By year
Vulnerabilities disclosed in 2026
CVEs published in 2026 with SEC.co analysis.
2772 published vulnerabilities · page 27 of 28
- CVE-2026-9911MEDIUM 4.3
CVE-2026-9911 is a memory safety issue in the ANGLE graphics library used by Google Chrome. When a user visits a specially crafted webpage, an attacker can read small amounts of sensitive data from the browser's memory. The vulnerability requires user interaction—visiting the malicious page—but needs no special permissions or browser configuration to exploit. While the data exposure is limited in scope, it could leak sensitive information like passwords, tokens, or cached credentials stored in memory.
- CVE-2026-9913MEDIUM 4.3
A flaw in the ANGLE graphics library component of Google Chrome prior to version 148.0.7778.216 could allow an attacker to access memory outside intended bounds when a user visits a malicious website. The vulnerability requires user interaction (visiting a crafted page) but does not require special privileges. Potential impacts include disclosure of sensitive information, though the attacker cannot modify data or crash the browser directly through this flaw.
- CVE-2026-9919MEDIUM 4.3
A WebGL processing flaw in Google Chrome for Android allows attackers to read data they shouldn't have access to by tricking users into visiting a malicious webpage. The vulnerability exists in how Chrome handles certain graphics operations and can leak information across website boundaries, but only affects the Android version of Chrome and requires user interaction to exploit.
- CVE-2026-9921MEDIUM 4.3
Google Chrome on Android contains a flaw in its WebGL graphics processing where memory buffers may not be properly initialized before use. An attacker can exploit this by crafting a malicious HTML page that, when visited, allows them to read sensitive information from other websites—a cross-origin data leak. The vulnerability requires user interaction (clicking a link or viewing a page) but does not require special privileges or complex attack setup.
- CVE-2026-9929MEDIUM 4.3
A flaw in how Google Chrome on Android handles WebGL—a technology that enables 3D graphics in web browsers—could allow an attacker to trick a user into visiting a malicious webpage and expose data from other websites the user has open. The attacker cannot force this to happen; the user must interact with the page, such as by clicking or scrolling. This is a cross-origin data leak, meaning sensitive information from one domain could become visible to JavaScript code running on an attacker's domain.
- CVE-2026-9930MEDIUM 4.3
An out-of-bounds write vulnerability exists in the Dawn graphics component of Google Chrome on macOS. An attacker can craft a malicious HTML page that, when viewed by a user, writes data to memory locations outside the intended bounds of a buffer. This memory corruption could allow an attacker to modify sensitive data or potentially achieve code execution, though the CVSS assessment indicates the integrity impact is limited. The vulnerability requires user interaction—the victim must visit or be directed to the malicious page—and affects Chrome versions prior to 148.0.7778.216 on macOS.
- CVE-2026-9935MEDIUM 4.3
CVE-2026-9935 is a memory safety issue in Google Chrome's ANGLE graphics library that allows attackers to steal sensitive data from other websites. When you visit a malicious webpage, an attacker can craft it to leak information that should be isolated to other sites you have open. The vulnerability requires user interaction—you must visit the attack page—but the bar for exploitation is otherwise low. Google has classified this as High severity internally, though the CVSS score reflects a more limited scope.
- CVE-2026-9943MEDIUM 4.3
A memory access flaw in Google Chrome's WebGL implementation on Android allows attackers to read data from other websites through a specially crafted web page. When a user visits the malicious page, the attacker can extract information (such as authentication tokens, session cookies, or sensitive content) from sites the user is logged into. This is a cross-origin data leak—meaning the attacker can access information meant to be isolated to other domains.
- CVE-2026-9955MEDIUM 4.3
A vulnerability in Google Chrome on iOS versions before 148.0.7778.216 allows attackers to extract sensitive information from websites the user visits. An attacker would craft a malicious webpage and trick a user into visiting it; the page can then read data intended to be private to other websites. This is a cross-origin data leak—a violation of the browser's same-origin policy that normally prevents websites from accessing each other's information.
- CVE-2026-11479MEDIUM 4.2
A weakness in the grepai hash implementation allows authenticated users to manipulate how files are indexed and chunked in the Qdrant backend, potentially corrupting data integrity or availability. The vulnerability requires login credentials and involves complex exploitation techniques, making opportunistic attacks unlikely. A fix has been proposed but not yet merged into the main codebase.
- CVE-2026-24315MEDIUM 4.2
SAP Fiori Launchpad contains a URL-crafting vulnerability that allows attackers to trigger unauthorized service calls within the Fiori application domain. When a user clicks a malicious link, the attacker can potentially steal credentials or compromise the user's account. The attack requires the attacker to have detailed knowledge of the system and depends on user interaction—the vulnerability cannot be exploited remotely without a victim opening the malicious URL.
- CVE-2026-41839MEDIUM 4.2
Spring Framework versions 5.3, 6.1, 6.2, and 7.0 contain a session management flaw in WebFlux applications. If an attacker first compromises a subdomain (through XSS or similar attack), they can trade a known session ID for one belonging to an authenticated user, potentially gaining unauthorized access to that user's account or data. The flaw requires two conditions: initial subdomain compromise and user interaction, which limits its immediate exploitability but remains a meaningful risk in multi-tenant or loosely-segmented environments.
