By year

Vulnerabilities disclosed in 2026

CVEs published in 2026 with SEC.co analysis.

2448 published vulnerabilities · page 25 of 25

  • CVE-2026-11240LOW 3.1

    CVE-2026-11240 is a low-severity input validation flaw in Google Chrome's Loader component that allows a remote attacker to bypass the browser's site isolation security feature, but only if they have already compromised the renderer process. Site isolation is Chrome's defense mechanism that runs each website in a separate process to prevent one compromised site from accessing data from another. An attacker would need to deliver a specially crafted HTML page to exploit this, making it a post-compromise risk rather than a direct remote code execution vector. The vulnerability affects Chrome versions prior to 149.0.7827.53.

  • CVE-2026-11244LOW 3.1

    CVE-2026-11244 is a low-severity flaw in Google Chrome's WebAuthentication feature that allows inadequate validation of user-supplied input. An attacker with prior access to Chrome's renderer process—the component responsible for displaying web pages—could craft a malicious HTML page to circumvent the browser's same-origin policy, a fundamental security boundary that prevents scripts from one website accessing data from another. This is not a direct remote code execution and requires both renderer process compromise and user interaction to succeed.

  • CVE-2026-11247LOW 3.1

    A flaw in Google Chrome's CustomTabs feature on Android allows an attacker to leak data across website boundaries through a specially crafted webpage. The vulnerability requires user interaction and is difficult to exploit, affecting Android devices running Chrome versions before 149.0.7827.53. While the risk is low, it represents a potential privacy leak in a widely used mobile browser component.

  • CVE-2026-11251LOW 3.1

    A flaw in Chrome's password manager allows a sophisticated attacker to read stored password information if they can first compromise Chrome's renderer process through a malicious web page. The vulnerability requires multiple conditions to exploit: the attacker must already control the rendering engine, the user must interact with the page, and the attack surface is limited to sensitive credential disclosure. Chrome versions before 149.0.7827.53 are affected. This is not a zero-click issue and does not allow code execution or system-level access.

  • CVE-2026-11464LOW 3.1

    JeecgBoot versions up to 3.9.2 contain a vulnerability in the User List Endpoint that allows authenticated users to disclose sensitive information by manipulating a salt parameter. An attacker with valid credentials can exploit this flaw to access restricted data, though doing so requires specific conditions and technical knowledge. A fix is planned for a future release.

  • CVE-2026-11465LOW 3.1

    A logic flaw exists in songquanpeng one-api versions up to 0.6.11-preview.7 that affects the redemption code top-up functionality. An authenticated attacker with specific knowledge of the system could bypass or manipulate the business logic governing how redemption codes are processed, potentially allowing unauthorized credit issuance or redemption manipulation. The attack is complex to execute and requires an active user account, making widespread exploitation unlikely in typical deployments.

  • CVE-2026-11502LOW 3.1

    JeecgBoot versions up to 3.9.2 contain an open redirect vulnerability in the third-party login flow. When users are directed to log in via OAuth providers like DingTalk or WeChat, an attacker can manipulate the state parameter to redirect victims to a malicious website after authentication. The attack requires social engineering—tricking a user into clicking a specially crafted login link—and only affects deployments that have enabled third-party login functionality.

  • CVE-2026-11675LOW 3.1

    Google Chrome contained a memory reading vulnerability in its Skia graphics library that could allow an attacker to steal sensitive data from other websites. The attacker would first need to compromise Chrome's renderer process—the sandboxed component that handles web page rendering—and then trick a user into visiting a specially crafted webpage. If successful, the flaw could leak cross-origin data, meaning information from a different website than the one the user thought they were visiting. This vulnerability affects Chrome versions prior to 149.0.7827.103 across Windows, macOS, and Linux systems.

  • CVE-2026-11684LOW 3.1

    A policy enforcement gap in Google Chrome's Network component allowed attackers who had already compromised Chrome's utility process to steal cross-origin data by serving a specially crafted HTML page. This is a post-compromise attack where the attacker has already gained some level of access to the browser process itself, then exploits this weakness to read data that should be isolated between different websites.

  • CVE-2026-11686LOW 3.1

    A flaw in Google Chrome's Dawn graphics library on macOS allows an attacker who has already compromised the browser's renderer process to trick the system into leaking data from other websites. The vulnerability requires the attacker to already have control over the renderer and the user to interact with a malicious webpage, making it a limited but real risk in scenarios where renderer escapes are already being exploited.

