By year
Vulnerabilities disclosed in 2026
CVEs published in 2026 with SEC.co analysis.
1948 published vulnerabilities · page 20 of 20
- CVE-2026-45278LOW 3.3
Nextcloud's user OIDC (OpenID Connect) module contains an open redirect vulnerability that allows attackers to craft malicious login links. When users click these links to authenticate via OIDC, they are redirected to attacker-controlled websites after logging in. This affects Nextcloud versions 6.1.0 through 8.2.1. The vulnerability has a low CVSS score because it requires user interaction and does not directly compromise confidentiality or availability.
- CVE-2026-45324LOW 3.3
Rizin, a reverse engineering framework used for binary analysis and code inspection, contains a double free vulnerability in its search functionality. This occurs when the same memory location is freed twice, potentially causing application crashes or unexpected behavior. The vulnerability requires physical access to the system and user interaction to trigger, making it a lower-risk issue in most operational environments.
- CVE-2026-45613LOW 3.3
Rizin, a reverse engineering framework used by security researchers and analysts, contains a heap buffer overflow vulnerability in its OMF (Object Module Format) file parsing code. An attacker could craft a malicious OMF binary file that, when opened by a user in Rizin, could read small amounts of sensitive data from the program's memory. This requires local access and user interaction—the user must deliberately open a malicious file.
- CVE-2026-47327LOW 3.3
CVE-2026-47327 is a denial-of-service vulnerability in Ubuntu Linux affecting versions 6.8, 6.17, and 7.0. A NULL pointer dereference in the AppArmor notification handling code allows any unprivileged local user to crash the kernel without authentication or special permissions. The attack requires only local system access and can be triggered with a single action, causing a kernel oops that disrupts availability but does not compromise confidentiality or integrity.
- CVE-2026-47329LOW 3.3
Ubuntu Linux versions 6.8, 6.17, and 7.0 contain a flaw in SAUCE patches that handle AppArmor security notifications. The vulnerability stems from improper validation of the name field size in these notifications. An unprivileged local user can exploit this by sending crafted AppArmor responses that bypass validation checks, potentially leading to unexpected behavior in the kernel's handling of these security-related messages. This is a local-only issue with low severity impact.
- CVE-2026-47330LOW 3.3
CVE-2026-47330 is a local privilege escalation and cache poisoning vulnerability affecting Ubuntu Linux systems with AppArmor SAUCE patches. An unprivileged user can trigger uninitialized variable handling in AppArmor's notification code, causing incorrect caching of security policy responses. While the CVSS score is low (3.3), the issue undermines AppArmor's integrity by allowing cache corruption that could affect subsequent policy enforcement decisions.
- CVE-2026-47336LOW 3.3
Ubuntu Linux 6.8 has a bug in its AppArmor security module that could allow an unprivileged local user to bypass or weaken network socket access controls. The issue stems from an uninitialized variable in the code that mediates AF_INET and AF_INET6 (IPv4 and IPv6) socket access. While the vulnerability requires local access and does not enable data theft or system crashes, it undermines the purpose of AppArmor's fine-grained network policy enforcement, potentially allowing a local user to perform network operations that should have been restricted.
- CVE-2026-47337LOW 3.3
A NULL pointer dereference flaw in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user to crash the kernel. The vulnerability exists in socket mediation code that handles both IPv4 and IPv6 traffic. While the flaw itself does not enable data theft or system compromise, it can be exploited to cause a denial of service by forcing a kernel panic, disrupting availability for all users on the affected system.
- CVE-2026-48156LOW 3.3
pypdf, a popular open-source Python library for PDF handling, contains a vulnerability that allows an attacker to craft malicious PDF files that cause the library to consume excessive processing time during parsing. The issue stems from how pypdf processes cross-reference streams—a mechanism PDFs use to index internal objects—when they contain specific structural patterns. An attacker would need to trick a user or application into opening a specially crafted PDF, but once opened, the library can hang or freeze during PDF processing, resulting in a denial-of-service condition on that system.
- CVE-2026-49383LOW 3.3
CVE-2026-49383 is a low-severity vulnerability in JetBrains IntelliJ IDEA's UI Designer form parser that could allow local attackers to read sensitive information from a user's system. The vulnerability requires user interaction—specifically opening a malicious or compromised form file in the IDE—and affects versions prior to 2026.1. The exposure is limited to information disclosure; the vulnerability does not enable code execution or system modification.
