By year

Vulnerabilities disclosed in 2026

CVEs published in 2026 with SEC.co analysis.

1678 published vulnerabilities · page 16 of 17

  • CVE-2026-10855MEDIUM 4.3

    MISP, a threat intelligence platform, contained an authorization flaw in its event template import feature. When an authenticated user attempted to overwrite an existing event template, the system verified that a template with that name existed but failed to check whether the importing user's organization actually owned it. This allowed users from one organization to forcibly overwrite event templates belonging to other organizations. The flaw only affected non-administrator users; site administrators retained the ability to manage templates across organizational boundaries by design. The vulnerability has been remediated by adding an ownership verification step before permitting any template overwrite operation.

  • CVE-2026-10864MEDIUM 4.3

    A flaw in MISP's dashboard widgets allows authenticated users with low-level access to bypass field restrictions and view sensitive information they shouldn't have access to. By manipulating which data fields the New Users and New Organisations widgets display, attackers can circumvent settings designed to hide user email addresses and other restricted organization metadata. The vulnerability stems from how the application processes field filtering—if redaction leaves the field list empty, it falls back to returning unfiltered data instead of enforcing safe defaults.

  • CVE-2026-11031MEDIUM 4.3

    Google Chrome's Password Manager fails to properly validate input from network traffic before displaying it to users. An attacker can craft malicious network data that tricks the Password Manager interface into showing fake or misleading information—for example, a phishing prompt that looks legitimate. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux.

  • CVE-2026-24756MEDIUM 4.3

    Kiteworks, a platform for secure data sharing and management, contains a flaw that allows authenticated users to modify data belonging to other users. The vulnerability stems from the application failing to properly verify that a user should have access to resources they're attempting to change. An attacker with valid credentials could exploit this to alter forms, templates, or other shared resources without authorization. The fix requires upgrading to version 9.3.0 or later.

  • CVE-2026-28511MEDIUM 4.3

    eLabFTW, an open-source electronic lab notebook platform, contains an information disclosure vulnerability affecting versions before 5.4.2. When an authenticated user performs a numeric search or reference lookup, the system may return resource titles that the user should not have access to view. The actual content of those resources remains protected—only the titles are exposed. This is particularly concerning because titles may contain sensitive information such as project names, patient identifiers, or regulated data that could constitute unauthorized disclosure.

  • CVE-2026-32250MEDIUM 4.3

    NamelessMC, a website platform used for Minecraft server management, contains a reflected cross-site scripting (XSS) vulnerability in version 2.2.4. The flaw exists in how the application handles the `id` parameter on the user queries endpoint. An attacker can embed malicious JavaScript in a specially crafted URL; when a user clicks that link, the script runs in their browser with access to the site's session and data. This could enable attackers to steal session cookies, redirect users to phishing pages, or modify page content to deceive users.

  • CVE-2026-32906MEDIUM 4.3

    OpenClaw versions prior to 2026.5.12 contain a privilege escalation flaw in their Slack plugin approval system. Users who hold limited exec approval permissions can manipulate the approval workflow to bypass intended authorization checks, allowing them to approve plugin actions that should require additional oversight or operator configuration. The vulnerability requires an authenticated user to exploit, reducing but not eliminating risk in environments with permissive access controls.

  • CVE-2026-34193MEDIUM 4.3

    CVE-2026-34193 describes a logic error in GPU memory address translation that allows a compromised kernel running inside a virtual machine to send malformed commands to the GPU firmware, causing it to write data to unintended locations in firmware memory. The vulnerability requires local access and an already-compromised kernel to exploit, but once triggered, it can corrupt GPU firmware state without authorization.

  • CVE-2026-36602MEDIUM 4.3

    A Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 has a flaw in its UPnP service that exposes internal kernel memory addresses to anyone on the same network segment. An attacker can query the router's UPnP interface to extract a raw MIPS kernel pointer, effectively creating a roadmap of how the router's operating system is laid out in memory. While this doesn't directly compromise the device, it removes a significant barrier to follow-up attacks by revealing memory layout details that are normally hidden.

  • CVE-2026-36613MEDIUM 4.3

    Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 leak sensitive internal memory to unauthenticated attackers on the same network. When an attacker sends HTTP POST requests to non-existent paths on the router's web interface, the device inadvertently returns 128 bytes of uninitialized buffer memory. This exposed data may contain router state information, configuration details, or other sensitive runtime values. The vulnerability requires physical or network adjacency—an attacker must be on the same local network segment—but no authentication or user interaction is needed to trigger it.

  • CVE-2026-36615MEDIUM 4.3

    The Mercusys AC12G (EU) router running firmware version AC12G(EU)_V1_200909 contains an unauthenticated information disclosure vulnerability. An attacker on the same local network can access a hidden endpoint (/agileconfigreset) that leaks internal buffer contents without requiring any credentials or user interaction. This information could be used to further compromise the device or the network it serves.

  • CVE-2026-36618MEDIUM 4.3

    The Mercusys AC12G (EU) router with firmware version AC12G(EU)_V1_200909 has a configuration issue that allows anyone on the local network to discover which version of the DNS resolver software (unbound 1.22.0) is running on the device. An attacker can query the router for this information and use it to identify known vulnerabilities affecting that specific DNS software version, making targeted attacks easier. This is a local network exposure only—an attacker would need network access to the router or its subnet to exploit it.

  • CVE-2026-4071MEDIUM 4.3

    The BirdSeed WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to change the plugin's authentication token without the site administrator's knowledge. An attacker can craft a malicious link or webpage that, when clicked by an admin, silently modifies the BirdSeed token stored in the site's database. This breaks the trust chain between your WordPress site and the BirdSeed service. The vulnerability affects all versions up to and including 2.2.0 and requires social engineering—tricking an administrator into clicking a link—but no authentication or special privileges are needed from the attacker's side.