- CVE-2026-41844MEDIUM 4.2
CVE-2026-41844 is a redirect vulnerability in Spring Framework that allows attackers to craft malicious links causing users' browsers to redirect to arbitrary external websites. The flaw exists in Spring MVC and Spring WebFlux applications configured with a catch-all URL mapping ("/**") where the view name is not explicitly set. An attacker can exploit the 'redirect:' prefix to bypass intended routing controls and send users to phishing sites or other malicious hosts. This requires user interaction—the victim must click a crafted link—and impacts four widely-used versions of Spring Framework spanning multiple release series.
- CVE-2026-41854MEDIUM 4.2
CVE-2026-41854 is a server-side request forgery (SSRF) vulnerability in Spring Framework caused by incorrect parsing of host names in URLs. When an application uses Spring's UriComponentsBuilder to process a URL provided by an external user, an attacker could craft a malicious URL that causes the application to make unintended requests to internal systems or services. The vulnerability affects Spring Framework versions 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18. Exploitation requires user interaction and presents moderate risk.
- CVE-2026-48104MEDIUM 4.2
7-Zip versions 9.18 through 26.00 contain a memory safety bug in the SquashFS archive handler that can crash the application or leak heap information when processing a specially crafted archive file. The vulnerability stems from uninitialized memory left in an internal index structure; an attacker can craft a SquashFS archive that causes the handler to read from these uninitialized slots and potentially dereference invalid pointers during directory parsing. The issue is triggered automatically when you open the malicious file—no user interaction beyond that is required. The impact is limited to denial of service and potential information disclosure; the attacker cannot modify files or escalate privileges.
- CVE-2026-48522MEDIUM 4.2
PyJWT, a widely-used Python library for JSON Web Token handling, has a vulnerability in versions before 2.13.0 where it blindly accepts any URL scheme when fetching public key sets (JWKS). An attacker who can influence the URL used to fetch these keys—through JWT headers, configuration, or OAuth parameters—can trick the application into reading local files, attempting unusual protocol connections (FTP, data URIs), or in certain chained scenarios, forging valid tokens. The vulnerability requires specific conditions: the attacker must control the URL source, and token forgery scenarios require additional application-layer flaws like writable filesystem access.
- CVE-2026-9986MEDIUM 4.2
CVE-2026-9986 is a UI spoofing vulnerability in Google Chrome's OptimizationGuide component that could let an attacker deceive users about what they're seeing on a webpage. The vulnerability requires the attacker to have already compromised Chrome's rendering process—the engine that draws web content. While this limits the immediate attack scope, it represents a meaningful escalation risk for adversaries who have achieved code execution in that sandboxed component. The flaw stems from inadequate validation of user-supplied input before it's used to generate on-screen elements.
- CVE-2024-47263MEDIUM 4.1
A path traversal flaw in Synology Hyper Backup's web API allows administrators who already have legitimate access to write files outside their intended directory. The vulnerability is constrained to non-sensitive file types, limiting immediate damage, but represents a control-boundary weakness that could enable privilege misuse or lateral movement in environments where admin accounts are compromised or where insider threat is a concern.
- CVE-2026-10052MEDIUM 4.1
Quay's configuration tool contains a weakness in how it validates LDAP and SMTP settings. When a configuration editor supplies endpoints for these services, the tool connects to them without restricting which IP addresses or hostnames are allowed. An attacker with config editor privileges can abuse this to make the Quay container reach internal network resources, allowing them to map and discover the organization's internal infrastructure from inside the cluster's network position.
- CVE-2026-37700MEDIUM 4.1
MaxSite CMS version 109.2 contains a cross-site scripting (XSS) vulnerability in its backend file upload feature that allows authenticated attackers to inject malicious scripts. When an administrator performs a file upload through the admin page endpoint, an attacker with login credentials could craft a request that executes JavaScript in the victim's browser, potentially exposing sensitive information displayed during the upload process.
- CVE-2026-42401MEDIUM 4.1
CVE-2026-42401 is a stored HTML injection vulnerability in Kibana that allows an attacker with write access to an Elasticsearch index to inject malicious markup. When other users view the affected Kibana dashboard or visualization, the injected code is not properly sanitized before rendering in their browser. This can enable unauthorized UI changes and cause the victim's browser to make unintended outbound network requests on their behalf.
- CVE-2019-25723MEDIUM 4.0
Dräger Perseus A500 ventilators running software versions 2.00 through 2.02 are vulnerable to a denial-of-service attack. An attacker on the network can send malformed data through the Medibus medical interface to crash the device's processor, forcing a warm restart. During this restart—which lasts several seconds—ventilation pressure drops to ambient level, temporarily interrupting therapy delivery before the device recovers. This is a network-accessible vulnerability with no authentication required, making it a genuine concern for clinical environments.
- CVE-2019-25734MEDIUM 4.0
Contact Form by WD version 1.13.1 has a security flaw that combines two weaknesses: a cross-site request forgery (CSRF) vulnerability and local file inclusion (LFI). An unauthenticated attacker can craft a malicious web form that, when visited by an admin, tricks the admin's browser into loading arbitrary files from the server using directory traversal sequences. This bypasses the normal authentication checks on certain WordPress AJAX actions, potentially exposing sensitive files.