- CVE-2024-42206LOW 3.1
HCL iReflection contains third-party components that are vulnerable and outdated, creating a potential integrity risk within the web application. An authenticated user with low privileges could potentially exploit this condition, though the attack surface is constrained by difficult environmental conditions and limited authentication requirements.
- CVE-2025-52608LOW 3.1
HCL iControl contains a cookie security misconfiguration that leaves session identifiers and authentication tokens vulnerable to interception and cross-site request forgery attacks. The vulnerability stems from the absence of the Secure and SameSite cookie attributes, combined with an overly permissive cookie path set to root. While the immediate risk is moderate, this configuration flaw can enable attackers to hijack user sessions or trick authenticated users into performing unintended actions.
- CVE-2025-52611LOW 3.1
HCL iControl v4.0.0 contains a vulnerability where the application crashes and exposes internal error messages, including stack traces, when certain code paths are triggered. The underlying cause is a programming error where the application attempts to access a property (the 'dashboard key') from an object that hasn't been properly initialized or is missing entirely. While an attacker would need valid login credentials to trigger this issue, the exposure of stack trace information could help them understand the application's internal structure and identify further attack vectors.
- CVE-2026-10011LOW 3.1
A flaw in Chrome's Skia graphics library could allow an attacker who has already compromised Chrome's renderer process to extract sensitive data from websites you visit. The attacker would need to serve you a specially crafted web page to perform the attack. While the underlying issue received a High severity rating from Chromium, the overall exploitability is limited because it requires both renderer compromise and user interaction, making it a low-risk vulnerability in practical terms.
- CVE-2026-10565LOW 3.1
A race condition vulnerability has been discovered in Open5GS versions up to 2.7.6 that affects the NGAP Handover security mode processing function. The flaw allows an authenticated attacker to trigger a timing-dependent race condition that results in a denial-of-service condition. While a public exploit exists, successful exploitation requires specific conditions and careful timing, making real-world attacks difficult to execute reliably.
- CVE-2026-10705LOW 3.1
Dask, a Python library for parallel computing and distributed data processing, contains a resource exhaustion vulnerability in its HyperLogLog (approximate distinct count) functionality. An authenticated remote attacker can trigger excessive resource consumption through the nunique_approx function, potentially degrading system availability. The flaw requires significant attack complexity and specific preconditions, making real-world exploitation difficult despite being theoretically possible.
- CVE-2026-11240LOW 3.1
CVE-2026-11240 is a low-severity input validation flaw in Google Chrome's Loader component that allows a remote attacker to bypass the browser's site isolation security feature, but only if they have already compromised the renderer process. Site isolation is Chrome's defense mechanism that runs each website in a separate process to prevent one compromised site from accessing data from another. An attacker would need to deliver a specially crafted HTML page to exploit this, making it a post-compromise risk rather than a direct remote code execution vector. The vulnerability affects Chrome versions prior to 149.0.7827.53.
- CVE-2026-11244LOW 3.1
CVE-2026-11244 is a low-severity flaw in Google Chrome's WebAuthentication feature that allows inadequate validation of user-supplied input. An attacker with prior access to Chrome's renderer process—the component responsible for displaying web pages—could craft a malicious HTML page to circumvent the browser's same-origin policy, a fundamental security boundary that prevents scripts from one website accessing data from another. This is not a direct remote code execution and requires both renderer process compromise and user interaction to succeed.
- CVE-2026-11247LOW 3.1
A flaw in Google Chrome's CustomTabs feature on Android allows an attacker to leak data across website boundaries through a specially crafted webpage. The vulnerability requires user interaction and is difficult to exploit, affecting Android devices running Chrome versions before 149.0.7827.53. While the risk is low, it represents a potential privacy leak in a widely used mobile browser component.
- CVE-2026-11251LOW 3.1
A flaw in Chrome's password manager allows a sophisticated attacker to read stored password information if they can first compromise Chrome's renderer process through a malicious web page. The vulnerability requires multiple conditions to exploit: the attacker must already control the rendering engine, the user must interact with the page, and the attack surface is limited to sensitive credential disclosure. Chrome versions before 149.0.7827.53 are affected. This is not a zero-click issue and does not allow code execution or system-level access.