  • CVE-2026-11691LOW 3.1

    Google Chrome contained a flaw in its New Tab Page that could allow attackers who had already compromised Chrome's renderer process to steal data from websites across different origins. The vulnerability required an attacker to have already broken into the renderer—the sandboxed component that runs web content—and then trick a user into visiting a malicious HTML page. While the Chromium security team rated this High severity internally, the calculated CVSS score is Low (3.1) because the attack requires both prior renderer compromise and user interaction.

  • CVE-2026-35193LOW 3.1

    Django's cache middleware has a flaw that can leak private user data. When Django caches web responses, it's supposed to mark cached data as private (via the `Vary` header) if a request included authentication credentials. In Django 5.2 before version 5.2.15 and 6.0 before version 6.0.6, this protection doesn't work correctly. An attacker can make an unauthenticated request to the same URL a logged-in user visited, and Django may serve the cached private response—revealing sensitive information that should have been protected. Older Django versions (5.0.x, 4.1.x, 3.2.x) haven't been formally evaluated but may have the same problem.

  • CVE-2026-40963LOW 3.1

    Apache Airflow's UI structure_data endpoint was leaking metadata about linked workflows (DAGs) to users who shouldn't see them. An authenticated user with permission to view one workflow could discover the names and dependency relationships of other workflows they weren't authorized to access. This is a read-only information disclosure—no data modification or system disruption occurs—but it can undermine team isolation in multi-tenant Airflow deployments where workflow topology is considered sensitive.

  • CVE-2026-45426LOW 3.1

    Apache Airflow's log server uses a flawed string-matching approach to authorize workers' access to task logs. Instead of checking if a worker's JWT token matches a specific Dag name exactly, the system strips characters from the left side of requested Dag names in a way that can match multiple unintended Dags. An authenticated worker with a token for 'dag_a' could read logs from 'dag_attacker', 'aaaa_target', or '_dag_secret'—any Dag whose name starts with characters found in 'dag_a'. This breaks the intended per-Dag log isolation in multi-team environments.

  • CVE-2026-45739LOW 3.1

    Strawberry GraphQL, a popular library for building GraphQL APIs, has a flaw in its bundled GraphiQL interface (versions 0.288.4 through 0.315.3) where sensitive headers entered by developers are inadvertently exposed in the browser URL. When a developer pastes an authorization token or other credential into the GraphiQL headers editor, that value becomes part of the page URL and persists in browser history, shareable links, and server access logs. This creates a credential leakage risk if someone gains access to those logs or if links are shared. The issue has been patched in version 0.315.4.

  • CVE-2026-48102LOW 3.1

    7-Zip versions 9.11 through 26.00 contain a flaw in how they parse UDF (Universal Disk Format) disc images—used in .iso and .udf files. When processing certain malformed UDF file structures, the parser reads 1 to 3 bytes beyond the allocated memory buffer. This out-of-bounds read occurs during the file open operation and can reveal small amounts of memory content or cause the application to crash. The vulnerability requires user interaction (opening a crafted archive) and affects only information disclosure and stability, not file integrity or system compromise.

  • CVE-2026-48587LOW 3.1

    Django's cache handling function has a flaw where whitespace in HTTP Vary headers isn't properly cleaned up before comparison. An attacker can exploit this by crafting requests that cause the application to serve cached responses intended for different users, potentially leaking sensitive information. The vulnerability affects Django 5.2 before version 5.2.15 and 6.0 before version 6.0.6, though older unsupported versions may also be vulnerable.

  • CVE-2026-49380LOW 3.1

    JetBrains TeamCity versions before 2026.1 contain an open redirect vulnerability in the SAML authentication plugin. An attacker could craft a malicious link that, when clicked by a user, redirects them to an attacker-controlled website after authentication. This requires user interaction and offers limited direct impact, but could be chained with phishing or credential harvesting tactics.

  • CVE-2026-6873LOW 3.1

    Django's signed cookie verification contains a cryptographic flaw in how it generates salts for cookie signatures. By exploiting collisions in salt derivation, an authenticated attacker can repurpose a legitimately signed cookie in an unintended context—for example, using a cookie signed for one feature to authenticate requests for a different feature. This is a low-severity issue requiring prior authentication and careful attack setup, but it undermines the integrity guarantee that signed cookies are meant to provide.