- CVE-2021-4479MEDIUM 4.0
Dräger Atlan A350 patient monitoring devices running firmware versions 1.00 through 1.01 are vulnerable to a denial-of-service attack delivered through the Medibus network interface. An attacker can send malformed data packets that the device fails to validate properly, causing the internal processor to become overloaded. Over several hours, this degradation manifests as loss of data transmission capability, delays in displaying vital sign curves, and discrepancies between measured airway pressure and displayed values—conditions that could compromise clinical decision-making in critical care settings.
- CVE-2026-10099MEDIUM 4.0
XX-Net V5.16.6 has a flaw in how it processes WebSocket communications that causes data corruption. When a client sends WebSocket frames without proper masking, the server incorrectly interprets the first 4 bytes of the message as a mask key (even when masking wasn't used), then mangles the rest of the data by applying the wrong decryption. This results in corrupted data being processed by the application. The vulnerability affects local attack scenarios and has medium severity.
- CVE-2026-10998MEDIUM 4.0
CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.
- CVE-2026-28581MEDIUM 4.0
A logic error in Android's call processing code allows an application to initiate emergency calls without proper authorization checks. The vulnerability stems from inadequate validation in the CallIntentProcessor when determining the initiating user, potentially enabling an app to trigger emergency dialing functionality that should be restricted. No user interaction is required for exploitation, and the issue affects multiple Android versions.
- CVE-2026-30963LOW 3.9
Capsule is a Kubernetes framework that uses webhooks to prevent tenant administrators from hijacking namespaces—essentially taking control of cluster resources they shouldn't own. The framework checks most update requests, but it misses two specific APIs (namespace/status and namespace/finalize subresources) that can also change namespace ownership markers. Before version 0.13.0, a tenant admin with permission to use these subresources could bypass the webhook protection and seize a namespace. Version 0.13.0 patches this gap by ensuring the webhook intercepts both subresource types.
- CVE-2026-45642LOW 3.9
CVE-2026-45642 affects Microsoft's Azure Attestation and Device Health Attestation services, which are used to verify the integrity and trustworthiness of devices and systems. The vulnerability stems from inadequate validation of user-supplied input, allowing an attacker who already has physical access and elevated privileges on a target system to spoof attestation results. This means an attacker could make a compromised or malicious device appear legitimate to systems that rely on attestation checks. The attack requires both physical proximity to the device and administrative-level access, significantly limiting real-world exposure.
- CVE-2025-12656LOW 3.8
The WPvivid Backup & Migration plugin for WordPress contains a vulnerability that allows administrators to inadvertently (or maliciously) delete arbitrary directories from the server. The flaw lies in insufficient validation of file paths when canceling a staging site, meaning an authenticated admin could specify any folder path and have it removed. This is restricted to high-privilege accounts, but the impact—permanent data loss—is serious for affected organizations.
- CVE-2026-10299LOW 3.8
CVE-2026-10299 is a resource identifier control vulnerability in code-projects Online Hospital Management System version 1.0. An authenticated attacker with high-level privileges can manipulate the 'delid' parameter in the viewdoctortimings.php file to cause unintended modifications or deletion of data. While the flaw requires administrative or high-privilege access and carries a low CVSS score, the availability of public exploit code warrants attention in environments running this system.
- CVE-2026-40510LOW 3.8
OpenSC, a widely-used open-source smart card library, contains a stack buffer overflow flaw in how it processes the Key History Object from PIV (Personal Identity Verification) cards. An attacker with physical access to a system could craft a malicious smart card or USB device that returns an oversized URL field—exceeding 118 bytes—triggering memory corruption. This vulnerability requires the attacker to be physically present at the machine and involves user interaction, limiting its reach but posing a real concern in environments where untrusted hardware may be connected.
- CVE-2026-40528LOW 3.8
OpenSC, a widely-used open-source library for working with smart cards and cryptographic tokens, contains a buffer overflow vulnerability in its profile configuration parser. When OpenSC's pkcs15-init tool processes a maliciously crafted configuration file, it can be tricked into copying more data than a buffer can hold, corrupting memory. An attacker would need local access to supply the malicious file and convince a user to run the initialization tool, but successful exploitation could allow memory corruption and potential code execution.
- CVE-2026-45683LOW 3.8
OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 contain a memory disclosure vulnerability in the Java TLS monitoring probe. The vulnerability stems from incorrect kernel memory access calls that allow a local attacker to read sensitive kernel memory and exfiltrate it through the instrumentation telemetry pipeline. This is a localized information disclosure risk that requires local process-level access to exploit.
- CVE-2026-6816LOW 3.8
Drupal's TFA Basic Plugins module contains a flaw that allows administrators with user management permissions to access or create recovery codes intended for other users. This bypasses the expected access controls around two-factor authentication recovery mechanisms. The vulnerability is restricted to versions 7.x-1.0 through 7.x-1.2, and exploitation requires administrative privileges, limiting its immediate threat to environments where admin accounts are already compromised or where trust boundaries have been violated.
- CVE-2025-52609LOW 3.7
HCL iControl is missing HTTP security headers that would instruct modern web browsers to block cross-site scripting (XSS) attacks. Without these headers—such as Content-Security-Policy or X-XSS-Protection—the application relies on older browser XSS filters that are inconsistently implemented and increasingly deprecated. An attacker could craft malicious input that, when processed by iControl, gets reflected in responses without proper sanitization, potentially allowing script execution in users' browsers.
