By year

Vulnerabilities disclosed in 2026

CVEs published in 2026 with SEC.co analysis.

1014 published vulnerabilities · page 7 of 11

  • CVE-2026-11027MEDIUM 6.5

    A vulnerability in Google Chrome's Glic component fails to properly validate untrusted input, allowing an attacker who has already compromised Chrome's renderer process to extract sensitive data across website boundaries using a specially crafted webpage. The attacker needs initial renderer process compromise but then gains the ability to read data from sites the user visits, bypassing normal browser security boundaries.

  • CVE-2026-11032MEDIUM 6.5

    Google Chrome's Password Manager contained a flaw that could allow an attacker to trick users into visiting a malicious webpage and leak sensitive data from other websites the user visits. The vulnerability requires user interaction—visiting a crafted HTML page—but once triggered, could expose cross-origin information that should remain isolated between websites. This affects Chrome on Windows, macOS, and Linux systems.

  • CVE-2026-11033MEDIUM 6.5

    A memory initialization flaw in Chrome's WebML component on macOS allows attackers to steal sensitive data. When a user visits a malicious webpage, the browser may leak uninitialized memory contents—potentially exposing passwords, tokens, or other private information—without requiring any special user interaction beyond loading the page. The issue affects Chrome versions before 149.0.7827.53 on Apple's macOS.

  • CVE-2026-11322MEDIUM 6.5

    Hermes WebUI versions before 0.51.221 have a path traversal flaw that lets authenticated users read files outside the intended workspace directory. By crafting symlinks that point to sensitive data, attackers can access SSH keys, cloud credentials, and application tokens that the server process can reach. The vulnerability requires an existing user account but poses a meaningful risk to credential and secret exposure.

  • CVE-2026-1871MEDIUM 6.5

    TP-Link Tapo C200 v5 camera firmware contains a flaw in how it validates incoming RTSP (Real Time Streaming Protocol) authentication requests. An attacker on the local network can send a specially crafted authentication message that overflows a memory buffer, crashing the camera's streaming service and forcing an automatic reboot. During this outage, users cannot view live video or manage the camera remotely. Once the camera restarts, service is restored, but the vulnerability remains exploitable, making repeated attacks feasible.

  • CVE-2026-23638MEDIUM 6.5

    Kiteworks, a platform designed to secure and control data sharing across organizations, contains a flaw that allows authenticated users to modify form approval workflows that belong to other users. The vulnerability stems from inadequate checks on who actually owns or has permission to modify a particular form's configuration. An attacker with valid Kiteworks credentials could exploit this to alter how forms route for approval, potentially disrupting legitimate business processes or gaining unauthorized visibility into sensitive approvals.

  • CVE-2026-24753MEDIUM 6.5

    Kiteworks Secure Data Forms contained an authorization flaw that allowed authenticated users to modify data forms and resources belonging to other users. The vulnerability stems from insufficient checks verifying that a user actually owns or has permission to modify a resource before allowing the action. Any authenticated user could exploit this by directly referencing another user's resource identifiers and making changes. This is categorized as an Insecure Direct Object Reference (IDOR) vulnerability. The issue is resolved in Kiteworks version 9.3.0 and later.

  • CVE-2026-26379MEDIUM 6.5

    Koha, an open-source library management system, contains a Server-Side Request Forgery (SSRF) vulnerability in its Z39.50/SRU server configuration. An authenticated attacker can exploit this flaw to scan the internal network and discover which services are running by measuring how the server responds to requests. This vulnerability affects Koha versions up to and including 25.11.

  • CVE-2026-26824MEDIUM 6.5

    libxls, a widely-used library for reading Microsoft Excel files, has a memory safety issue that could allow an attacker to crash applications or potentially leak sensitive information. The vulnerability exists in how the library initializes internal data structures when parsing Excel file containers. An attacker who crafts a malicious Excel file and tricks a user or application into opening it could trigger the vulnerability. This is a moderate-severity issue affecting the library through version 1.6.3.

  • CVE-2026-27145MEDIUM 6.5

    Go's x509 certificate hostname verification process had a performance flaw where it unnecessarily repeated the same string-splitting operation for each DNS Subject Alternative Name (SAN) entry on a certificate. When a certificate listed many DNS SANs, verification became progressively slower—scaling with both the number of SANs and the complexity of the hostname being checked. The flaw affected all certificate verification, including checks on untrusted certificates, making it possible for an attacker to craft a certificate with an extremely large SAN list that would cause significant CPU overhead during validation.

  • CVE-2026-3173MEDIUM 6.5

    The Meta Field Block plugin for WordPress has a permission-checking flaw that lets Contributor-level users and above read sensitive data stored in WordPress metadata. An attacker with basic contributor access can specify any object ID and type—bypassing the plugin's validation—to retrieve private information like user details, customer billing addresses, or other metadata that WordPress site administrators expected to keep hidden. On sites running e-commerce or membership plugins, this can expose personally identifiable information at scale.