  • CVE-2026-7666LOW 3.1

    Django's email system has a vulnerability that can expose email content over the network under specific conditions. When Django is configured to silently ignore mail delivery errors (`fail_silently=True`) and a secure connection attempt fails, the system may reuse a partially-initialized connection that falls back to unencrypted communication. An attacker positioned on the network path between your application and the mail server could potentially read email content in transit. This requires multiple conditions to align: configuration settings, network positioning, and a failed STARTTLS handshake.

  • CVE-2026-8404LOW 3.1

    Django's cache middleware has a case-sensitivity bug in how it reads `Cache-Control` directives. When a web application uses uppercase or mixed-case values in `Cache-Control` headers (e.g., `PRIVATE` instead of `private`), the middleware fails to recognize them as valid directives. This causes responses that should not be cached to be cached anyway, potentially exposing sensitive data to unauthorized users who can trigger cache hits.

  • CVE-2026-9920LOW 3.1

    Google Chrome on Android contains a vulnerability in GPU memory handling that could allow an attacker who has already compromised the browser's renderer process to access sensitive data from websites that should be isolated from each other. The vulnerability stems from uninitialized memory in the GPU code path, which under specific conditions could leak cross-origin data through a malicious webpage. This requires the renderer process to be compromised first, making it a secondary exploitation step rather than a direct entry point.

  • CVE-2026-9944LOW 3.1

    CVE-2026-9944 is a memory safety issue in the ANGLE graphics library used by Google Chrome. An attacker who has already compromised Chrome's renderer process can craft a malicious webpage to leak sensitive data from other websites or origins. The vulnerability requires the renderer to be compromised first, limiting the attack surface, but the data leakage potential is real once that initial foothold exists. Chrome versions before 148.0.7778.216 are vulnerable on Windows, macOS, and Linux.

  • CVE-2026-9950LOW 3.1

    A same-origin policy bypass vulnerability exists in Google Chrome on iOS versions prior to 148.0.7778.216. The flaw stems from insufficient validation of untrusted input that allows an attacker who has already compromised Chrome's renderer process to craft a malicious HTML page that circumvents browser security boundaries. This means an attacker could potentially access data or perform actions from a different website origin than the one a user is visiting, but only if the renderer process has already been compromised through another attack vector.

  • CVE-2026-9959LOW 3.1

    A race condition in WebRTC functionality within Google Chrome on Windows allows an attacker to leak data across origin boundaries. The vulnerability requires user interaction (clicking on a crafted HTML page) and is difficult to exploit reliably due to timing constraints. While the underlying issue is rated High severity by Chromium, the CVSS 3.1 score of 3.1 reflects the practical barriers to exploitation and limited scope—an attacker can extract sensitive information, but cannot modify data or disrupt service.

  • CVE-2026-9991LOW 3.1

    A vulnerability in Google Chrome's media handling on Windows allows an attacker who has already compromised the browser's renderer process to extract sensitive data across security boundaries. The attacker would need to host a malicious webpage and trick a user into visiting it while the renderer is already under their control. The exposure is information disclosure—no system takeover or crashes—and the barrier to exploitation is relatively high because the attacker must first achieve renderer compromise.

  • CVE-2026-10078LOW 2.7

    Quay's config-tool contains a flaw in how it handles GitLab OAuth setup. When administrators configure GitLab as an identity provider, sensitive credentials (client ID and secret) are passed in plaintext within the URL query string of POST requests. This is problematic because these credentials can be logged by web servers, reverse proxies, load balancers, and monitoring systems—anywhere that records HTTP request details. An attacker who gains access to these logs could extract the credentials and impersonate Quay's OAuth client to GitLab, potentially gaining unauthorized access to repositories or other GitLab resources.

  • CVE-2026-44367LOW 2.7

    Klaw, a Kafka topic management and governance platform, contains a vulnerability in how it handles usernames during registration and login. The system doesn't consistently apply case sensitivity rules—treating 'Admin' and 'admin' as different or the same depending on the operation—which allows authenticated users with administrative privileges to deliberately lock out accounts or trigger denial of service conditions. This is a low-severity issue requiring administrative access to exploit, but it can impact operational availability if administrators use it maliciously or if the inconsistency is exploited in targeted attacks. The flaw was fixed in version 2.10.4.

  • CVE-2026-45076LOW 2.7

    Synapse, an open-source Matrix homeserver implementation used for federated messaging, contains a flaw in how it handles room history in cross-server deployments. Malicious homeservers can craft specially formed room events that cause Synapse instances to withhold historical messages from clients requesting older conversation data. Users may see incomplete chat histories or missing messages when paginating through room archives. This is a low-severity issue because it requires a compromised or malicious federated peer and affects data availability rather than confidentiality or integrity.