  • CVE-2026-40914MEDIUM 4.3

    Apache Artemis has a flaw in how it enforces permissions when users communicate via the STOMP protocol. A user with permission to send or receive messages on a particular address can trick the system into accepting messages with a message routing-type that the address doesn't normally support. This bypasses an important security boundary: only administrators with explicit createAddress permission should be able to change an address's routing-type capabilities. An attacker could exploit this to send or consume messages in ways that violate the intended security policy, even though their basic send/consume permissions are legitimate.

  • CVE-2026-41014MEDIUM 4.3

    Apache Airflow contains an authorization bypass in its UI that allows authenticated users to view information about data pipeline runs (DAGs) they shouldn't have access to. Specifically, a user with broad asset-level read permissions can see partition run states, scheduling details, and data connections for DAGs restricted to other teams or users. This affects only deployments that intentionally segment DAG access by user or role while granting wider asset visibility. The vulnerability requires an existing user account and network access to the Airflow UI or API.

  • CVE-2026-41115MEDIUM 4.3

    Apache Kafka contains an authorization mismatch in its consumer group metadata API. The CONSUMER_GROUP_DESCRIBE operation checks for DESCRIBE permission on groups, but Kafka's documentation and the relevant design specification (KIP-848) incorrectly state it should check for READ permission. This inconsistency between code behavior and documentation can lead to misconfigured access controls—either granting unintended READ access to users who only have DESCRIBE permissions, or blocking legitimate access for users who rely on documentation-based ACL configurations. The vulnerability is not a code flaw but a documentation gap that can cause real-world security postures to diverge from intent.

  • CVE-2026-41160MEDIUM 4.3

    EspoCRM contains a logic flaw that allows lower-privileged users to pin notes they don't have permission to edit. The vulnerability stems from a timing issue in the API backend: the system modifies the note in the database before checking whether the user is actually authorized to do so. Even though the server returns an error message afterward, the damage is already done—the note remains pinned. This affects EspoCRM versions before 9.3.5.

  • CVE-2026-42540MEDIUM 4.3

    IRIS is a collaborative web platform used by incident response teams to share and document technical details during security investigations. A vulnerability in versions before 2.4.28 allows authenticated users to modify database records through specially crafted API requests, potentially corrupting or altering incident investigation data. The issue requires valid login credentials to exploit and affects data integrity rather than confidentiality.

  • CVE-2026-42543MEDIUM 4.3

    IRIS, a web-based platform used by incident responders to collaborate and share technical details during investigations, contains a cross-site request forgery (CSRF) vulnerability in versions prior to 2.4.28. The vulnerability exists because the platform uses HTTP GET requests to perform state-changing actions on the server—a design flaw that allows an attacker to trick authenticated users into unknowingly executing unwanted actions. An attacker could craft a malicious link or webpage that, when visited by an IRIS user, silently modifies data or settings without the user's knowledge or consent.

  • CVE-2026-45264MEDIUM 4.3

    Nextcloud versions spanning 17.0.0 through 21.0.3 contain a permission bypass vulnerability that allows users with read and create access—but explicitly not update access—to rename files within team folders. This unintended capability undermines the granular permission model Nextcloud enforces, potentially enabling unauthorized modification of file metadata and organizational disruption. The issue affects a broad version range and has been patched across all active release lines.

  • CVE-2026-45286MEDIUM 4.3

    An authenticated user on a Nextcloud instance can discover other users' identities by abusing the Calendar app's attendee-suggestion feature. The vulnerability exists because this endpoint bypasses the access controls that Nextcloud applies elsewhere. An attacker already logged into the system can systematically enumerate valid usernames, potentially laying groundwork for targeted attacks like password spraying or social engineering. The flaw affects Nextcloud versions 5.5.13 through 5.5.16 and 6.2.0 through 6.2.2.

  • CVE-2026-45544MEDIUM 4.3

    Nextcloud Tables, a collaborative document and data management component, contains an information disclosure vulnerability affecting versions 0.8.0 through 1.0.3. The issue allows users with read-only access to view filter criteria—potentially including sensitive column names, field definitions, or search logic—that should have been restricted to higher-privilege users. This represents a low-severity data exposure that could leak operational details about table structure and content filtering strategies. The vulnerability has been resolved in Nextcloud Tables versions 1.0.4 and 2.0.0.

  • CVE-2026-45729MEDIUM 4.3

    ThorVG, a vector graphics rendering engine, contains a flaw that can crash applications using it when they process malicious SVG files. An attacker can craft a specially formatted SVG document as small as 6 bytes that triggers an application crash when the affected code path is invoked. This is a denial-of-service vulnerability affecting availability but not data confidentiality or integrity. The issue was introduced in earlier versions and is resolved in ThorVG 1.0.5.

  • CVE-2026-46605MEDIUM 4.3

    Apache ActiveMQ has an authorization flaw that allows authenticated users to delete message queues and topics they shouldn't be able to modify. An attacker with valid credentials to your messaging system could disrupt operations by removing critical destinations, even if permission controls suggest they shouldn't have that ability. This affects ActiveMQ versions before 5.19.7 and 6.0.0 through 6.2.5.