  • CVE-2026-3198MEDIUM 6.5

    MLflow 3.9.0, when deployed with basic authentication enabled, contains an authorization bypass affecting several gateway API endpoints. The application fails to properly verify user permissions before allowing access to sensitive operations that list gateway secrets, endpoints, and model definitions. This means any user who has logged in—even with minimal privileges—can view all gateway configuration data, including API keys and proprietary model information that should be restricted. The vulnerability is confined to the basic-auth deployment mode and affects information disclosure rather than data modification or system availability.

  • CVE-2026-33464MEDIUM 6.5

    Kibana contains a denial-of-service vulnerability that allows low-privileged authenticated users to crash the service by sending an oversized request to an internal API. When exploited, Kibana becomes unresponsive to all users until manually restarted or the process recovers. This is a resource exhaustion attack that requires valid credentials but no special privileges.

  • CVE-2026-35049MEDIUM 6.5

    Wire iOS users running versions before 4.16.0 are vulnerable to a denial-of-service attack where a specially crafted message causes the app to crash immediately upon receipt, without any user action required. The crash persists across app restarts, trapping users in a crash loop until they manually clear the app's local data. This affects authenticated users only—the attacker must have messaging access to the target.

  • CVE-2026-35673MEDIUM 6.5

    OpenClaw versions before 2026.4.29 contain a Server-Side Request Forgery (SSRF) policy bypass that allows authenticated users to circumvent network security controls. The vulnerability exists in browser debug and export functionality, where attackers can reuse previously-blocked tabs to access or export content that should remain restricted by private-network SSRF policies. This is a policy evasion technique rather than a direct network breach—the attacker must already have authenticated access to these routes, but can then leverage that access to reach otherwise-protected resources.

  • CVE-2026-35718MEDIUM 6.5

    VIVOTEK FD8136 network cameras running firmware version 0300a contain a path traversal vulnerability in their administrative media download function. An authenticated attacker can craft requests to the vulnerable endpoint to read files anywhere on the device, potentially exposing sensitive configuration data, credentials, or system files. This requires valid login credentials but does not require user interaction to exploit.

  • CVE-2026-36499MEDIUM 6.5

    Open vSwitch v3.6.90 contains a flaw that allows someone with write access to its configuration database to cause the software to allocate an unreasonably large number of worker threads. By requesting more threads than the system can handle, an attacker can exhaust memory and CPU resources, effectively shutting down the switch. The vulnerability requires existing database access, limiting the immediate threat surface, but represents a significant availability risk in environments where OVSDB write permissions are not tightly controlled.

  • CVE-2026-36604MEDIUM 6.5

    A Mercusys AC12G (EU) V1 router running firmware version AC12G(EU)_V1_200909 fails to validate the HTTP Host header in requests, creating an opening for DNS rebinding attacks. When an attacker controls a domain, they can redirect that domain to the router's internal IP address. The router's existing CORS misconfiguration (which already allows requests from any origin) amplifies this weakness, permitting the attacker to extract sensitive information from the router's web interface as if the request came from a trusted source. This vulnerability requires user interaction—typically visiting a malicious website—but does not require authentication.

  • CVE-2026-36605MEDIUM 6.5

    Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909 contain a denial-of-service vulnerability where an attacker on the local network can send a small number of specially crafted incomplete HTTP requests to crash the router. The device becomes unresponsive and requires a physical power cycle to restore function. This affects network availability for all connected devices.

  • CVE-2026-3870MEDIUM 6.5

    Zyxel VMG4005-B50B routers with firmware up to version 5.13(ABRL.5.4)C0 contain a buffer overflow flaw in their UPnP port-mapping feature. An attacker on the same local network can exploit this to crash the UPnP service temporarily, preventing legitimate port-forwarding operations until the service recovers or the device is rebooted.

  • CVE-2026-3871MEDIUM 6.5

    Zyxel VMG4005-B50B gateway devices running firmware version 5.13(ABRL.5.4)C0 and earlier contain a buffer overflow flaw in the UPnP DeletePortMapping command. An attacker on the same local network can exploit this to crash the UPnP service, temporarily disabling port mapping features. The vulnerability requires network adjacency and does not enable data theft or system compromise, but does degrade device functionality.

  • CVE-2026-39229MEDIUM 6.5

    Bolt CMS versions up to 3.7.0 contain a SQL injection vulnerability in how it processes the 'order' parameter on content listing pages. An attacker who has legitimate user credentials—even with minimal permissions—can craft malicious input to extract sensitive data from the database. The vulnerability is triggered through the OrderDirective component during normal sorting operations. This is an information disclosure risk; attackers cannot modify or delete data, but they can read information they shouldn't access.

  • CVE-2026-40861MEDIUM 6.5

    CVE-2026-40861 is a path traversal vulnerability in Apache Airflow that allows a DAG (Directed Acyclic Graph) author to read or write arbitrary files on the system when the worker and API server share a log directory. An attacker with DAG authoring privileges can either create symbolic links in their task's log folder to access sensitive files like `/etc/passwd` or `airflow.cfg`, or inject path traversal sequences (`..`) in task IDs to escape the intended log directory. The vulnerability exposes confidential configuration data and could enable file overwrites on the API server's filesystem.