- CVE-2026-10169LOW 3.7
A weakness in the password recovery feature of OUSL-GROUP-BrinaryBrains School Student Management System allows an attacker to manipulate the email parameter in the forgot password function, potentially leading to unauthorized password resets or account takeover. The vulnerability exists in the Login.php controller's ajax_forgot_password endpoint. While exploitable remotely, the attack requires specific conditions and is considered of low severity. Exploit code is publicly available, increasing risk of opportunistic attacks.
- CVE-2026-10216LOW 3.7
A vulnerability has been discovered in unitedbyai droidclaw version 0.5.3 and earlier that weakens authentication security on the claim endpoint. The flaw allows attackers to bypass rate limiting or account lockout protections during login attempts, potentially enabling brute-force attacks to guess user credentials. While a public exploit exists, the attack requires specific conditions and technical skill to execute successfully. The vendor has been notified but has not yet released a fix.
- CVE-2026-10300LOW 3.7
SGLang version 0.5.10.post1 contains a vulnerability in its inference HTTP endpoint that can be triggered by manipulating the lora_path argument. When an attacker provides a specially crafted lora_path value, the system reaches an assertion condition that causes the service to become unavailable. This is a remote vulnerability requiring network access, though the attack is complex to execute and not trivial to exploit in practice.
- CVE-2026-11555LOW 3.7
A privilege escalation vulnerability exists in D-Link's DGS-1100-08PD switch running firmware version 1.00.006. The issue resides in how the web interface processes the /etc/boa.conf configuration file, potentially allowing an attacker to modify system settings in ways that bypass normal access restrictions. While a public exploit exists, successful exploitation requires significant technical skill and specific conditions to align. The impact is limited to integrity violations—an attacker cannot read sensitive data or crash the device, only make unauthorized configuration changes.
- CVE-2026-24761LOW 3.7
CVE-2026-24761 is an authorization flaw in Kiteworks Secure Data Forms that allows authenticated users to view metadata belonging to other users. Because the system doesn't properly verify who owns a resource before allowing access, a legitimate user can craft requests to retrieve information about files and documents they shouldn't see. The vulnerability requires an attacker to already have valid credentials and involves a higher complexity of exploitation, which limits its risk profile. This affects Kiteworks versions before 9.3.0.
- CVE-2026-41848LOW 3.7
Spring Framework's AntPathMatcher component is susceptible to a Regular Expression Denial of Service (ReDoS) attack. If an attacker can control or influence URL path patterns processed by the matcher, they can craft a malicious pattern that causes excessive CPU consumption, potentially degrading application performance or availability. This vulnerability affects multiple actively supported versions of Spring Framework spanning several release lines.
- CVE-2026-41852LOW 3.7
Spring Expression Language (SpEL) in VMware Spring Framework contains a flaw that allows attackers to invoke arbitrary methods with zero arguments even in contexts designed to restrict or prevent such actions. An attacker with network access could exploit this to trigger unintended application logic, potentially leading to denial of service or information disclosure depending on available methods and application design. This affects multiple versions across the 5.3, 6.1, 6.2, and 7.0 release branches.
- CVE-2026-42768LOW 3.7
OpenSSL's CMS and S/MIME decryption functions contain a flaw that allows attackers to exploit error messages or decryption output to gradually recover encrypted data or forge signatures. The vulnerability exists in two forms: when no recipient certificate is provided, an attacker can craft a message with multiple encryption layers to probe for valid padding patterns; when a certificate is provided but doesn't match, OpenSSL substitutes a random key, which an attacker can use to compare results and refine attacks. The practical risk is low because exploiting it requires the victim's application to expose detailed error codes or decryption results to an untrusted attacker, a scenario OpenSSL's developers consider very unlikely in real-world deployments.
- CVE-2026-42770LOW 3.7
A weakness in OpenSSL's handling of X9.42 Diffie-Hellman key exchanges allows a malicious peer to forge domain parameters in a way that bypasses security validation. Specifically, when checking that a peer's public key belongs to the correct mathematical subgroup, OpenSSL uses the peer's own parameters instead of verifying against the local key's parameters. An attacker can exploit this to gradually recover fragments of a victim's private key through repeated key exchange attempts, ultimately reconstructing the entire key via mathematical combination. However, the practical risk is limited to specific scenarios: principally Certificate Management Protocol (CMP) deployments where a Certification Authority or Registration Authority maintains long-lived X9.42 DHX keys, and custom enterprise or government applications using static DHX keys in interactive protocols.
- CVE-2026-44546LOW 3.7
Daphne, a popular ASGI server for Django applications, contains a header parsing vulnerability that allows attackers to inject additional HTTP headers into requests under specific conditions. The issue arises from a mismatch in how Daphne and the underlying WebSocket library (autobahn) interpret certain whitespace characters as line separators. By crafting requests with specific byte sequences in header values, an attacker can inject headers that the application receives, potentially leading to security bypasses depending on application logic. Daphne versions before 4.2.2 are affected. The vulnerability has a low CVSS score (3.7) and requires specific conditions to exploit, but organizations running affected versions should still apply the patch.
- CVE-2026-44743LOW 3.7
CVE-2026-44743 is a low-severity information disclosure vulnerability in SAP Business Objects that allows unauthorized attackers to leak sensitive data through a specific application endpoint. The vulnerability requires specific conditions to be exploitable and does not affect system integrity or availability—only the confidentiality of information is at risk.