  • CVE-2026-46764MEDIUM 4.3

    Apache Airflow contains an authorization bypass flaw in its audit-log API endpoints. An authenticated user with read access to audit logs for one workflow (Dag) can bypass per-Dag scoping restrictions and view audit-log entries from any other Dag in the same Airflow deployment by directly requesting specific event log IDs. The vulnerability stems from inconsistent permission enforcement: the collection endpoint properly restricts results by Dag, but the detail endpoint applies only a generic audit-log permission check without verifying the requester has access to the specific Dag whose logs are being retrieved. This allows low-privileged users to enumerate and read sensitive audit trails across Dags they should not be able to access.

  • CVE-2026-47675MEDIUM 4.3

    Hono, a JavaScript web framework, contains a flaw in how it sanitizes cookie options. While the framework validates certain cookie parameters (domain and path) to prevent malicious characters from breaking the Set-Cookie header, it fails to apply the same checks to sameSite and priority options. If an application passes user-controlled input directly into these parameters, an attacker could inject additional cookie attributes into the response header, potentially manipulating cookie behavior or setting unintended security policies.

  • CVE-2026-47696MEDIUM 4.3

    WWBN AVideo, an open-source video hosting platform, contains a payment processing vulnerability in versions 29.0 and earlier. When both the AuthorizeNet and YPTWallet plugins are active, any logged-in user can artificially inflate their account wallet balance without actually paying. The vulnerable endpoint accepts a user-supplied amount parameter and immediately credits the wallet without verifying that a real payment transaction occurred through Authorize.Net. This is a financial manipulation flaw that bypasses payment authentication entirely.

  • CVE-2026-48810MEDIUM 4.3

    FreeScout, a free help desk platform built on Laravel, contains an authorization flaw in version 1.8.220 and earlier. A user with conversation editing permissions who authored a message in one mailbox can edit that message's content even after an administrator removes them from that mailbox. The vulnerability exploits a gap in access controls: the system verifies the user created the message and has the global edit permission, but fails to confirm the user still belongs to the mailbox where the conversation lives. This allows former mailbox members to alter thread history and potentially mislead team members or customers.

  • CVE-2026-48811MEDIUM 4.3

    FreeScout, an open-source helpdesk and shared inbox platform, contains a flaw that allows former team members to permanently delete internal notes—even after their access to the mailbox has been revoked. A non-admin user who previously created private threads in a conversation can return and destroy those notes without authorization, because the system fails to verify whether the user still belongs to the mailbox. This affects FreeScout versions before 1.8.221.

  • CVE-2026-4888MEDIUM 4.3

    Everest Forms, a popular WordPress form-building plugin, contains a security flaw that allows low-privilege logged-in users to send emails from your website to anyone they choose. Any user with Subscriber access or higher can exploit this by calling an internal email-testing function without proper permission checks. This doesn't require clicking malicious links or advanced technical skills—just authenticated access to your WordPress admin panel.

  • CVE-2026-49140MEDIUM 4.3

    Nanobot versions before 0.2.1 have a denial-of-service flaw in how they handle media downloads from Matrix chat rooms. An authenticated user in a room can deliberately send specially crafted media events with missing or wrong size information, causing the system to download large files without properly checking their declared sizes first. By sending many of these malicious requests at once, an attacker can force the Nanobot process to consume excessive memory and bandwidth until the service becomes slow or unresponsive. The attacker must already be a member of the room to exploit this.

  • CVE-2026-49322MEDIUM 4.3

    The 2025 Indian Motorcycle Scout Bobber + Tech model contains a flaw in its wireless control system that allows someone with access to the motorcycle's internal network to steal the owner's PIN unlock code by observing just a single authentication attempt. Instead of using proper cryptographic security, the system performs simple mathematical operations that can be reversed to recover the PIN, completely bypassing the bike's primary security lock.

  • CVE-2026-49323MEDIUM 4.3

    The 2025 Indian Motorcycle Scout Bobber + Tech model contains a flaw in how its wireless control module authenticates with the engine control module. An attacker positioned on the vehicle's internal network can intercept a single authentication exchange and reverse-engineer the motorcycle's immobilizer secret—the cryptographic key that prevents unauthorized engine starts. Once recovered, the attacker can bypass the immobilizer entirely and start the engine without the key fob.

  • CVE-2026-49369MEDIUM 4.3

    JetBrains YouTrack versions before 2026.1.13162 contained a flaw that allowed authenticated users to access sensitive information about other users and groups they shouldn't be able to see. The vulnerability is limited to the Users and Groups administrative pages and requires valid login credentials to exploit. This is a straightforward authorization issue where the application failed to properly restrict who could view certain user and group data.

  • CVE-2026-49377MEDIUM 4.3

    JetBrains TeamCity contains a configuration flaw where default agent parameters inadvertently expose sensitive data to authenticated users. An attacker with valid login credentials can access information through TeamCity's agent configuration that should remain restricted. This is a network-accessible issue affecting TeamCity deployments before version 2025.11.2, though the vulnerability requires prior authentication to exploit.

  • CVE-2026-49378MEDIUM 4.3

    JetBrains TeamCity contained a vulnerability where stored credentials could be inadvertently exposed through the parameter autocompletion feature. When users typed in parameter fields, the system would suggest previously stored credential values, potentially revealing sensitive authentication data to anyone with access to the TeamCity interface. This issue affects TeamCity versions prior to 2026.1 and requires an authenticated user to interact with the affected feature. The exposure is limited to local disclosure within the TeamCity environment rather than remote exfiltration.

  • CVE-2026-7526MEDIUM 4.3

    The PDF Embedder plugin for WordPress contains a flaw that allows authenticated users with basic contributor permissions or higher to access sensitive configuration information. If the premium add-on is installed with a saved license key, that key can be exposed; on free installations, the exposure is limited to non-sensitive viewer settings like dimensions and toolbar options. An attacker would need valid WordPress login credentials at the contributor level or above to exploit this, but no user interaction or network complexity is required once authenticated.