  • CVE-2026-41141MEDIUM 6.5

    EspoCRM versions before 9.3.5 contain an access control bypass in the email template preparation endpoint. An authenticated user with basic EmailTemplate read permissions can extract sensitive field data from any Contact, Lead, Account, or User record by providing the target's email address—effectively circumventing role-based visibility restrictions. This allows lower-privileged users to read information they should not have access to, such as financial details, personal fields, or team-restricted records.

  • CVE-2026-41184MEDIUM 6.5

    Calico's CNI installer container accidentally logs Kubernetes ServiceAccount tokens to standard output during deployment, specifically when using Canal or Flannel-Calico configurations. Any user with permission to view pod logs in the affected namespace can retrieve this token, which grants the ability to modify pod annotations—a vector for attacking workloads in your cluster. The vulnerability is a regression of a previously fixed issue and does not affect deployments using the default kubeconfig authentication method.

  • CVE-2026-41185MEDIUM 6.5

    Calico, a widely-used open-source networking plugin for Kubernetes, logs sensitive authentication credentials to plaintext files when deployed with Azure's IPAM plugin and token-based Kubernetes authentication. The vulnerability occurs because the Calico CNI binary adds subnet information to the configuration before forwarding it to Azure IPAM for processing. During this handoff, the entire configuration—including Kubernetes ServiceAccount tokens, client keys, and certificate authority data—is logged at INFO level to /var/log/calico/cni/cni.log. This happens on every pod scheduling or termination, creating a high-frequency credential leak. Any user or process with read access to node-level logs can extract cluster-wide Calico networking administrator credentials without triggering alarms.

  • CVE-2026-42073MEDIUM 6.5

    OpenClaude, an open-source command-line tool for interacting with cloud and local AI models, has a flaw in how it handles user login. When you authenticate using OAuth, the software runs a temporary web server locally to catch the login response. To prevent attackers from hijacking this process, the server checks a security token called a 'state parameter.' However, due to a bug in how the code checks this token, an attacker can bypass the security check entirely and crash the server without even knowing what the token is. This has been fixed in version 0.5.1 and later.

  • CVE-2026-42358MEDIUM 6.5

    Apache Airflow's secret-masking feature, which is supposed to hide sensitive values in Variables when they're accessed through the UI or API, has a flaw that lets authenticated users read plaintext secrets stored in deeply nested JSON structures. The masking tool gives up checking for sensitive key names (like 'password', 'token', 'secret', 'api_key') once it reaches a certain nesting depth, so secrets buried deeper than that limit slip through unmasked. Any user with permission to read Variables can exploit this. This is a follow-up to an earlier fix; that patch addressed shallow nesting, but didn't raise the depth limit itself, leaving the same bypass hole for deeper structures.

  • CVE-2026-42360MEDIUM 6.5

    Apache Airflow has a flaw in how it protects sensitive information embedded within complex data structures (like JSON templates). When a workflow template is large enough to exceed Airflow's size limit for storing template data, the system converts it to plain text before masking secrets—a process that loses track of nested sensitive fields like passwords, tokens, and API keys. An authenticated user with access to read stored template fields could then retrieve these unmasked secrets. The issue affects Airflow deployments where workflow authors pass structured data containing nested sensitive values to operators. Even organizations that patched a related vulnerability (CVE-2025-68438) last year need to apply this additional update, as that earlier fix did not address this specific nested-key masking gap.

  • CVE-2026-42399MEDIUM 6.5

    A vulnerability in Kibana allows authenticated users with basic access to crash the application by uploading specially crafted visualizations. An attacker submits a Timelion visualization with deeply nested function calls that causes Kibana to allocate memory without limit, eventually consuming all available RAM and taking the service offline for everyone. This is a denial-of-service attack that requires valid credentials but no administrative privileges.

  • CVE-2026-42400MEDIUM 6.5

    CVE-2026-42400 is a denial-of-service vulnerability in Kibana that allows an authenticated user to crash or freeze a Kibana instance by sending a malicious compressed request. The vulnerability exists because Kibana processes and decompresses incoming requests before fully validating user permissions, meaning an attacker can consume excessive memory and CPU resources on the server before authorization checks can stop them. While this requires valid credentials to exploit, the impact is straightforward: a Kibana instance can become unresponsive or crash entirely, disrupting visibility and analysis capabilities that teams depend on.

  • CVE-2026-42539MEDIUM 6.5

    IRIS is a web-based platform used by incident response teams to collaborate and share technical details during security investigations. A vulnerability in versions before 2.4.28 causes the platform to leak sensitive information to authenticated users that those users should not have access to. This happens because the application returns unnecessary data in responses, exposing information beyond what the client application actually needs to function. An attacker with valid IRIS credentials can exploit this to view restricted incident data.