- CVE-2026-48524LOW 3.7
PyJWT, a widely-used Python library for handling JSON Web Tokens (JWTs), contains a weakness in how it fetches public signing keys. When a JWT arrives with an unfamiliar key identifier (kid), the library will make a fresh HTTP request to retrieve the correct signing key—without any protection against repeated requests for the same unknown identifier. An attacker can exploit this by sending JWTs with different fake kid values, forcing the library to make outbound requests for each one. While the actual impact depends on whether the signing-key endpoint has its own rate limiting or becomes saturated, the vulnerability allows an attacker to potentially cause a denial-of-service condition through request amplification. This issue is resolved in PyJWT 2.13.0 and later.
- CVE-2026-5419LOW 3.7
A timing vulnerability has been discovered in GnuTLS, a widely-used encryption library. When the library decrypts data protected with PKCS#7 padding, the padding verification process takes different amounts of time depending on the content of the padding bytes. An attacker with network access could measure these timing differences to infer information about the padding, potentially revealing details about encrypted messages. This is a subtle flaw that requires precise network-level observation to exploit, making it a low-risk issue in most environments, but one that sophisticated attackers targeting high-value communications might attempt.
- CVE-2026-10766LOW 3.6
MLRun versions up to 1.12.0-rc3 contain a weakness in how they hash dataframes. The vulnerable function in mlrun/utils/helpers.py uses cryptographic methods that are considered inadequate for security purposes. An attacker with local access to a system running MLRun could potentially manipulate or forge data integrity checks, though doing so requires significant technical effort and local privileges. The vulnerability is not currently listed as actively exploited in the wild, but proof-of-concept details have been publicly disclosed.
- CVE-2026-10775LOW 3.6
CVE-2026-10775 is a denial-of-service vulnerability in SGLang's cache handling mechanism. An attacker with local system access and user-level privileges can trigger a crash or service interruption by exploiting the data_hash function in the cache handler. The attack requires specific knowledge of the system's cache internals, making it moderately difficult to execute, though proof-of-concept code has been publicly disclosed.
- CVE-2026-10800LOW 3.6
PaddlePaddle FastDeploy versions up to 2.4.1 contain a weakness in how the MultimodalHasher component generates hashes for multimodal features. An attacker with local system access and user-level privileges could manipulate the hash_features function to use cryptographically weak hashing, potentially allowing them to forge or predict hash values. This is a low-severity issue that requires both local access and significant technical effort to exploit.
- CVE-2026-10801LOW 3.6
A weakness in how ModelScope's ms-swift library (versions up to 4.2.0) hashes cached PIL images creates a local integrity risk. An attacker with local system access and user-level privileges could manipulate image cache validation, potentially leading to cache poisoning or image substitution. The vulnerability requires significant technical effort to exploit and poses limited immediate threat in most environments, but should be addressed before deployment in sensitive workflows.
- CVE-2026-10803LOW 3.6
MLflow versions up to 3.10.0 contain a cryptographic weakness in the Dataset Digest Computation module. The vulnerability uses an insufficiently strong hash function for dataset digest operations, which could allow an attacker with local system access and user-level privileges to tamper with dataset integrity checks or trigger application errors. Exploitation requires significant technical effort and local presence on the affected machine.
- CVE-2026-10804LOW 3.6
Streamlit versions up to 1.53.0 contain a weak cryptographic hashing vulnerability in its palette handler component. An attacker with local system access and authenticated user privileges can manipulate the hashing function to produce predictable or non-unique hash values, potentially allowing them to bypass integrity checks or cause minor application disruptions. The attack is complex and requires deep knowledge of the affected code path, making opportunistic exploitation unlikely. However, the vulnerability is not currently tracked as an active threat on CISA's Known Exploited Vulnerabilities catalog.
- CVE-2026-10812LOW 3.6
GPTCache versions up to 0.1.44 contain a weakness in how it hashes image data used for cache key generation. An attacker with local access to a system running vulnerable GPTCache can manipulate image input parameters to exploit weak cryptographic hashing, potentially causing data integrity issues. The attack requires elevated complexity to execute and is not considered an immediate threat to most deployments, but organizations using GPTCache for image processing should monitor for patches.
- CVE-2026-10813LOW 3.6
LMCache versions up to 0.4.6 contain a cryptographic weakness in the KV Cache Handler component, specifically in how it converts hash values to integers. An attacker with local system access could manipulate this weak hash function to potentially compromise data integrity or availability. However, exploiting this requires significant technical complexity and local access privileges, limiting its practical risk in most environments.
- CVE-2026-11329LOW 3.6
CVE-2026-11329 is a low-severity weakness in ONNX MLIR's node cache handler that uses weak cryptographic hashing in the hash key generation function. The vulnerability requires local access and elevated privileges to exploit, making it a restricted-scope risk. An attacker with local user permissions could manipulate the hash mechanism to cause minor integrity issues or availability disruptions, but the attack is difficult to execute in practice and does not compromise confidentiality.
- CVE-2026-11330LOW 3.6
A cryptographic weakness has been discovered in thedotmack claude-mem versions up to 11.0.1. The Observation Content Hash Handler component uses an insufficiently strong hashing algorithm when processing observation data, which could allow a local attacker with user-level access to manipulate or forge content hashes under specific conditions. This is a localized vulnerability with limited practical exploitability but should be remediated in environments where hash integrity is critical.