  • CVE-2026-7533MEDIUM 4.3

    The Easy Digital Downloads plugin for WordPress contains a security flaw that allows attackers to hijack a store's Square payment processing account. An attacker can send a malicious link to a WordPress administrator; if clicked while logged in, the link silently changes the store's Square payment credentials to attacker-controlled ones, redirecting future payments to the attacker. The vulnerability exists because the plugin does not verify that payment configuration requests come from legitimate, authorized actions—a standard web security practice called CSRF protection.

  • CVE-2026-7621MEDIUM 4.3

    The SMTP2GO for WordPress plugin contains an authorization flaw that allows any logged-in user with subscriber-level permissions or higher to delete all SMTP email logs from the database or export sensitive email records to CSV format. This affects all versions up to 1.16.0 and exposes recipient addresses, sender information, message subjects, and API response data. An attacker with basic user access can perform these destructive and data-exfiltration actions without additional authentication checks.

  • CVE-2026-8422MEDIUM 4.3

    The Remove meta boxes per user role WordPress plugin contains a security flaw that allows attackers to change how meta boxes (content panels) are hidden or shown for different user roles on a WordPress site. An attacker can't do this directly, but by tricking a site administrator into clicking a malicious link, the attacker can force the admin's browser to make unauthorized changes to these visibility settings. The vulnerability affects all versions up to and including 1.01.

  • CVE-2026-8682MEDIUM 4.3

    The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On WordPress plugin contains a flaw that allows users with basic subscriber access to change critical plugin settings they should not be able to modify. An authenticated attacker can bypass authorization checks to write arbitrary data directly to the plugin's configuration stored in the database, potentially affecting how the 3D viewer and virtual try-on features function across the site.

  • CVE-2026-8689MEDIUM 4.3

    The Visualizer: Tables and Charts Manager WordPress plugin contains an authorization bypass flaw that allows logged-in users with minimal privileges (Subscriber level and above) to create chart posts without proper permission checks and to view or modify charts belonging to other users, including site administrators. The vulnerability affects all versions through 3.11.14 and stems from missing capability validation in two critical AJAX functions. While the flaw requires an authenticated account, the low barrier to entry and potential for unauthorized data access make it a meaningful risk for multi-user WordPress installations.

  • CVE-2026-8995MEDIUM 4.3

    The Poll Maker – Versus Polls plugin for WordPress has a flaw that lets logged-in users see sensitive account information they shouldn't access, including password hashes. The vulnerability stems from an AJAX endpoint that returns the entire WordPress user object without proper security checks. Any subscriber or higher can call this endpoint and retrieve not just their own data, but potentially others' account details including email addresses, registration dates, roles, and capabilities. While the exposure doesn't immediately compromise an account, the password hash data could be targeted by offline cracking attempts.

  • CVE-2026-9015MEDIUM 4.3

    The Equalize Digital Accessibility Checker plugin for WordPress contains a flaw that allows users with basic subscriber access to modify accessibility audit findings they shouldn't be able to touch. An authenticated attacker can change whether issues are marked as ignored, alter the reason for ignoring them, and add comments to any accessibility finding on the site. In some cases, they can perform bulk modifications across multiple related findings at once. This means someone with minimal privileges could systematically hide or dismiss accessibility compliance problems, undermining the integrity of WCAG and ADA audit records without proper authorization.

  • CVE-2026-9048MEDIUM 4.3

    Slider Revolution, a popular WordPress plugin, contains a vulnerability that allows authenticated users with basic contributor privileges to view sensitive social media API credentials through a specific AJAX action. An attacker with contributor-level access or higher can call the 'slider.get.full' AJAX action to retrieve raw API tokens and keys—including Instagram OAuth tokens, Flickr API keys, YouTube Data API credentials, and Facebook App IDs—that have been configured within slider settings. This exposure affects plugin versions 7.0.0 through 7.0.14.

  • CVE-2026-9050MEDIUM 4.3

    Slider Revolution, a popular WordPress plugin, contains a flaw that allows contributors and higher-privileged users to disable any plugin on a WordPress site without proper authorization checks. An attacker with basic contributor access—a common account level in multi-author sites—can leverage this to shut down security plugins, backup solutions, or other critical extensions. The vulnerability affects versions 6.0.0 through 6.7.55 and 7.0.0 through 7.0.14.

  • CVE-2026-9228MEDIUM 4.3

    A WordPress plugin called Timetable and Event Schedule by MotoPress has a flaw that allows users with contributor-level access or higher to see confidential information they shouldn't have access to. Specifically, they can view drafts, pending reviews, and private event posts created by other users, including the content, excerpts, and author information. The vulnerability stems from the plugin failing to properly validate user input when retrieving event data, making it possible to directly access posts by guessing or enumerating their IDs.

  • CVE-2026-9234MEDIUM 4.3

    The JTL-Connector for WooCommerce plugin contains authorization flaws that allow low-privileged WordPress users (Subscriber level and above) to perform administrative actions without proper permission checks. Specifically, attackers can change plugin configuration, download sensitive log files containing developer information, and delete those logs. This bypasses WordPress's built-in permission model and could lead to configuration tampering or information disclosure.

  • CVE-2026-9241MEDIUM 4.3

    The FOX – Currency Switcher Professional for WooCommerce plugin contains a flaw that lets authenticated users trick the system into thinking they have higher privileges than they actually do. By manipulating a request parameter, a subscriber-level user can impersonate a wholesale customer or administrator to access pricing they shouldn't be able to see. This only matters if your store uses the fixed user-role pricing feature and has set special prices for privileged customer types.