  • CVE-2026-42671MEDIUM 6.5

    Paolo GeoDirectory versions up to 2.8.157 contain a missing authorization flaw that allows attackers to bypass access controls. Without needing credentials or user interaction, an attacker on the network can exploit misconfigured security levels to gain unauthorized access to sensitive operations, potentially modifying data or causing service disruption.

  • CVE-2026-42676MEDIUM 6.5

    myCred, a gamification and community engagement plugin, contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious scripts into web pages. Unlike reflected XSS attacks that require victims to click a link, stored XSS persists in the application's database, meaning any user—including administrators—who views the affected content will execute the attacker's code. The vulnerability affects myCred versions up to and including 3.0.4. An authenticated attacker could exploit this to steal session tokens, redirect users, deface content, or perform actions on behalf of legitimate users.

  • CVE-2026-42679MEDIUM 6.5

    CVE-2026-42679 is a path traversal vulnerability in Mamunur Rashid Classified Listing that allows authenticated users to read sensitive files outside the application's intended directory structure. An attacker with valid login credentials can craft specially formatted file path requests to access restricted files on the server, potentially exposing configuration data, database backups, or other confidential information. The vulnerability affects Classified Listing versions up through 5.3.8.

  • CVE-2025-14042MEDIUM 6.4

    The Automotive Car Dealership Business WordPress Theme contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 13.4.1. An attacker with contributor-level or higher permissions can inject malicious scripts into Portfolio Item 'Project Details' fields. These scripts will execute when other users view the affected pages, potentially compromising visitor sessions, stealing credentials, or defacing content. The vulnerability stems from the theme's failure to properly sanitize and escape user input in a custom field.

  • CVE-2025-59610MEDIUM 6.4

    A memory corruption vulnerability affects numerous Qualcomm chipsets and platforms when processing IOCTL (input/output control) requests that contain mismatched API versions. The flaw stems from concurrent modification of user-space buffers during processing, allowing a privileged local attacker to corrupt kernel memory and potentially gain elevated code execution. The vulnerability requires high privilege access and specific conditions to trigger, limiting opportunistic exploitation but posing significant risk in compromised or malicious insider scenarios.

  • CVE-2026-20454MEDIUM 6.4

    CVE-2026-20454 is a privilege escalation vulnerability in MediaTek's geniezone component affecting multiple system-on-chip (SoC) models. An attacker who already holds System privilege can exploit a race condition in memory handling to read or modify sensitive data and potentially gain higher-level control. No user interaction or network access is required—exploitation occurs locally once System privilege is obtained.

  • CVE-2026-2382MEDIUM 6.4

    The FPW Category Thumbnails WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.9.5. Any user with Subscriber-level access or higher can inject malicious JavaScript through the 'id' parameter in an AJAX function. This script persists in the plugin's settings and executes whenever an administrator views that page, potentially compromising administrator accounts. The vulnerability stems from the plugin failing to properly clean and escape user input before storing and displaying it.

  • CVE-2026-25600MEDIUM 6.4

    PDBM application contains a critical cryptographic weakness: a single hard-coded encryption secret embedded in the executable file that is identical across all installations. This secret is used to encrypt and decrypt user credentials stored in the application's configuration files. An attacker with local system access can extract this secret from the PDBM.exe binary, then use it to decrypt stored administrative credentials. Because the default configuration assigns these credentials administrative privileges within PDBM, successful exploitation grants attackers complete control over the application's management functions and operational capabilities.

  • CVE-2026-34993MEDIUM 6.4

    AIOHTTP, a popular Python library for building asynchronous web applications, contains a vulnerability in its cookie handling mechanism. When the `CookieJar.load()` function processes untrusted cookie files, attackers can craft malicious files that execute arbitrary code on the affected system. However, the vulnerability requires specific conditions: an application must explicitly load cookies from attacker-controlled files, which is uncommon in typical deployments where cookie data comes from trusted sources or user profiles.

  • CVE-2026-36612MEDIUM 6.4

    The Mercusys AC12G (EU) router with firmware version AC12G(EU)_V1_200909 ships with Wi-Fi Protected Setup (WPS) enabled by default. WPS is a feature designed to simplify device pairing, but this implementation has a critical weakness: after just 10 failed PIN guesses, the device locks out for only 60 seconds. This short lockout window makes brute-force attacks against the WPS PIN feasible within a reasonable timeframe, potentially allowing an attacker within wireless range to gain administrative access to the router.

  • CVE-2026-3722MEDIUM 6.4

    A WordPress plugin called 'Auto Image Attributes From Filename With Bulk Updater' fails to properly clean and display user-supplied data in image metadata fields. This allows authenticated users with Author-level permissions or higher to embed malicious code into image properties. When site visitors view pages containing the injected image, that code runs in their browsers—potentially stealing session cookies, performing actions on their behalf, or redirecting them to malicious sites. The vulnerability affects all versions up to and including 4.9.