- CVE-2026-35193LOW 3.1
Django's cache middleware has a flaw that can leak private user data. When Django caches web responses, it's supposed to mark cached data as private (via the `Vary` header) if a request included authentication credentials. In Django 5.2 before version 5.2.15 and 6.0 before version 6.0.6, this protection doesn't work correctly. An attacker can make an unauthenticated request to the same URL a logged-in user visited, and Django may serve the cached private response—revealing sensitive information that should have been protected. Older Django versions (5.0.x, 4.1.x, 3.2.x) haven't been formally evaluated but may have the same problem.
- CVE-2026-40963LOW 3.1
Apache Airflow's UI structure_data endpoint was leaking metadata about linked workflows (DAGs) to users who shouldn't see them. An authenticated user with permission to view one workflow could discover the names and dependency relationships of other workflows they weren't authorized to access. This is a read-only information disclosure—no data modification or system disruption occurs—but it can undermine team isolation in multi-tenant Airflow deployments where workflow topology is considered sensitive.
- CVE-2026-45426LOW 3.1
Apache Airflow's log server uses a flawed string-matching approach to authorize workers' access to task logs. Instead of checking if a worker's JWT token matches a specific Dag name exactly, the system strips characters from the left side of requested Dag names in a way that can match multiple unintended Dags. An authenticated worker with a token for 'dag_a' could read logs from 'dag_attacker', 'aaaa_target', or '_dag_secret'—any Dag whose name starts with characters found in 'dag_a'. This breaks the intended per-Dag log isolation in multi-team environments.
- CVE-2026-45739LOW 3.1
Strawberry GraphQL, a popular library for building GraphQL APIs, has a flaw in its bundled GraphiQL interface (versions 0.288.4 through 0.315.3) where sensitive headers entered by developers are inadvertently exposed in the browser URL. When a developer pastes an authorization token or other credential into the GraphiQL headers editor, that value becomes part of the page URL and persists in browser history, shareable links, and server access logs. This creates a credential leakage risk if someone gains access to those logs or if links are shared. The issue has been patched in version 0.315.4.
- CVE-2026-48587LOW 3.1
Django's cache handling function has a flaw where whitespace in HTTP Vary headers isn't properly cleaned up before comparison. An attacker can exploit this by crafting requests that cause the application to serve cached responses intended for different users, potentially leaking sensitive information. The vulnerability affects Django 5.2 before version 5.2.15 and 6.0 before version 6.0.6, though older unsupported versions may also be vulnerable.
- CVE-2026-49380LOW 3.1
JetBrains TeamCity versions before 2026.1 contain an open redirect vulnerability in the SAML authentication plugin. An attacker could craft a malicious link that, when clicked by a user, redirects them to an attacker-controlled website after authentication. This requires user interaction and offers limited direct impact, but could be chained with phishing or credential harvesting tactics.
- CVE-2026-6873LOW 3.1
Django's signed cookie verification contains a cryptographic flaw in how it generates salts for cookie signatures. By exploiting collisions in salt derivation, an authenticated attacker can repurpose a legitimately signed cookie in an unintended context—for example, using a cookie signed for one feature to authenticate requests for a different feature. This is a low-severity issue requiring prior authentication and careful attack setup, but it undermines the integrity guarantee that signed cookies are meant to provide.
- CVE-2026-7666LOW 3.1
Django's email system has a vulnerability that can expose email content over the network under specific conditions. When Django is configured to silently ignore mail delivery errors (`fail_silently=True`) and a secure connection attempt fails, the system may reuse a partially-initialized connection that falls back to unencrypted communication. An attacker positioned on the network path between your application and the mail server could potentially read email content in transit. This requires multiple conditions to align: configuration settings, network positioning, and a failed STARTTLS handshake.
- CVE-2026-8404LOW 3.1
Django's cache middleware has a case-sensitivity bug in how it reads `Cache-Control` directives. When a web application uses uppercase or mixed-case values in `Cache-Control` headers (e.g., `PRIVATE` instead of `private`), the middleware fails to recognize them as valid directives. This causes responses that should not be cached to be cached anyway, potentially exposing sensitive data to unauthorized users who can trigger cache hits.
- CVE-2026-9920LOW 3.1
Google Chrome on Android contains a vulnerability in GPU memory handling that could allow an attacker who has already compromised the browser's renderer process to access sensitive data from websites that should be isolated from each other. The vulnerability stems from uninitialized memory in the GPU code path, which under specific conditions could leak cross-origin data through a malicious webpage. This requires the renderer process to be compromised first, making it a secondary exploitation step rather than a direct entry point.