  • CVE-2026-9599MEDIUM 4.3

    The Tectite Forms plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions through 1.3. An attacker can trick a site administrator into clicking a malicious link, which then allows the attacker to change the plugin's settings without the administrator's knowledge. This could include modifying the tectite_forms_button option or other plugin configurations. The vulnerability requires social engineering but poses a real risk to WordPress sites using this plugin.

  • CVE-2026-9618MEDIUM 4.3

    The PeachPay plugin for WordPress, which integrates payment processing for Stripe, PayPal, Square, and other providers, contains a cross-site request forgery (CSRF) vulnerability in all versions up to 1.120.46. An attacker can craft a malicious link or webpage that, when clicked by a site administrator, silently deletes all stored Stripe credentials from the site's database without the administrator's knowledge or consent. This disables Stripe payments immediately and requires the administrator to reconfigure the integration. The attack requires social engineering to trick an admin into clicking the link, but requires no special authentication or technical sophistication once the admin takes the bait.

  • CVE-2026-9722MEDIUM 4.3

    The Laiser Tag plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability affecting all versions through 1.2.5. An attacker can craft a malicious link or webpage that, when clicked by a site administrator, silently modifies critical plugin settings without the administrator's knowledge or consent. This includes changes to API keys, tag filtering rules, and tagging behavior—settings that directly control how the plugin functions across the site.

  • CVE-2026-9723MEDIUM 4.3

    The Google Plus One Bottom plugin for WordPress contains a cross-site request forgery (CSRF) flaw that allows attackers to manipulate plugin settings without proper authorization. An attacker can craft a malicious link or web page that, when clicked by a site administrator, will change critical plugin configuration options—such as language preferences, callback functions, and URLs—without the administrator's knowledge or consent. This attack requires social engineering to trick an admin into clicking the malicious link, but requires no authentication or technical exploit code to execute.

  • CVE-2026-9730MEDIUM 4.3

    The Remove NoFollow Commenter URL plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability that allows unauthenticated attackers to change how the plugin displays comments. An attacker can craft a malicious link or webpage that, when clicked by a WordPress site administrator, silently modifies the plugin's comment settings without the administrator's knowledge or consent. This requires social engineering to trick an admin into visiting the attacker's content, but requires no special technical skills to exploit once that condition is met.

  • CVE-2026-9732MEDIUM 4.3

    The EmergencyWP plugin for WordPress has a security flaw that allows attackers to change important plugin settings without authorization. An attacker would need to trick a WordPress site administrator into clicking a malicious link, but if successful, they could alter access controls, email addresses, and other critical configurations. This is a cross-site request forgery (CSRF) vulnerability caused by the plugin failing to properly validate requests before processing them.

  • CVE-2026-9791MEDIUM 4.3

    An authenticated user who belongs to a Keycloak organization can request tokens or access APIs in ways that expose organization metadata, even after an administrator has turned off the Organizations feature. This metadata leakage could cause downstream applications (resource servers) to make incorrect access control decisions based on stale or unintended organization information.

  • CVE-2026-9798MEDIUM 4.3

    Keycloak's account lockout feature, which temporarily disables accounts after repeated failed login attempts, can be bypassed when an attacker possesses valid client credentials. By using the Client-Initiated Backchannel Authentication (CIBA) flow—a legitimate OAuth 2.0 feature—attackers can circumvent the lockout and continue attempting to authenticate or obtain tokens. This undermines brute-force protection and creates a secondary path for unauthorized access once the attacker has obtained initial client credentials.

  • CVE-2026-9807MEDIUM 4.3

    GitLab has patched a flaw in its Community and Enterprise editions where a Project Access Token that was supposed to be blocked could still access private project resources. This happened because the authorization checks weren't applied correctly when a token was revoked or blocked. An authenticated user with permissions to create or manage tokens could potentially exploit this before the fix was released, though the vulnerability requires prior login access and the attacker would need knowledge of or ability to create a blocked token.

  • CVE-2026-9907MEDIUM 4.3

    A memory read vulnerability in Google Chrome's Dawn graphics component allows attackers to access sensitive data from different website origins. An attacker can craft a malicious web page that, when visited by a user, tricks Chrome into reading memory beyond intended boundaries and leaking information from other websites the user may have open. This affects Windows systems running Chrome versions prior to 148.0.7778.216.

  • CVE-2026-9911MEDIUM 4.3

    CVE-2026-9911 is a memory safety issue in the ANGLE graphics library used by Google Chrome. When a user visits a specially crafted webpage, an attacker can read small amounts of sensitive data from the browser's memory. The vulnerability requires user interaction—visiting the malicious page—but needs no special permissions or browser configuration to exploit. While the data exposure is limited in scope, it could leak sensitive information like passwords, tokens, or cached credentials stored in memory.

  • CVE-2026-9913MEDIUM 4.3

    A flaw in the ANGLE graphics library component of Google Chrome prior to version 148.0.7778.216 could allow an attacker to access memory outside intended bounds when a user visits a malicious website. The vulnerability requires user interaction (visiting a crafted page) but does not require special privileges. Potential impacts include disclosure of sensitive information, though the attacker cannot modify data or crash the browser directly through this flaw.

  • CVE-2026-9919MEDIUM 4.3

    A WebGL processing flaw in Google Chrome for Android allows attackers to read data they shouldn't have access to by tricking users into visiting a malicious webpage. The vulnerability exists in how Chrome handles certain graphics operations and can leak information across website boundaries, but only affects the Android version of Chrome and requires user interaction to exploit.