- CVE-2026-41974LOW 3.6
CVE-2026-41974 is a permission control flaw in a service notification system that could be exploited to impact system availability. The vulnerability requires local access and user interaction to trigger, but does not require elevated privileges. The attack surface is confined to the notification subsystem, and successful exploitation would degrade service performance or cause temporary unavailability rather than expose sensitive data or grant unauthorized access.
- CVE-2026-10228LOW 3.5
A cross-site scripting (XSS) vulnerability exists in the raisulislamg4 student_management_system_by_php project. The flaw resides in the admission_form_check.php file, where user input passed through the Message parameter is not properly sanitized before being reflected in the web response. An authenticated attacker can craft malicious input that, when viewed by another user, executes arbitrary JavaScript in their browser. The vulnerability requires user interaction (clicking a malicious link) and affects only the integrity of data, not confidentiality or availability. Public exploit details are available, though the CVSS 3.5 score reflects the relatively constrained attack scenario requiring authentication and browser-based execution.
- CVE-2026-10234LOW 3.5
Mettle sendportal versions up to 3.0.1 contain a cross-site scripting (XSS) vulnerability in the Campaign Handler component. An authenticated attacker can inject malicious scripts through the content parameter in the /webview/ endpoint, potentially allowing them to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability requires user interaction to be effective and does not grant direct administrative access. Exploit code is publicly available, elevating practical risk despite the low CVSS score.
- CVE-2026-10244LOW 3.5
SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in the medicine name creation function. An authenticated user can inject malicious script code through the medicine_name parameter, which executes in the context of other users' browsers. The vulnerability requires user interaction (clicking a link or visiting a page) to trigger, and an attacker must have valid login credentials to exploit it. Public exploits are now available.
- CVE-2026-10245LOW 3.5
SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in its supplier creation functionality. An authenticated user can inject malicious code through the company name field when creating a supplier record. This code executes in the browsers of other users who view the supplier information, potentially allowing attackers to steal session tokens, redirect users to malicious sites, or perform unauthorized actions on their behalf. Public exploits for this vulnerability are already available.
- CVE-2026-10246LOW 3.5
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated user can inject malicious scripts through the medicine presentation creation function, which are then executed in the browsers of other users who view that data. The attack requires user interaction and does not grant elevated privileges, but can be used to steal session tokens, redirect users, or perform actions on their behalf within the application.
- CVE-2026-10247LOW 3.5
A cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated attacker can inject malicious scripts through the generic_name parameter in the create_generic_name function, which the application will then execute in users' browsers. This could allow the attacker to steal session cookies, hijack user accounts, or manipulate pharmacy data. The vulnerability requires user interaction to trigger and an authenticated account to exploit, limiting its immediate impact, but public exploit code is now available.
- CVE-2026-10264LOW 3.5
CVE-2026-10264 is a path traversal vulnerability in lharries whatsapp-mcp version 0.0.1, located in the SendMessageRequest function of the Send API Endpoint. An attacker with local access and user privileges can manipulate the mediaPath argument to traverse the file system and read sensitive files, though exploitation impact is limited to information disclosure. The vulnerability has been publicly disclosed.
- CVE-2026-10567LOW 3.5
A stored cross-site scripting (XSS) vulnerability exists in 1Panel-dev CordysCRM versions up to 1.4.1. An authenticated attacker can inject malicious JavaScript into the Description field of the ModuleFormController, which will execute in the browsers of other users who view the affected module form. The vulnerability requires user interaction (viewing the crafted form) to trigger, and does not grant the attacker direct access to sensitive data or system functions. Upgrading to version 1.7.0 resolves the issue.
- CVE-2026-11511LOW 3.5
Bolt CMS versions up to 3.7.5 contain a vulnerability in how it handles HTML attributes within text fields. An authenticated attacker can manipulate the 'style' argument to inject arbitrary HTML code, potentially affecting the visual presentation or behavior of a web page. The vulnerability requires user interaction (a user must view the injected content) and authentication, limiting its immediate risk. However, because Bolt CMS is no longer actively maintained, affected organizations should plan transitions away from this platform.
- CVE-2026-11520LOW 3.5
SourceCodester Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in the header.php file that allows authenticated users to inject malicious scripts through multiple parameters. An attacker with valid credentials can craft a specially crafted request to inject JavaScript that executes in the browsers of other users, potentially stealing session data or performing unauthorized actions on their behalf. Public exploit code is available, increasing the practical risk despite the low CVSS score.
- CVE-2026-11534LOW 3.5
A cross-site scripting (XSS) vulnerability exists in imvks786's student_management_system application. The flaw allows attackers to inject malicious scripts through the name, address, or fname parameters in the /add.php file. An attacker with authenticated access can craft a malicious request that, when clicked by another user, executes arbitrary JavaScript in that user's browser. The vulnerability is publicly known, and the development team has been notified but has not yet responded with a patch.
- CVE-2026-45159LOW 3.5
Nextcloud's end-to-end encrypted file drop feature contained a logic flaw that allowed a user with drop-link access to place files into other encrypted folders owned by the share recipient—without being able to read or modify existing files. The vulnerability affects multiple version lines and has been patched across all active branches.
- CVE-2026-45266LOW 3.5
A flaw in Nextcloud allows any authenticated user to remotely mute other participants' microphones during calls, but only when the deployment lacks a High-performance Backend configuration. This is a low-severity integrity issue that affects call participants' ability to communicate via audio.