- CVE-2026-9944LOW 3.1
CVE-2026-9944 is a memory safety issue in the ANGLE graphics library used by Google Chrome. An attacker who has already compromised Chrome's renderer process can craft a malicious webpage to leak sensitive data from other websites or origins. The vulnerability requires the renderer to be compromised first, limiting the attack surface, but the data leakage potential is real once that initial foothold exists. Chrome versions before 148.0.7778.216 are vulnerable on Windows, macOS, and Linux.
- CVE-2026-9950LOW 3.1
A same-origin policy bypass vulnerability exists in Google Chrome on iOS versions prior to 148.0.7778.216. The flaw stems from insufficient validation of untrusted input that allows an attacker who has already compromised Chrome's renderer process to craft a malicious HTML page that circumvents browser security boundaries. This means an attacker could potentially access data or perform actions from a different website origin than the one a user is visiting, but only if the renderer process has already been compromised through another attack vector.
- CVE-2026-9959LOW 3.1
A race condition in WebRTC functionality within Google Chrome on Windows allows an attacker to leak data across origin boundaries. The vulnerability requires user interaction (clicking on a crafted HTML page) and is difficult to exploit reliably due to timing constraints. While the underlying issue is rated High severity by Chromium, the CVSS 3.1 score of 3.1 reflects the practical barriers to exploitation and limited scope—an attacker can extract sensitive information, but cannot modify data or disrupt service.
- CVE-2026-9991LOW 3.1
A vulnerability in Google Chrome's media handling on Windows allows an attacker who has already compromised the browser's renderer process to extract sensitive data across security boundaries. The attacker would need to host a malicious webpage and trick a user into visiting it while the renderer is already under their control. The exposure is information disclosure—no system takeover or crashes—and the barrier to exploitation is relatively high because the attacker must first achieve renderer compromise.
- CVE-2026-10078LOW 2.7
Quay's config-tool contains a flaw in how it handles GitLab OAuth setup. When administrators configure GitLab as an identity provider, sensitive credentials (client ID and secret) are passed in plaintext within the URL query string of POST requests. This is problematic because these credentials can be logged by web servers, reverse proxies, load balancers, and monitoring systems—anywhere that records HTTP request details. An attacker who gains access to these logs could extract the credentials and impersonate Quay's OAuth client to GitLab, potentially gaining unauthorized access to repositories or other GitLab resources.
- CVE-2026-44367LOW 2.7
Klaw, a Kafka topic management and governance platform, contains a vulnerability in how it handles usernames during registration and login. The system doesn't consistently apply case sensitivity rules—treating 'Admin' and 'admin' as different or the same depending on the operation—which allows authenticated users with administrative privileges to deliberately lock out accounts or trigger denial of service conditions. This is a low-severity issue requiring administrative access to exploit, but it can impact operational availability if administrators use it maliciously or if the inconsistency is exploited in targeted attacks. The flaw was fixed in version 2.10.4.
- CVE-2026-45076LOW 2.7
Synapse, an open-source Matrix homeserver implementation used for federated messaging, contains a flaw in how it handles room history in cross-server deployments. Malicious homeservers can craft specially formed room events that cause Synapse instances to withhold historical messages from clients requesting older conversation data. Users may see incomplete chat histories or missing messages when paginating through room archives. This is a low-severity issue because it requires a compromised or malicious federated peer and affects data availability rather than confidentiality or integrity.
- CVE-2026-45154LOW 2.6
Nextcloud, an open-source content collaboration platform, contains a flaw affecting versions 2.6.0 through 4.2.x that allows guest users to retrieve deleted collaborative pages from the trash when the parent collective is shared in view-only mode. An attacker with guest access could circumvent intended deletion by directly accessing removed content, though the exposure is limited to information disclosure and requires prior access to the shared collective. The vulnerability has been resolved in version 4.3.0.
- CVE-2026-45155LOW 2.6
Nextcloud Server contains a flaw in its circles feature that allows authenticated users to add unknown circles to other circles by directly referencing their IDs, potentially enabling membership tracking. While circle IDs are designed with high complexity (62^15 combinations), if an attacker obtains a valid circle ID through other means, they could exploit this missing access control. The vulnerability requires an authenticated session and user interaction to exploit, making opportunistic attacks unlikely but targeted attacks possible if circle IDs are discovered.