  • CVE-2026-9088LOW 2.7

    Keycloak contains a flaw in how it enforces user profile visibility rules for delegated administrators. An admin with permission to view group memberships and users can circumvent access controls by querying the group members endpoint, allowing them to see sensitive user attributes that should be hidden from them. This is a controlled-access issue—the attack requires administrative privileges and does not affect regular users or public-facing functionality.

  • CVE-2026-45154LOW 2.6

    Nextcloud, an open-source content collaboration platform, contains a flaw affecting versions 2.6.0 through 4.2.x that allows guest users to retrieve deleted collaborative pages from the trash when the parent collective is shared in view-only mode. An attacker with guest access could circumvent intended deletion by directly accessing removed content, though the exposure is limited to information disclosure and requires prior access to the shared collective. The vulnerability has been resolved in version 4.3.0.

  • CVE-2026-45155LOW 2.6

    Nextcloud Server contains a flaw in its circles feature that allows authenticated users to add unknown circles to other circles by directly referencing their IDs, potentially enabling membership tracking. While circle IDs are designed with high complexity (62^15 combinations), if an attacker obtains a valid circle ID through other means, they could exploit this missing access control. The vulnerability requires an authenticated session and user interaction to exploit, making opportunistic attacks unlikely but targeted attacks possible if circle IDs are discovered.

  • CVE-2026-10783LOW 2.5

    A weakness in Gradio 6.14.0's audio caching function allows a local user with limited privileges to potentially access confidential information through use of a weak cryptographic hash. The attack is technically difficult to execute and requires hands-on access to the system. While a public exploit exists, real-world exploitation remains unlikely due to high complexity requirements and low impact scope.

  • CVE-2026-11481LOW 2.5

    A weakness in the grepai project (versions up to 0.35.0) allows a local user with login privileges to manipulate how the Postgres Embedding Cache stores and retrieves content hashes, potentially causing the system to use weak cryptographic hashing. The vulnerability requires significant technical knowledge to exploit and poses limited immediate risk, but should be addressed through the pending patch once merged.

  • CVE-2026-10112LOW 2.4

    CVE-2026-10112 is a stored or reflected cross-site scripting (XSS) vulnerability in the Dashboard Page component of STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker with high privileges can inject malicious scripts through the Name parameter, which are then executed in the browsers of users who view the affected page. The vulnerability requires user interaction and has a low CVSS score of 2.4, but exploitation has already been disclosed publicly.

  • CVE-2026-10514LOW 2.4

    A cross-site scripting (XSS) vulnerability exists in CordysCRM versions up to 1.6.2. The flaw is located in a request parameter handling component and allows attackers with administrative privileges to inject malicious scripts that execute in users' browsers. While public exploit code is available, the attack requires both high-level credentials and user interaction (such as clicking a malicious link), significantly limiting real-world risk. Upgrading to version 1.7.0 resolves the issue.

  • CVE-2026-10529LOW 2.4

    A cross-site scripting (XSS) vulnerability has been discovered in westboy CicadasCMS affecting the Task Scheduling Management Module. The flaw exists in the ScheduleJobController component and can be triggered by an authenticated user with elevated privileges through a specially crafted request. While the vulnerability requires administrative or high-privilege access to exploit, the presence of user interaction (rendering) combined with public availability of exploit details elevates attention. The CMS uses a rolling release model, making definitive version tracking difficult, though the affected commit hash has been identified.

  • CVE-2026-11338LOW 2.4

    A reflected cross-site scripting (XSS) vulnerability exists in SourceCodester Ship Ferry Ticket Reservation System version 1.0. An authenticated administrative user with high privileges can inject malicious JavaScript into the Username parameter on the user management page, which executes in the browsers of other users who view the manipulated content. The vulnerability requires user interaction and administrative access to trigger, limiting its immediate exposure but potentially enabling unauthorized account manipulation or credential theft within administrative workflows.

  • CVE-2026-11434LOW 2.4

    FluentCMS version 0.0.5 contains a cross-site scripting (XSS) vulnerability in its Blocks Plugin, specifically within the /admin/blocks file. An authenticated administrator with high privileges can inject malicious scripts that execute in the browsers of other users viewing the affected page. The vulnerability requires user interaction (such as clicking a link) to trigger. Public exploit code is available, though the low CVSS score reflects the requirement for high-privilege authentication and user interaction to succeed.