  • CVE-2026-4080MEDIUM 6.4

    The Easy Cart plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its 'add_to_cart' shortcode. Attackers with Contributor-level access or above can inject malicious scripts into shortcode parameters that will execute for any user viewing the affected page. The vulnerability stems from incomplete sanitization—while HTML tags are stripped, quotation marks are not escaped, allowing attackers to break out of HTML attribute context and inject event handlers like onclick or onerror. All versions through 1.8 are affected.

  • CVE-2026-4081MEDIUM 6.4

    The ZeM STL plugin for WordPress contains a vulnerability that allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into website pages. When someone visits a page containing the injected script, their browser executes the attacker's code. This happens because the plugin doesn't properly clean or escape user input when processing shortcode parameters like 'url', 'color', and 'bgcolor'. All versions up to 1.0 are affected.

  • CVE-2026-4334MEDIUM 6.4

    The Shariff Wrapper plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 4.6.20. Attackers with Contributor-level access or higher can inject malicious scripts through the 'headline' parameter in the [shariff] shortcode. When other users view the affected page, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or further compromise. The vulnerability stems from the plugin's use of a permissive HTML sanitization routine followed by unsafe string replacement operations that reintroduce dangerous content after the sanitization check.

  • CVE-2026-44462MEDIUM 6.4

    Zed is a popular code editor that includes a terminal tool with permission controls meant to restrict which commands can be executed. Prior to version 0.229.0, an attacker could bypass these restrictions by chaining bash variable expansion syntax—specifically the ${var@P} expansion—to execute arbitrary commands even when they appeared to violate the allowed command prefix rules. This requires user interaction (opening a malicious project or terminal configuration) but grants the attacker code execution within the editor's process context.

  • CVE-2025-65640MEDIUM 6.3

    Arket Globe Document Intelligence version 5.0.0.559 contains a reflected cross-site scripting (XSS) vulnerability in the "Task in Progress / Recent" page. An authenticated attacker can inject malicious JavaScript into document creation fields that will execute in the browsers of other users viewing that page, potentially allowing session hijacking, credential theft, or other malicious actions performed on behalf of those users.

  • CVE-2026-10060MEDIUM 6.3

    TRENDnet's TEW-432BRP wireless router (firmware version 3.10B20) contains a command injection vulnerability in its route configuration interface. An authenticated attacker can manipulate IP, mask, or gateway parameters to inject arbitrary commands on the device. The vulnerability requires valid credentials but poses a direct threat to affected networks. Critically, this product reached end-of-life in 2009—over 15 years ago—and the vendor has stated it cannot replicate or fix vulnerabilities in legacy hardware.

  • CVE-2026-10061MEDIUM 6.3

    A command injection vulnerability exists in the TRENDnet TEW-432BRP wireless router (firmware version 3.10B20), discovered in the WPS configuration function. An authenticated attacker can manipulate the peerPin parameter to execute arbitrary commands on the device. The vulnerability is network-accessible and requires valid login credentials. Notably, this router reached end-of-life in 2009—over 15 years ago—and TRENDnet has stated they cannot replicate or provide fixes for vulnerabilities in this legacy hardware. While exploit code is public, the practical risk is limited to organizations still operating this obsolete equipment in production environments.

  • CVE-2026-10064MEDIUM 6.3

    TRENDnet has disclosed a remote stack-based buffer overflow vulnerability in the TEW-432BRP wireless router (firmware version 3.10B20 and earlier). An authenticated attacker can exploit this flaw by sending a specially crafted request to the port forwarding configuration endpoint, potentially allowing code execution or denial of service. The vendor has confirmed this product reached end-of-life in 2009 and will not issue patches. Public exploit code is available, elevating the practical risk despite the device's age.

  • CVE-2026-10101MEDIUM 6.3

    ACM/MCE (Advanced Cluster Management / Multicluster Engine) inadvertently exposes container registry credentials in InfraEnv status messages when pull-secret validation fails. A user with read-only namespace access can view InfraEnv objects and extract the full `.dockerconfigjson` payload—including usernames, passwords, and base64-encoded authentication tokens—despite having no direct permission to read Secrets. This circumvents Kubernetes RBAC controls designed to keep registry credentials confidential.

  • CVE-2026-10127MEDIUM 6.3

    A command injection vulnerability exists in Edimax BR-6478AC wireless routers running firmware version 1.23. An authenticated attacker can send a specially crafted web request to the device's configuration interface that tricks it into executing arbitrary system commands. The vulnerability stems from improper validation of the 'rootAPmac' parameter in the device's wireless driver setup function. Because proof-of-concept code has been publicly released, there is a meaningful risk that attackers will attempt to exploit this flaw in active environments.

  • CVE-2026-10152MEDIUM 6.3

    A flaw in TaleLin's lin-cms-spring-boot framework (version 0.2.1 and earlier) allows authenticated users to bypass access controls on the book endpoint. An attacker with valid login credentials can manipulate requests to perform actions they should not be permitted to execute, such as viewing, modifying, or deleting book records without proper authorization checks. Proof-of-concept code is publicly available, increasing the risk of active exploitation.

