist in the WordPress database and execute whenever any user visits an affected page, potentially allowing credential theft, session hijacking, or defacement. The vulnerability stems from inadequate input validation and output encoding in the plugin code.
- CVE-2026-45279MEDIUM 4.4
Nextcloud Server contains a path traversal vulnerability that allows non-admin users to copy files into their own Nextcloud directories in certain scenarios. The vulnerability exists in specific versions and depends on underlying Unix file system permissions. An attacker would need already-elevated user privileges within Nextcloud to exploit this issue, limiting the practical threat surface.
- CVE-2026-45702MEDIUM 4.4
OP-TEE, a security-focused component running on Arm processors, contains a type confusion flaw when handling memory-sharing requests from the normal operating system. The vulnerability only affects specific OP-TEE configurations used to manage secure applications (when both SPMC mode and secure partition features are enabled). An attacker with high system privileges can trigger a denial of service, though the flaw does not expose sensitive data or allow code execution. Upgrading to OP-TEE version 4.11.0 or later resolves the issue.
- CVE-2026-7421MEDIUM 4.4
A WordPress plugin called Passeum Ticketing contains a vulnerability that allows site administrators to inadvertently (or maliciously in compromised accounts) inject malicious scripts into a website. The plugin fails to properly validate the shop name setting, allowing an attacker with admin access to point the site to a malicious domain. When this happens, the plugin loads JavaScript and CSS files from that attacker-controlled domain, which then executes on every page of the website for all visitors. This is a stored cross-site scripting (XSS) vulnerability specific to multisite WordPress installations.
- CVE-2026-7430MEDIUM 4.4
The Post Snippets plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to 4.0.19. An authenticated administrator can inject malicious code through the plugin's import feature. When that code is imported, it gets embedded unsafely into the post editor's JavaScript, allowing the attacker to execute arbitrary scripts that run whenever any administrator opens a post editor page. This is a privilege-escalation and persistence risk: an attacker with admin access can compromise the experience of other admins and potentially maintain control across sessions.
- CVE-2019-25717MEDIUM 4.3
Dräger's Infinity Delta, Delta XL, and Kappa patient monitors expose sensitive log files to unauthenticated attackers on the local network. An attacker with network access can retrieve device internals, location data, and network configuration without needing credentials. This is a network-adjacent threat that discloses operational details but does not enable direct device compromise or manipulation.
- CVE-2024-47273MEDIUM 4.3
Synology Hyper Backup versions before 4.1.2-4036 contain a path traversal vulnerability in the Backup Task feature that allows an authenticated user to write files outside their intended directory. An attacker with valid credentials could exploit this to place files in restricted locations on the system, potentially compromising system integrity or enabling lateral movement.
- CVE-2025-52606MEDIUM 4.3
HCL iControl contains a weakness in how it validates user input during its security architecture implementation. The application fails to properly check that incoming data matches the expected type before processing it, allowing an authenticated attacker to submit malformed input that the system does not adequately verify. This can lead to unintended modifications of application state or data.
- CVE-2025-53346MEDIUM 4.3
CVE-2025-53346 is a missing authorization flaw in ThimPress Thim Core that allows authenticated users to modify data or settings they should not have access to. The vulnerability stems from inadequate access control checks, meaning the application fails to properly verify whether a logged-in user has permission to perform specific actions. While an attacker must already have valid login credentials, the weakness could allow them to escalate privileges or tamper with configuration or content outside their intended scope.
- CVE-2026-10028MEDIUM 4.3
CVE-2026-10028 is a denial-of-service vulnerability in glib-networking that can be triggered when an attacker presents a maliciously crafted certificate chain containing circular issuer relationships. When an application using glib-networking with GnuTLS backend processes such a chain, the certificate verification logic enters an infinite loop, consuming CPU resources until the process becomes unresponsive. The attack requires user interaction (such as visiting a malicious website or accepting a connection) and affects only the targeted process, not the wider system.
- CVE-2026-10113MEDIUM 4.3
Open5GS, an open-source 5G core network software suite, contains a vulnerability in its Shared NF-profile Parser component that can be exploited to disrupt service availability. An attacker with network access and valid authentication credentials can trigger a denial of service condition by manipulating the NF-profile parsing logic. The vulnerability affects Open5GS versions up to 2.7.7, and public exploit information is available, increasing the risk of active exploitation.
- CVE-2026-10114MEDIUM 4.3
Open5GS versions up to 2.7.7 contain a flaw in how they parse shared NF profile information. When processing certain malformed input, the application writes data beyond the intended memory boundary, potentially crashing the service. While an attacker must have valid network credentials to exploit this, the vulnerability has been publicly disclosed, increasing the likelihood it will be weaponized.