  • CVE-2026-11468LOW 2.4

    A cross-site scripting (XSS) vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. An authenticated administrator with high privileges can inject malicious scripts through the room_types page by manipulating the room parameter. When another user visits the affected page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or malware distribution. The vulnerability requires both administrative access to initiate the attack and user interaction (clicking a link or visiting a crafted URL) for the payload to execute. While the CVSS score is low, the healthcare context and potential for patient data exposure warrant careful attention.

  • CVE-2026-11491LOW 2.4

    CodeAstro Human Resource Management System version 1.0 contains a stored cross-site scripting (XSS) vulnerability in its Notice Board Management feature. An attacker with high privileges can inject malicious JavaScript into the Notice Title field, which is then executed in the browsers of other users viewing that notice. The vulnerability requires user interaction (a victim must view the affected notice) and has already been disclosed publicly with exploit code available.

  • CVE-2026-41986LOW 2.4

    CVE-2026-41986 is a logic bypass vulnerability affecting file system operations. An attacker with physical access to a system could exploit this flaw to disrupt availability—for example, by manipulating file system behavior to cause denial of service. The vulnerability requires direct physical interaction with the machine and carries a low severity rating. The primary concern is operational disruption rather than data theft or system compromise.

  • CVE-2026-49317LOW 2.4

    The 2025 Indian Motorcycle Scout Bobber + Tech infotainment system has a logic flaw in how it initializes during boot. The system is supposed to require a PIN to unlock, but it uses a problematic shortcut: it checks whether it detects wireless messages from the motorcycle's Wireless Control Module (WCM) during startup. If those messages are absent, the system assumes no immobilizer is present and skips the PIN screen entirely, granting immediate access to the infotainment interface. An attacker with adjacent network access can silence the WCM during the boot window—using techniques like a CAN bus-off attack—to trick the system into thinking the immobilizer is not installed, thereby bypassing the PIN protection that should guard the interface.

  • CVE-2026-49318LOW 2.4

    A flaw in the 2025 Indian Motorcycle Scout Bobber + Tech's infotainment system allows someone with physical proximity to the motorcycle to unlock the digital display without entering the correct PIN. The system incorrectly assumes that if it doesn't detect wireless signals from a control module during startup, no security PIN is needed. An attacker can exploit this by blocking those signals during the boot process, causing the system to skip the PIN screen entirely and display the full user interface.

  • CVE-2026-50266LOW 2.2

    A flaw in OpenStack Neutron versions before 28.0.1 allows project managers to perform network spoofing attacks on shared networks. The vulnerability stems from overly permissive role-based access control (RBAC) policies that allow any project manager to create or modify ports on networks they don't own, and crucially, to assign those ports special "trusted" network service identities (like DHCP servers). This bypasses normal anti-spoofing rules and security group protections, enabling attackers to spoof DHCP, MAC, or IP addresses to target other tenants sharing the same network. This is a reintroduction of a vulnerability that was supposedly fixed nearly a decade ago.

  • CVE-2026-45403LOW 2.0

    AnythingLLM versions before 1.13.0 contain a path traversal vulnerability in the agent filesystem copy tool. When copying files, the application only validates the top-level source and destination directories but fails to validate nested files or reject symbolic links. An attacker with high privileges could create or exploit a symlink nested within an allowed source directory to read files outside the intended filesystem boundaries and copy them to an allowed destination, potentially exposing sensitive data. The vulnerability requires high user privileges, complex conditions, and user interaction to exploit, making practical real-world abuse unlikely despite the core weakness.

  • CVE-2026-47713LOW 2.0

    AnythingLLM versions before 1.13.0 contain a token persistence flaw that can leak sensitive data when administrators migrate from single-user to multi-user mode. A mobile device token issued in single-user mode may remain valid after the migration, allowing it to bypass user-scoping controls and access workspaces and chat content belonging to other users. The vulnerability requires an attacker to have had a legitimate mobile device token before the migration, then exploit it post-migration in the multi-user environment.

  • CVE-2026-11786LOW 1.9

    A parsing flaw in 389 Directory Server can cause the LDIF (LDAP Data Interchange Format) parser to read past the boundary of allocated memory when it encounters attribute types ending with semicolons during database imports. The defect is detectable only under memory instrumentation tools (such as AddressSanitizer) and does not cause immediate functional failure or crashes under normal operation. This is a low-severity out-of-bounds read affecting local, high-privileged operations.