  • CVE-2026-10166MEDIUM 6.3

    A command injection vulnerability exists in Edimax BR-6478AC version 1.23 that allows an authenticated attacker to execute arbitrary commands on the device. The flaw is in the web interface's wireless settings handler, where the rootAPmac parameter is not properly sanitized before being used in system commands. An attacker with valid login credentials can manipulate this parameter to inject malicious commands, potentially compromising router configuration, data, or availability. Public exploit details are available, increasing real-world risk.

  • CVE-2026-10168MEDIUM 6.3

    A vulnerability in OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated users to manipulate resource identifiers through the marks function in the Parents.php controller, potentially exposing or modifying student data. An attacker with login credentials can exploit this remotely by injecting malicious parameters, affecting the confidentiality and integrity of educational records. Public disclosure has occurred, increasing real-world exploitation risk.

  • CVE-2026-10170MEDIUM 6.3

    A SQL injection vulnerability exists in code-projects Visitor Management System version 1.0. An authenticated attacker can manipulate the 'phone' parameter in the /vms/php/phone_0.php file to inject malicious SQL commands. This allows the attacker to read, modify, or delete database contents without special privileges. The vulnerability requires valid login credentials to exploit and has a published proof-of-concept.

  • CVE-2026-10172MEDIUM 6.3

    Bdtask Multi-Store Inventory Management System version 1.0 contains a file upload vulnerability that allows authenticated users to upload arbitrary files to the server without validation. An attacker with valid login credentials can exploit this flaw to upload malicious files, potentially leading to remote code execution or other attacks. Public exploit code is available, increasing the risk of widespread exploitation.

  • CVE-2026-10174MEDIUM 6.3

    Aider-AI's Aider version 0.86.3 contains a flaw in how it processes pre-commit hook arguments. An attacker with valid credentials can manipulate the git-commit-verify argument to bypass security protections that normally prevent unauthorized code commits. The vulnerability requires network access and prior authentication, making it a concern primarily for development teams using Aider in shared or untrusted environments. Public exploit code exists, increasing the practical risk.

  • CVE-2026-10175MEDIUM 6.3

    A code injection vulnerability exists in Aider-AI Aider version 0.86.3 within the Architect Mode feature. An authenticated user can manipulate the editor_coder.run function in auth.py to inject and execute arbitrary code on the system. The flaw requires valid credentials to exploit but no additional user interaction, making it a direct threat to organizations using this development assistance tool. Public exploit code is already available.

  • CVE-2026-10176MEDIUM 6.3

    Aider-AI's Aider version 0.86.3 contains a SQL injection vulnerability in its code generation workflow that can be exploited by authenticated users to manipulate database queries. While the vulnerability requires login credentials to trigger, an attacker with access can extract, modify, or delete sensitive data. Public exploit information is available, increasing the near-term risk of active exploitation.

  • CVE-2026-10177MEDIUM 6.3

    Aider-AI's Aider version 0.86.3 contains a server-side request forgery (SSRF) vulnerability in its AWS EC2 metadata endpoint handling. An authenticated attacker can exploit the requests.get function in api_docs.py to make the application fetch resources from arbitrary locations, potentially accessing sensitive internal services or metadata. The vulnerability is remotely exploitable and public disclosure has already occurred.

  • CVE-2026-10180MEDIUM 6.3

    A command injection vulnerability exists in the TRENDnet TEW-432BRP router (firmware version 3.10B20) that allows authenticated users to execute arbitrary system commands through the formSysCmd web interface parameter. The vulnerability is in the /goform/formSysCmd endpoint and can be exploited remotely by anyone with network access and valid credentials. TRENDnet has not patched this issue because the router reached end-of-life in 2009 and is no longer supported.

  • CVE-2026-10182MEDIUM 6.3

    A remote command injection vulnerability exists in the TRENDnet TEW-432BRP wireless router running firmware version 3.10B20. An authenticated attacker can exploit the WLAN setup function by manipulating the 'enrollee' parameter to execute arbitrary commands on the device. The vulnerability has been publicly disclosed. However, this router reached end-of-life in 2009—over 15 years ago—and the vendor has stated they cannot replicate or fix vulnerabilities in products no longer supported. Organizations still operating this hardware face unpatched exposure.

  • CVE-2026-10193MEDIUM 6.3

    OFCMS versions up to 1.1.3 contain a SQL injection vulnerability in the ComnController component. An authenticated attacker can manipulate the 'system.user.query' parameter to inject malicious SQL commands, potentially accessing, modifying, or deleting database records. The vulnerability has been publicly disclosed and exploit code is available, making active exploitation a realistic threat.

  • CVE-2026-10194MEDIUM 6.3

    A heap-based buffer overflow exists in OFFIS DCMTK 3.7.0 within the query/retrieve service component (dcmqrscp). An authenticated attacker can trigger this flaw remotely by sending specially crafted requests to the image deletion function, potentially causing memory corruption, data loss, or service disruption. The vulnerability requires valid credentials to exploit but poses moderate risk in networked medical imaging environments where DCMTK is deployed.