- CVE-2026-10115MEDIUM 4.3
Open5GS, an open-source 5G core network implementation, contains a flaw in how it parses network function profiles. An authenticated attacker can send a specially crafted request that causes the affected service to become unresponsive, disrupting normal operations. The vulnerability requires valid credentials to exploit and does not lead to data theft or unauthorized access—only temporary unavailability. Versions up to 2.7.7 are affected.
- CVE-2026-10116MEDIUM 4.3
A vulnerability in Open5GS, a popular open-source 5G core network implementation, allows authenticated users to trigger a denial-of-service condition by manipulating the UE authentication endpoint. The flaw resides in timer transaction handling code and can be exploited remotely by anyone with legitimate access to the authentication service. Public exploit code is available, increasing the practical risk of abuse.
- CVE-2026-10117MEDIUM 4.3
Open5GS, an open-source 5G core network implementation, contains a vulnerability in its HTTP/2 server library that can be exploited to cause a denial of service. An attacker with valid credentials can remotely trigger the issue by manipulating specific inputs to the pool allocation function, causing the application to become unresponsive or crash. Versions up to 2.7.7 are affected. Public exploit code exists, increasing the risk of opportunistic attacks.
- CVE-2026-10153MEDIUM 4.3
A cross-site scripting (XSS) vulnerability has been identified in westboy CicadasCMS. The flaw exists in the Search function and can be exploited by manipulating a specific argument to inject malicious scripts. An attacker can send a crafted request to a vulnerable instance to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session data, credentials, or performing actions on their behalf. Exploitation requires user interaction (such as clicking a malicious link) but does not require authentication. A proof-of-concept has already been published, increasing practical risk.
- CVE-2026-10154MEDIUM 4.3
Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2 contain an authorization bypass vulnerability in the user messaging module. An authenticated attacker can manipulate the ID parameter in htdocs/user/messaging.php to access or view information they should not have permission to see. The vulnerability requires valid login credentials but allows a logged-in user to circumvent access controls. Upgrading to version 23.0.3 resolves the issue.
- CVE-2026-10156MEDIUM 4.3
Open5GS, a popular open-source 5G core network implementation, contains a denial-of-service vulnerability in versions up to 2.7.7. An authenticated attacker can manipulate how the system manages network function instance information, causing the application to consume excessive resources and become unresponsive. The vulnerability has been publicly disclosed, but a patch is already available. This is a moderate-severity issue requiring prioritization for 5G infrastructure operators and anyone running affected Open5GS deployments.
- CVE-2026-10173MEDIUM 4.3
Orthanc Explorer 2 versions up to 1.12.0 contain a reflected cross-site scripting (XSS) vulnerability in the StudyList component. An attacker can craft a malicious URL with a specially crafted 'remote-source' parameter that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the Orthanc application. This allows theft of session tokens, modification of data, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction—a victim must click a malicious link—but can be exploited remotely without authentication.
- CVE-2026-10215MEDIUM 4.3
A flaw in Dolibarr ERP CRM's Leave Request REST API fails to properly check whether users have permission to access specific leave request objects. An authenticated attacker can remotely exploit this to view leave data they should not be able to see. The vulnerability affects versions up to 23.0.1, and Dolibarr has released version 23.0.2 as a fix. Because the exploit has been publicly disclosed, this poses an active risk despite its moderate CVSS score.
- CVE-2026-10282MEDIUM 4.3
Bottelet DaybydayCRM versions up to 2.2.1 contain an authorization flaw in the Documents controller that allows authenticated users to access files they shouldn't be able to view. An attacker with valid login credentials can exploit this remotely to read sensitive documents beyond their intended access scope. The vulnerability is rated MEDIUM severity and requires patching.
- CVE-2026-10289MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in Hotel and Tourism Reservation System version 1.0. An attacker can inject malicious scripts by manipulating parameters in the reservation form—specifically the name, email, people count, or booking number fields in the /ht/tour.php file. When a victim visits a crafted link or page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or defacement. Public exploits are available, increasing active exploitation risk.
- CVE-2026-10291MEDIUM 4.3
Enderfga's claw-orchestrator contains a flaw in how it validates regular expressions in the Session Grep Endpoint. An authenticated attacker can supply a maliciously crafted regex pattern that forces excessive CPU consumption, potentially slowing or freezing the service. This is a medium-severity issue affecting versions up to 3.7.0 and is remedied by upgrading to 3.7.1.