- CVE-2026-10783LOW 2.5
A weakness in Gradio 6.14.0's audio caching function allows a local user with limited privileges to potentially access confidential information through use of a weak cryptographic hash. The attack is technically difficult to execute and requires hands-on access to the system. While a public exploit exists, real-world exploitation remains unlikely due to high complexity requirements and low impact scope.
- CVE-2026-10112LOW 2.4
CVE-2026-10112 is a stored or reflected cross-site scripting (XSS) vulnerability in the Dashboard Page component of STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker with high privileges can inject malicious scripts through the Name parameter, which are then executed in the browsers of users who view the affected page. The vulnerability requires user interaction and has a low CVSS score of 2.4, but exploitation has already been disclosed publicly.
- CVE-2026-10514LOW 2.4
A cross-site scripting (XSS) vulnerability exists in CordysCRM versions up to 1.6.2. The flaw is located in a request parameter handling component and allows attackers with administrative privileges to inject malicious scripts that execute in users' browsers. While public exploit code is available, the attack requires both high-level credentials and user interaction (such as clicking a malicious link), significantly limiting real-world risk. Upgrading to version 1.7.0 resolves the issue.
- CVE-2026-10529LOW 2.4
A cross-site scripting (XSS) vulnerability has been discovered in westboy CicadasCMS affecting the Task Scheduling Management Module. The flaw exists in the ScheduleJobController component and can be triggered by an authenticated user with elevated privileges through a specially crafted request. While the vulnerability requires administrative or high-privilege access to exploit, the presence of user interaction (rendering) combined with public availability of exploit details elevates attention. The CMS uses a rolling release model, making definitive version tracking difficult, though the affected commit hash has been identified.
- CVE-2026-49317LOW 2.4
The 2025 Indian Motorcycle Scout Bobber + Tech infotainment system has a logic flaw in how it initializes during boot. The system is supposed to require a PIN to unlock, but it uses a problematic shortcut: it checks whether it detects wireless messages from the motorcycle's Wireless Control Module (WCM) during startup. If those messages are absent, the system assumes no immobilizer is present and skips the PIN screen entirely, granting immediate access to the infotainment interface. An attacker with adjacent network access can silence the WCM during the boot window—using techniques like a CAN bus-off attack—to trick the system into thinking the immobilizer is not installed, thereby bypassing the PIN protection that should guard the interface.
- CVE-2026-49318LOW 2.4
A flaw in the 2025 Indian Motorcycle Scout Bobber + Tech's infotainment system allows someone with physical proximity to the motorcycle to unlock the digital display without entering the correct PIN. The system incorrectly assumes that if it doesn't detect wireless signals from a control module during startup, no security PIN is needed. An attacker can exploit this by blocking those signals during the boot process, causing the system to skip the PIN screen entirely and display the full user interface.
- CVE-2026-50266LOW 2.2
A flaw in OpenStack Neutron versions before 28.0.1 allows project managers to perform network spoofing attacks on shared networks. The vulnerability stems from overly permissive role-based access control (RBAC) policies that allow any project manager to create or modify ports on networks they don't own, and crucially, to assign those ports special "trusted" network service identities (like DHCP servers). This bypasses normal anti-spoofing rules and security group protections, enabling attackers to spoof DHCP, MAC, or IP addresses to target other tenants sharing the same network. This is a reintroduction of a vulnerability that was supposedly fixed nearly a decade ago.
- CVE-2026-45403LOW 2.0
AnythingLLM versions before 1.13.0 contain a path traversal vulnerability in the agent filesystem copy tool. When copying files, the application only validates the top-level source and destination directories but fails to validate nested files or reject symbolic links. An attacker with high privileges could create or exploit a symlink nested within an allowed source directory to read files outside the intended filesystem boundaries and copy them to an allowed destination, potentially exposing sensitive data. The vulnerability requires high user privileges, complex conditions, and user interaction to exploit, making practical real-world abuse unlikely despite the core weakness.
- CVE-2026-47713LOW 2.0
AnythingLLM versions before 1.13.0 contain a token persistence flaw that can leak sensitive data when administrators migrate from single-user to multi-user mode. A mobile device token issued in single-user mode may remain valid after the migration, allowing it to bypass user-scoping controls and access workspaces and chat content belonging to other users. The vulnerability requires an attacker to have had a legitimate mobile device token before the migration, then exploit it post-migration in the multi-user environment.