  • CVE-2026-10202MEDIUM 6.3

    A SQL injection vulnerability exists in OFCMS version 1.1.3 affecting the JSON Query Interface within the SystemDictController component. An authenticated attacker can send specially crafted queries to manipulate SQL commands executed by the application, potentially reading, modifying, or deleting database records. The vulnerability requires valid user credentials but can be exploited over the network without user interaction. Exploit code is publicly available, increasing the risk of active exploitation.

  • CVE-2026-10203MEDIUM 6.3

    A SQL injection vulnerability exists in OFCMS 1.1.3 within the Query function of the SystemParamController component. The flaw allows authenticated attackers to inject malicious SQL commands through the JSON Query Interface, potentially compromising database integrity and confidentiality. Public exploit code is available, increasing active exploitation risk.

  • CVE-2026-10204MEDIUM 6.3

    A SQL injection vulnerability has been discovered in OFCMS version 1.1.3, specifically in the JSON Query Interface of the user management controller. An authenticated attacker can submit specially crafted queries to execute arbitrary SQL commands against the application's database. This could allow them to read, modify, or delete sensitive data. The vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, but exploit code has been publicly released, increasing the practical risk of attacks.

  • CVE-2026-10205MEDIUM 6.3

    Metasoft MetaCRM version 6.4.0 contains an unrestricted file upload vulnerability in its logo upload functionality. An authenticated attacker can upload arbitrary files to the server, potentially leading to code execution or system compromise. The vulnerability affects a JSP file handling logo uploads and requires valid user credentials to exploit. Public exploit code exists for this issue.

  • CVE-2026-10209MEDIUM 6.3

    A SQL injection vulnerability exists in the Online Hospital Management System version 1.0, specifically in the appointment booking functionality. An authenticated attacker can manipulate the 'editid' parameter in the appointmentdetail.php file to inject malicious SQL commands. This allows an attacker with valid credentials to read, modify, or delete sensitive appointment and patient data without additional authorization. Since the exploit has been publicly disclosed, the risk of active exploitation is elevated.

  • CVE-2026-10210MEDIUM 6.3

    AstrBot version 4.23.6 contains a vulnerability in its skill management system that allows authenticated users to inject malicious code through the prompt description field. An attacker with login credentials can manipulate how skill prompts are processed, potentially leading to unauthorized data access, system modification, or service disruption. The vulnerability has been publicly disclosed, and exploit code is available, though the vendor has not engaged with disclosure efforts.

  • CVE-2026-10211MEDIUM 6.3

    AstrBot version 4.23.6 contains a flaw in how it validates file system paths, allowing authenticated users to bypass access restrictions and read, modify, or delete files they shouldn't be able to access. An attacker with valid credentials can exploit this remotely without user interaction. The vulnerability has already been disclosed publicly, and exploit code may be available.

  • CVE-2026-10212MEDIUM 6.3

    A flaw in AstrBot version 4.24.2 allows an authenticated attacker to manipulate the session_id parameter in the astr_main_agent function, bypassing authorization checks. This means a logged-in user could potentially access or modify resources belonging to other users or perform actions they should not be permitted to perform. The vulnerability is remotely exploitable and public exploits are available.

  • CVE-2026-10217MEDIUM 6.3

    A privilege management flaw exists in nextlevelbuilder GoClaw versions up to 3.11.3 that allows authenticated users to escalate their access or perform unauthorized actions. The vulnerability affects the RoleAdmin Gateway component, specifically in how it handles configuration saves. An attacker with valid credentials can exploit this remotely to gain elevated permissions or manipulate role-based access controls, potentially affecting data confidentiality, integrity, and availability.

  • CVE-2026-10223MEDIUM 6.3

    NousResearch's hermes-agent software contains an injection vulnerability in its memory scanning tool that allows authenticated users to inject malicious input. An attacker with valid credentials can exploit this flaw remotely to manipulate the application's memory handling logic. The vulnerability affects all versions up to 2026.4.30, and exploit code has already been publicly disclosed, raising the practical risk despite a moderate CVSS score.

  • CVE-2026-10235MEDIUM 6.3

    CodeAstro Ingredients Stock Management System version 1.0 contains a SQL injection vulnerability in its stock manager component. An authenticated attacker can manipulate the txt_search_category parameter in the /Ingredients-Stock/stock_manager.php file to execute arbitrary SQL queries. This allows unauthorized data access, modification, or deletion within the application's database. The vulnerability requires valid login credentials but can be exploited over the network without user interaction.

  • CVE-2026-10239MEDIUM 6.3

    JeecgBoot, an open-source low-code application development platform, contains a server-side request forgery (SSRF) vulnerability in its word document editing module. Specifically, the `WordUtil.addImage` function in the `/airag/word/edit` endpoint fails to properly validate image URLs, allowing an authenticated attacker to manipulate the application into making arbitrary HTTP requests on behalf of the server. This could expose internal resources, bypass firewalls, or facilitate lateral movement within a network. The vulnerability affects JeecgBoot versions up to and including 3.9.2 and has been publicly disclosed.