- CVE-2026-48190LOW 3.5
OTRS has a permission-handling flaw in its External Interface and ConfigItem List module that allows authenticated customers to access Configuration Item (CI) information they shouldn't be able to see. The vulnerability only manifests when both CMDB is enabled and CustomerGroupSupport is configured, meaning organizations using default or simpler OTRS setups may not be affected. An attacker would need valid customer credentials and user interaction to exploit this issue.
- CVE-2026-48191LOW 3.5
A permissions bug in OTRS and STORM-powered OTRS allows authenticated users to discover metadata about configuration items (CIs), SLA levels, and services—such as how many are affected—without having actual access to view or modify them. An attacker needs valid login credentials and must interact with the Document Search Article Meta Filters modules to extract this information. While the exposure is limited to metadata disclosure rather than data access, it can provide reconnaissance value to an insider threat or compromised account holder.
- CVE-2026-48288LOW 3.5
Adobe Experience Manager contains a flaw in how it validates user input that can allow a logged-in attacker to bypass certain security controls and gain unauthorized write permissions. The attacker must trick a victim into visiting a malicious link or interacting with a compromised page, making this a lower-risk issue in practice. Affected versions include 6.5.24, LTS SP1, 2026.04 and earlier.
- CVE-2026-48289LOW 3.5
Adobe Experience Manager contains a vulnerability in how it validates user input that could allow a low-privileged attacker to bypass security controls and gain unauthorized write access to content. The attack requires the victim to visit a malicious link or interact with a compromised webpage, making it a practical but not trivial threat in environments where AEM is exposed to users. This is not currently listed as exploited in the wild.
- CVE-2026-8981LOW 3.5
The Custom Block Builder WordPress plugin before version 4.3.0 fails to properly validate user permissions when handling block template code in certain scenarios. This allows site administrators—particularly on WordPress multisite networks or single-site installations with `DISALLOW_UNFILTERED_HTML` enabled—to inject malicious JavaScript into block templates. When visitors load pages containing these blocks, the injected code executes in their browsers, potentially compromising user sessions or stealing sensitive information.
- CVE-2026-49370LOW 3.4
JetBrains YouTrack versions before 2026.1.13162 contain an information disclosure vulnerability affecting the fetchApp request handler. An authenticated user with high privileges can trigger unintended data exposure through a request that includes user interaction, though the scope of disclosed information is limited. This is a low-severity issue that requires administrative or privileged account access to exploit.
- CVE-2026-49381LOW 3.4
CVE-2026-49381 is a stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity's SAML login page that existed prior to version 2026.1. An attacker with high privileges could inject malicious scripts into the login interface, which would then execute in the browsers of users who interact with that page. The vulnerability requires user interaction to trigger and has limited scope, affecting only the confidentiality of information visible to the victim during their session.
- CVE-2025-48616LOW 3.3
CVE-2025-48616 is a logic error in Android's KeyguardViewMediator that allows a local attacker with basic user privileges to bypass lockdown mode when screen pinning is active, potentially exposing sensitive information on the device. The vulnerability requires no user interaction and poses a localized risk to data confidentiality on affected Android devices.
- CVE-2025-62338LOW 3.3
CVE-2025-62338 is a low-severity vulnerability in HCL BigFix Cloud Lifecycle Management caused by insufficient input validation. An authenticated local user can exploit this flaw to bypass security controls and access sensitive information they shouldn't have permission to view. The issue does not allow attackers to modify data or crash the system, only to read information they're not authorized to access.
- CVE-2026-0016LOW 3.3
A permissions validation flaw in Android's credential management system allows a local attacker with limited user privileges to read sensitive information across other user accounts without special permissions or user interaction. The vulnerability resides in how the system handles credential provider updates when services are removed, creating a bypass that exposes data intended to be isolated between users.
- CVE-2026-0050LOW 3.3
CVE-2026-0050 is a local information disclosure vulnerability in Android's Bluetooth adapter service. A malicious app with basic user-level permissions can bypass security checks in the handleBondStateChanged function to read sensitive Bluetooth-related information without requiring additional privileges or user interaction. The impact is limited to information disclosure; the attacker cannot modify data or crash the system.
- CVE-2026-0056LOW 3.3
CVE-2026-0056 is a memory safety issue in Android's ResourceTypes.cpp component where an incorrect bounds check allows a local process to read data outside intended memory boundaries. This flaw exposes sensitive information resident in adjacent memory to any app with basic local access—no special permissions, elevated privileges, or user interaction required. The vulnerability is classified as low severity due to its limited scope and local-only nature.
- CVE-2026-10197LOW 3.3
Assimp, a widely-used open-source 3D model import library, contains a flaw in its glTF2 file handler that can cause the application to crash when processing maliciously crafted glTF2 files with embedded textures. An attacker with local file system access can trigger a null pointer dereference by supplying a crafted glTF2 file, leading to denial of service. The vulnerability affects versions up to and including 6.0.4. A fix exists in pending pull request form but has not yet been merged into a stable release.
- CVE-2026-10198LOW 3.3
Assimp, a popular open-source 3D model import library, contains a flaw in its glTF file import handler that can cause the application to crash. The vulnerability stems from improper handling of certain glTF mesh data, leading to a null pointer dereference when the ImportMeshes function processes malformed or specially crafted files. An attacker with local access to a system running a vulnerable version of Assimp could trigger this crash, resulting in denial of service. The issue affects Assimp versions up to and including 6.0.4.