  • CVE-2026-9921MEDIUM 4.3

    Google Chrome on Android contains a flaw in its WebGL graphics processing where memory buffers may not be properly initialized before use. An attacker can exploit this by crafting a malicious HTML page that, when visited, allows them to read sensitive information from other websites—a cross-origin data leak. The vulnerability requires user interaction (clicking a link or viewing a page) but does not require special privileges or complex attack setup.

  • CVE-2026-9929MEDIUM 4.3

    A flaw in how Google Chrome on Android handles WebGL—a technology that enables 3D graphics in web browsers—could allow an attacker to trick a user into visiting a malicious webpage and expose data from other websites the user has open. The attacker cannot force this to happen; the user must interact with the page, such as by clicking or scrolling. This is a cross-origin data leak, meaning sensitive information from one domain could become visible to JavaScript code running on an attacker's domain.

  • CVE-2026-9930MEDIUM 4.3

    An out-of-bounds write vulnerability exists in the Dawn graphics component of Google Chrome on macOS. An attacker can craft a malicious HTML page that, when viewed by a user, writes data to memory locations outside the intended bounds of a buffer. This memory corruption could allow an attacker to modify sensitive data or potentially achieve code execution, though the CVSS assessment indicates the integrity impact is limited. The vulnerability requires user interaction—the victim must visit or be directed to the malicious page—and affects Chrome versions prior to 148.0.7778.216 on macOS.

  • CVE-2026-9935MEDIUM 4.3

    CVE-2026-9935 is a memory safety issue in Google Chrome's ANGLE graphics library that allows attackers to steal sensitive data from other websites. When you visit a malicious webpage, an attacker can craft it to leak information that should be isolated to other sites you have open. The vulnerability requires user interaction—you must visit the attack page—but the bar for exploitation is otherwise low. Google has classified this as High severity internally, though the CVSS score reflects a more limited scope.

  • CVE-2026-9943MEDIUM 4.3

    A memory access flaw in Google Chrome's WebGL implementation on Android allows attackers to read data from other websites through a specially crafted web page. When a user visits the malicious page, the attacker can extract information (such as authentication tokens, session cookies, or sensitive content) from sites the user is logged into. This is a cross-origin data leak—meaning the attacker can access information meant to be isolated to other domains.

  • CVE-2026-9955MEDIUM 4.3

    A vulnerability in Google Chrome on iOS versions before 148.0.7778.216 allows attackers to extract sensitive information from websites the user visits. An attacker would craft a malicious webpage and trick a user into visiting it; the page can then read data intended to be private to other websites. This is a cross-origin data leak—a violation of the browser's same-origin policy that normally prevents websites from accessing each other's information.

  • CVE-2026-48522MEDIUM 4.2

    PyJWT, a widely-used Python library for JSON Web Token handling, has a vulnerability in versions before 2.13.0 where it blindly accepts any URL scheme when fetching public key sets (JWKS). An attacker who can influence the URL used to fetch these keys—through JWT headers, configuration, or OAuth parameters—can trick the application into reading local files, attempting unusual protocol connections (FTP, data URIs), or in certain chained scenarios, forging valid tokens. The vulnerability requires specific conditions: the attacker must control the URL source, and token forgery scenarios require additional application-layer flaws like writable filesystem access.

  • CVE-2026-9986MEDIUM 4.2

    CVE-2026-9986 is a UI spoofing vulnerability in Google Chrome's OptimizationGuide component that could let an attacker deceive users about what they're seeing on a webpage. The vulnerability requires the attacker to have already compromised Chrome's rendering process—the engine that draws web content. While this limits the immediate attack scope, it represents a meaningful escalation risk for adversaries who have achieved code execution in that sandboxed component. The flaw stems from inadequate validation of user-supplied input before it's used to generate on-screen elements.

  • CVE-2024-47263MEDIUM 4.1

    A path traversal flaw in Synology Hyper Backup's web API allows administrators who already have legitimate access to write files outside their intended directory. The vulnerability is constrained to non-sensitive file types, limiting immediate damage, but represents a control-boundary weakness that could enable privilege misuse or lateral movement in environments where admin accounts are compromised or where insider threat is a concern.

  • CVE-2026-10052MEDIUM 4.1

    Quay's configuration tool contains a weakness in how it validates LDAP and SMTP settings. When a configuration editor supplies endpoints for these services, the tool connects to them without restricting which IP addresses or hostnames are allowed. An attacker with config editor privileges can abuse this to make the Quay container reach internal network resources, allowing them to map and discover the organization's internal infrastructure from inside the cluster's network position.

  • CVE-2026-37700MEDIUM 4.1

    MaxSite CMS version 109.2 contains a cross-site scripting (XSS) vulnerability in its backend file upload feature that allows authenticated attackers to inject malicious scripts. When an administrator performs a file upload through the admin page endpoint, an attacker with login credentials could craft a request that executes JavaScript in the victim's browser, potentially exposing sensitive information displayed during the upload process.

  • CVE-2026-42401MEDIUM 4.1

    CVE-2026-42401 is a stored HTML injection vulnerability in Kibana that allows an attacker with write access to an Elasticsearch index to inject malicious markup. When other users view the affected Kibana dashboard or visualization, the injected code is not properly sanitized before rendering in their browser. This can enable unauthorized UI changes and cause the victim's browser to make unintended outbound network requests on their behalf.

  • CVE-2019-25723MEDIUM 4.0

    Dräger Perseus A500 ventilators running software versions 2.00 through 2.02 are vulnerable to a denial-of-service attack. An attacker on the network can send malformed data through the Medibus medical interface to crash the device's processor, forcing a warm restart. During this restart—which lasts several seconds—ventilation pressure drops to ambient level, temporarily interrupting therapy delivery before the device recovers. This is a network-accessible vulnerability with no authentication required, making it a genuine concern for clinical environments.