- CVE-2026-10294MEDIUM 4.3
PackageKit, a system library for package management on Linux, contains an authorization bypass vulnerability in versions up to 1.3.5. An authenticated attacker can manipulate the frontend-socket parameter in the API to gain unauthorized access to sensitive information. The vulnerability requires an existing user account to exploit but does not require user interaction. While the attack surface is somewhat limited by authentication requirements, the unauthorized information disclosure poses a real security concern for systems relying on PackageKit.
- CVE-2026-10301MEDIUM 4.3
A reflected cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0. An attacker can craft a malicious URL containing JavaScript code in the 'page' parameter of index.php. When a user visits this link, the script executes in their browser, potentially allowing theft of session cookies, credential capture, or malware redirection. The vulnerability requires user interaction (clicking a link) but poses a meaningful risk to organizations running this system, especially those handling sensitive fee or financial data.
- CVE-2026-10616MEDIUM 4.3
GoClaw, a component of nextlevelbuilder, contains a flaw in how it validates permissions when completing team tasks. An authenticated attacker can manipulate the Team Task Completion Handler to bypass authorization checks, potentially modifying task records they shouldn't have access to. The vulnerability requires a valid login and network access, and affects versions up to 3.11.3. While the issue carries a medium risk profile, the public availability of exploit details increases practical attack likelihood.
- CVE-2026-10624MEDIUM 4.3
CVE-2026-10624 is a moderate-severity vulnerability in SourceCodester Human Resource Management version 1.0 that allows authenticated users to access employee information they should not be able to view. The flaw exists in the Employee View Page component and stems from improper handling of the 'employeeid' parameter, which an attacker can manipulate to bypass access controls. Because exploit code has been publicly disclosed, this vulnerability poses a realistic risk to organizations running affected systems.
- CVE-2026-10661MEDIUM 4.3
A vulnerability in the blender-mcp project allows an authenticated attacker to inject malicious input through the input_image_url parameter in the Open function of src/blender_mcp/server.py. Because authentication is required and the vulnerability only exposes limited information (not enabling code execution or system availability impact), the overall risk is moderate. However, the public disclosure means exploitation techniques are now accessible to threat actors.
- CVE-2026-10691MEDIUM 4.3
A vulnerability in wonderwhy-er DesktopCommanderMCP through version 0.2.38 allows an authenticated user to trigger a denial-of-service condition by crafting malicious search result data that causes inefficient regular expression processing. The flaw is in the search-manager component and can be exploited remotely by any logged-in user. The vendor has released version 0.2.39 with a fix.
- CVE-2026-10692MEDIUM 4.3
A flaw exists in code-index-mcp versions up to 2.14.0 that allows authenticated users to cause performance degradation through specially crafted regular expressions. By submitting a malicious regex pattern to the search_code_advanced function, an attacker can trigger inefficient regex processing that consumes excessive CPU resources, leading to application slowdown or unresponsiveness. This is a denial-of-service weakness that requires login credentials to exploit but does not compromise confidentiality or data integrity.
- CVE-2026-10702MEDIUM 4.3
A flaw in Firefox's JavaScript Just-In-Time (JIT) compiler can cause it to miscompile code in certain circumstances. When a user visits a malicious website, the affected browser may crash or become unstable due to incorrect code generation during compilation. This is not a memory corruption issue and does not allow attackers to steal data or take control of the system, but it does impact availability and user experience.
- CVE-2026-10802MEDIUM 4.3
A resource consumption vulnerability exists in KeystoneJS, an open-source headless CMS and GraphQL API framework. The flaw resides in the GraphQL API endpoint handler and can be exploited by authenticated users to exhaust server resources, potentially causing a denial-of-service condition. The vulnerability affects KeystoneJS versions up to March 19, 2026. Exploitation requires valid credentials but can be performed remotely over the network.
- CVE-2026-10810MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0 and earlier. The flaw is located in the /navbar.php file, where unsanitized input in the 'page' parameter allows an attacker to inject malicious scripts. An attacker can craft a malicious URL and trick a user into clicking it, causing the injected script to execute in the victim's browser. This could lead to session hijacking, credential theft, or malware distribution. Public exploit code is available, increasing the risk of opportunistic attacks.
- CVE-2026-10854MEDIUM 4.3
CVE-2026-10854 is a visibility control flaw in MISP's event template creation feature that allowed unauthorized users to see private galaxy data from other organizations. When creating an event template, the system listed all enabled galaxies without checking whether the user's organization owned them or whether they were marked private. This exposed sensitive metadata like galaxy type and description to users who shouldn't have access. The vulnerability requires authentication to exploit and affects only information disclosure—no data modification or denial of service is possible. MISP has patched the issue by filtering galaxy visibility based on organization ownership and distribution settings.