- CVE-2026-10199LOW 3.3
Assimp, a popular 3D asset library, contains a null pointer dereference vulnerability in its glTF2 parsing code. An attacker with local access can craft a malicious glTF2 file that triggers a crash when processed, causing a denial of service. The vulnerability affects Assimp versions up to 6.0.4 and has been publicly disclosed, though it requires local interaction and low privileges to exploit.
- CVE-2026-10201LOW 3.3
CVE-2026-10201 is a divide-by-zero flaw in Assimp (Asset Importer Library), a widely-used 3D model processing library. The defect exists in the UV Channel Handler component, specifically within the FBXExporter::WriteObjects function in FBXExporter.cpp. When a user with local access supplies specially crafted input, the vulnerability triggers a division-by-zero error that crashes the application. Because this is a local-only attack requiring user-level privileges and the impact is availability-focused (denial of service via crash), the risk is classified as low. However, the fact that proof-of-concept code has been publicly released means defenders should not assume this will remain a theoretical concern.
- CVE-2026-10233LOW 3.3
Assimp, a popular open-source 3D model importing library, contains an out-of-bounds read vulnerability in its Half-Life 1 MDL file loader. When processing specially crafted MDL files, the vulnerability allows an attacker with local access to read memory outside intended boundaries. While the issue has been publicly disclosed, the impact is limited to information disclosure with no ability to modify or crash systems. This vulnerability requires local file system access and authenticated user privileges to trigger.
- CVE-2026-10267LOW 3.3
A flaw in the Janet programming language (version 1.41.0 and earlier) allows a local user to read memory beyond intended boundaries in the debug frame handling code. The vulnerability requires local system access and valid user credentials to exploit, but poses a confidentiality risk by enabling unauthorized disclosure of sensitive data in memory.
- CVE-2026-10268LOW 3.3
A vulnerability exists in Janet language versions up to 1.41.0 that allows an integer overflow when processing serialized fiber data. An attacker with local system access can exploit this condition to cause a denial of service by crashing the affected application. The vulnerability is not critical but represents a real risk in environments where untrusted users have local access to systems running vulnerable Janet versions.
- CVE-2026-10295LOW 3.3
CVE-2026-10295 is a low-severity denial-of-service vulnerability in SourceCodester Customer Review App version 1.0. By manipulating the 'name' or 'comment' parameters in the review submission functions, an attacker with local access can crash or degrade the application's availability. While an exploit has been published, the attack surface is limited because local authentication is required—this is not a remote vulnerability that can be exploited from the internet.
- CVE-2026-10298LOW 3.3
A null pointer dereference vulnerability exists in whisper.cpp versions up to 1.8.2, specifically in the model loading function. An attacker with local system access can trigger this flaw to cause the application to crash or become unavailable. The vulnerability requires user privileges to exploit and does not directly compromise data confidentiality or integrity. Public exploit code is available, though the impact remains limited to denial of service on the affected system.
- CVE-2026-10528LOW 3.3
Orthanc DICOM Server versions up to 1.12.11 contain a stack-based buffer overflow vulnerability in the DCMTK parser component. The flaw exists in the DcmItem::read function and can be triggered through malicious DICOM file manipulation. An attacker with local system access can exploit this to cause a denial of service condition. The vulnerability has been publicly disclosed with working exploit code available.
- CVE-2026-10722LOW 3.3
A local integer overflow vulnerability exists in Cilium eBPF's BTF (BPF Type Format) loading functionality. An attacker with local system access can manipulate offset parameters during eBPF collection loading, causing the application to miscalculate memory boundaries. While the impact is limited to denial of service on the affected system, the public disclosure means exploitation tools may become available. This is a localized threat requiring prior system access but warrants patching to maintain system stability.
- CVE-2026-11312LOW 3.3
A flaw in ByteDance's InfiniStore library (versions up to 0.2.33) allows a local user to trigger inefficient algorithmic behavior in the key-value map purge function. An attacker with local access can manipulate input to the purge_kv_map routine, causing the function to consume excessive CPU or processing time. The vulnerability requires local system access and valid user privileges, limiting its scope, but public exploit code now exists.
- CVE-2026-11459LOW 3.3
SecureAge CatchPulse versions up to 10.9.3 contain a vulnerability in the saappctl.sys driver that can leak sensitive information to authenticated local users. An attacker with a valid local account on the affected system can trigger the IOCTL handler to access data they shouldn't normally see. The vulnerability has been publicly disclosed and active exploitation is possible, though it requires legitimate access to the target machine.
- CVE-2026-11478LOW 3.3
CVE-2026-11478 is a denial-of-service vulnerability in the kokke tiny-regex-c library that allows a local attacker to trigger inefficient regular expression processing through the matchstar function. An attacker with local access and basic privileges can craft a malicious regex pattern that causes excessive computation, potentially slowing or stalling applications that parse untrusted regex inputs. The severity is low because exploitation requires local execution and user-level permissions, but the published exploit code means the attack method is already in the wild.
- CVE-2026-11792LOW 3.3
A memory corruption flaw exists in 389 Directory Server's audit logging feature. When audit logging is enabled and certain password storage conditions are met, the server can write more data than a buffer can hold, corrupting memory and producing garbled audit logs. The vulnerability requires non-standard configuration or a compromised replication partner to trigger, which limits real-world exposure.