  • CVE-2019-25734MEDIUM 4.0

    Contact Form by WD version 1.13.1 has a security flaw that combines two weaknesses: a cross-site request forgery (CSRF) vulnerability and local file inclusion (LFI). An unauthenticated attacker can craft a malicious web form that, when visited by an admin, tricks the admin's browser into loading arbitrary files from the server using directory traversal sequences. This bypasses the normal authentication checks on certain WordPress AJAX actions, potentially exposing sensitive files.

  • CVE-2021-4479MEDIUM 4.0

    Dräger Atlan A350 patient monitoring devices running firmware versions 1.00 through 1.01 are vulnerable to a denial-of-service attack delivered through the Medibus network interface. An attacker can send malformed data packets that the device fails to validate properly, causing the internal processor to become overloaded. Over several hours, this degradation manifests as loss of data transmission capability, delays in displaying vital sign curves, and discrepancies between measured airway pressure and displayed values—conditions that could compromise clinical decision-making in critical care settings.

  • CVE-2026-10099MEDIUM 4.0

    XX-Net V5.16.6 has a flaw in how it processes WebSocket communications that causes data corruption. When a client sends WebSocket frames without proper masking, the server incorrectly interprets the first 4 bytes of the message as a mask key (even when masking wasn't used), then mangles the rest of the data by applying the wrong decryption. This results in corrupted data being processed by the application. The vulnerability affects local attack scenarios and has medium severity.

  • CVE-2026-10998MEDIUM 4.0

    CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.

  • CVE-2026-28581MEDIUM 4.0

    A logic error in Android's call processing code allows an application to initiate emergency calls without proper authorization checks. The vulnerability stems from inadequate validation in the CallIntentProcessor when determining the initiating user, potentially enabling an app to trigger emergency dialing functionality that should be restricted. No user interaction is required for exploitation, and the issue affects multiple Android versions.

  • CVE-2026-30963LOW 3.9

    Capsule is a Kubernetes framework that uses webhooks to prevent tenant administrators from hijacking namespaces—essentially taking control of cluster resources they shouldn't own. The framework checks most update requests, but it misses two specific APIs (namespace/status and namespace/finalize subresources) that can also change namespace ownership markers. Before version 0.13.0, a tenant admin with permission to use these subresources could bypass the webhook protection and seize a namespace. Version 0.13.0 patches this gap by ensuring the webhook intercepts both subresource types.

  • CVE-2026-10299LOW 3.8

    CVE-2026-10299 is a resource identifier control vulnerability in code-projects Online Hospital Management System version 1.0. An authenticated attacker with high-level privileges can manipulate the 'delid' parameter in the viewdoctortimings.php file to cause unintended modifications or deletion of data. While the flaw requires administrative or high-privilege access and carries a low CVSS score, the availability of public exploit code warrants attention in environments running this system.

  • CVE-2026-40510LOW 3.8

    OpenSC, a widely-used open-source smart card library, contains a stack buffer overflow flaw in how it processes the Key History Object from PIV (Personal Identity Verification) cards. An attacker with physical access to a system could craft a malicious smart card or USB device that returns an oversized URL field—exceeding 118 bytes—triggering memory corruption. This vulnerability requires the attacker to be physically present at the machine and involves user interaction, limiting its reach but posing a real concern in environments where untrusted hardware may be connected.

  • CVE-2026-40528LOW 3.8

    OpenSC, a widely-used open-source library for working with smart cards and cryptographic tokens, contains a buffer overflow vulnerability in its profile configuration parser. When OpenSC's pkcs15-init tool processes a maliciously crafted configuration file, it can be tricked into copying more data than a buffer can hold, corrupting memory. An attacker would need local access to supply the malicious file and convince a user to run the initialization tool, but successful exploitation could allow memory corruption and potential code execution.

  • CVE-2026-45683LOW 3.8

    OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 contain a memory disclosure vulnerability in the Java TLS monitoring probe. The vulnerability stems from incorrect kernel memory access calls that allow a local attacker to read sensitive kernel memory and exfiltrate it through the instrumentation telemetry pipeline. This is a localized information disclosure risk that requires local process-level access to exploit.

  • CVE-2026-6816LOW 3.8

    Drupal's TFA Basic Plugins module contains a flaw that allows administrators with user management permissions to access or create recovery codes intended for other users. This bypasses the expected access controls around two-factor authentication recovery mechanisms. The vulnerability is restricted to versions 7.x-1.0 through 7.x-1.2, and exploitation requires administrative privileges, limiting its immediate threat to environments where admin accounts are already compromised or where trust boundaries have been violated.

  • CVE-2025-52609LOW 3.7

    HCL iControl is missing HTTP security headers that would instruct modern web browsers to block cross-site scripting (XSS) attacks. Without these headers—such as Content-Security-Policy or X-XSS-Protection—the application relies on older browser XSS filters that are inconsistently implemented and increasingly deprecated. An attacker could craft malicious input that, when processed by iControl, gets reflected in responses without proper sanitization, potentially allowing script execution in users' browsers.

  • CVE-2026-10169LOW 3.7

    A weakness in the password recovery feature of OUSL-GROUP-BrinaryBrains School Student Management System allows an attacker to manipulate the email parameter in the forgot password function, potentially leading to unauthorized password resets or account takeover. The vulnerability exists in the Login.php controller's ajax_forgot_password endpoint. While exploitable remotely, the attack requires specific conditions and is considered of low severity. Exploit code is publicly available, increasing risk of opportunistic attacks.

  • CVE-2026-10216LOW 3.7

    A vulnerability has been discovered in unitedbyai droidclaw version 0.5.3 and earlier that weakens authentication security on the claim endpoint. The flaw allows attackers to bypass rate limiting or account lockout protections during login attempts, potentially enabling brute-force attacks to guess user credentials. While a public exploit exists, the attack requires specific conditions and technical skill to execute successfully. The vendor has been notified but has not yet released a fix.

  • CVE-2026-10300LOW 3.7

    SGLang version 0.5.10.post1 contains a vulnerability in its inference HTTP endpoint that can be triggered by manipulating the lora_path argument. When an attacker provides a specially crafted lora_path value, the system reaches an assertion condition that causes the service to become unavailable. This is a remote vulnerability requiring network access, though the attack is complex to execute and not trivial to exploit in practice.

  • CVE-2026-24761LOW 3.7

    CVE-2026-24761 is an authorization flaw in Kiteworks Secure Data Forms that allows authenticated users to view metadata belonging to other users. Because the system doesn't properly verify who owns a resource before allowing access, a legitimate user can craft requests to retrieve information about files and documents they shouldn't see. The vulnerability requires an attacker to already have valid credentials and involves a higher complexity of exploitation, which limits its risk profile. This affects Kiteworks versions before 9.3.0.

  • CVE-2026-44546LOW 3.7

    Daphne, a popular ASGI server for Django applications, contains a header parsing vulnerability that allows attackers to inject additional HTTP headers into requests under specific conditions. The issue arises from a mismatch in how Daphne and the underlying WebSocket library (autobahn) interpret certain whitespace characters as line separators. By crafting requests with specific byte sequences in header values, an attacker can inject headers that the application receives, potentially leading to security bypasses depending on application logic. Daphne versions before 4.2.2 are affected. The vulnerability has a low CVSS score (3.7) and requires specific conditions to exploit, but organizations running affected versions should still apply the patch.

  • CVE-2026-48524LOW 3.7

    PyJWT, a widely-used Python library for handling JSON Web Tokens (JWTs), contains a weakness in how it fetches public signing keys. When a JWT arrives with an unfamiliar key identifier (kid), the library will make a fresh HTTP request to retrieve the correct signing key—without any protection against repeated requests for the same unknown identifier. An attacker can exploit this by sending JWTs with different fake kid values, forcing the library to make outbound requests for each one. While the actual impact depends on whether the signing-key endpoint has its own rate limiting or becomes saturated, the vulnerability allows an attacker to potentially cause a denial-of-service condition through request amplification. This issue is resolved in PyJWT 2.13.0 and later.

  • CVE-2026-5419LOW 3.7

    A timing vulnerability has been discovered in GnuTLS, a widely-used encryption library. When the library decrypts data protected with PKCS#7 padding, the padding verification process takes different amounts of time depending on the content of the padding bytes. An attacker with network access could measure these timing differences to infer information about the padding, potentially revealing details about encrypted messages. This is a subtle flaw that requires precise network-level observation to exploit, making it a low-risk issue in most environments, but one that sophisticated attackers targeting high-value communications might attempt.

  • CVE-2026-10766LOW 3.6

    MLRun versions up to 1.12.0-rc3 contain a weakness in how they hash dataframes. The vulnerable function in mlrun/utils/helpers.py uses cryptographic methods that are considered inadequate for security purposes. An attacker with local access to a system running MLRun could potentially manipulate or forge data integrity checks, though doing so requires significant technical effort and local privileges. The vulnerability is not currently listed as actively exploited in the wild, but proof-of-concept details have been publicly disclosed.

  • CVE-2026-10775LOW 3.6

    CVE-2026-10775 is a denial-of-service vulnerability in SGLang's cache handling mechanism. An attacker with local system access and user-level privileges can trigger a crash or service interruption by exploiting the data_hash function in the cache handler. The attack requires specific knowledge of the system's cache internals, making it moderately difficult to execute, though proof-of-concept code has been publicly disclosed.

  • CVE-2026-10800LOW 3.6

    PaddlePaddle FastDeploy versions up to 2.4.1 contain a weakness in how the MultimodalHasher component generates hashes for multimodal features. An attacker with local system access and user-level privileges could manipulate the hash_features function to use cryptographically weak hashing, potentially allowing them to forge or predict hash values. This is a low-severity issue that requires both local access and significant technical effort to exploit.

  • CVE-2026-10801LOW 3.6

    A weakness in how ModelScope's ms-swift library (versions up to 4.2.0) hashes cached PIL images creates a local integrity risk. An attacker with local system access and user-level privileges could manipulate image cache validation, potentially leading to cache poisoning or image substitution. The vulnerability requires significant technical effort to exploit and poses limited immediate threat in most environments, but should be addressed before deployment in sensitive workflows.

  • CVE-2026-10803LOW 3.6

    MLflow versions up to 3.10.0 contain a cryptographic weakness in the Dataset Digest Computation module. The vulnerability uses an insufficiently strong hash function for dataset digest operations, which could allow an attacker with local system access and user-level privileges to tamper with dataset integrity checks or trigger application errors. Exploitation requires significant technical effort and local presence on the affected machine.

  • CVE-2026-10804LOW 3.6

    Streamlit versions up to 1.53.0 contain a weak cryptographic hashing vulnerability in its palette handler component. An attacker with local system access and authenticated user privileges can manipulate the hashing function to produce predictable or non-unique hash values, potentially allowing them to bypass integrity checks or cause minor application disruptions. The attack is complex and requires deep knowledge of the affected code path, making opportunistic exploitation unlikely. However, the vulnerability is not currently tracked as an active threat on CISA's Known Exploited Vulnerabilities catalog.