  • CVE-2026-10240MEDIUM 6.3

    JeecgBoot versions up to 3.9.2 contain a server-side request forgery (SSRF) vulnerability in the /airag/airagModel/test endpoint. An authenticated attacker can manipulate the baseUrl parameter to make the server perform unintended HTTP requests to internal or external systems. The vulnerability requires login credentials but does not require user interaction, and can be exploited over the network. A fix is planned for an upcoming release.

  • CVE-2026-10241MEDIUM 6.3

    JimuReport (jeecgboot) versions up to 3.9.1 contain a server-side request forgery (SSRF) vulnerability in a file download function exposed via a debug endpoint. An authenticated attacker can manipulate the application into making arbitrary network requests on behalf of the server, potentially accessing internal resources, cloud metadata, or other services not directly exposed to the internet. The vulnerability is reachable over the network and exploit code is publicly available.

  • CVE-2026-10242MEDIUM 6.3

    itsourcecode Content Management System version 1.0 contains a SQL injection vulnerability in the /instructions.php file. An attacker with user-level access can manipulate the topic_id parameter to execute unauthorized database queries, potentially reading, modifying, or deleting sensitive data. The vulnerability is remotely exploitable and public exploit code is available.

  • CVE-2026-10256MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0 affecting the comment-saving functionality. An authenticated attacker can manipulate the Name parameter in /save_comment.php to execute arbitrary SQL queries, potentially reading, modifying, or deleting database contents. The vulnerability requires valid user credentials but does not require user interaction to exploit. Public exploit code is available, elevating the practical risk despite the MEDIUM CVSS score.

  • CVE-2026-10257MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0, specifically in the admin update functionality. An authenticated user can inject malicious SQL commands through the topic_id parameter when uploading images, potentially reading, modifying, or deleting database contents. Public exploit code is available, increasing near-term risk.

  • CVE-2026-10258MEDIUM 6.3

    itsourcecode Content Management System version 1.0 contains a SQL injection vulnerability in its administrative interface. An authenticated attacker can manipulate the topic_id parameter in the /admin/add_sub_topic.php file to inject malicious SQL commands, potentially allowing unauthorized access to, modification of, or deletion of database records. The vulnerability requires valid login credentials but can be exploited over the network without additional user interaction.

  • CVE-2026-10265MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0 that allows authenticated users to manipulate the topic_id parameter in the /admin/edit_topic.php file to execute arbitrary SQL queries. An attacker with valid admin credentials can exploit this to read, modify, or delete database records. Public exploits are available, elevating operational risk.

  • CVE-2026-10269MEDIUM 6.3

    A vulnerability in decolua 9router allows an authenticated user to bypass authorization controls by manipulating the Host HTTP header. The flaw exists in the authentication logic of the dashboard guard component and can be exploited remotely by someone with valid login credentials. Affected versions up to 0.4.0 should be updated immediately to 0.4.1.

  • CVE-2026-10271MEDIUM 6.3

    A flaw in a4m4 Student-Management-System allows an attacker to manipulate a parameter in the admin endpoint, causing the application to execute code after a redirect. The vulnerability requires user interaction but can be triggered remotely. An exploit has already been published publicly, increasing risk. The vendor uses rolling releases without traditional version numbers, making tracking more difficult for defenders.

  • CVE-2026-10274MEDIUM 6.3

    A server-side request forgery (SSRF) vulnerability exists in the aem-mcp-server project maintained by indrasishbanerjee. The flaw is in the getAssetMetadata function, which processes an assetPath parameter without proper validation. An authenticated attacker can manipulate this parameter to cause the server to make unintended HTTP requests to internal or external systems, potentially accessing sensitive data or interacting with restricted resources. The vulnerability is publicly known and exploit code may be in circulation.

  • CVE-2026-10276MEDIUM 6.3

    A server-side request forgery (SSRF) vulnerability exists in Jenkins-server-mcp version 0.1.0, a Jenkins integration tool. An authenticated attacker can manipulate the jobPath parameter in build status, log retrieval, or build trigger operations to make the server issue malicious requests to internal or external systems. The vulnerability requires valid login credentials but no user interaction, and the exploit code has already been made public.

  • CVE-2026-10277MEDIUM 6.3

    A security flaw exists in the MCP Google Workspace integration's Gmail tool that allows authenticated users to bypass access controls and manipulate file storage operations. An attacker with valid login credentials can remotely exploit this vulnerability to gain unauthorized access to data or perform unintended modifications. The vulnerability affects the component up to commit 831790e7d5c2663325733d9f5579cc339a267c4c, and a patch has been released.

  • CVE-2026-10278MEDIUM 6.3

    A path traversal vulnerability exists in the excel-mcp project (versions up to 1.0.2) that allows authenticated users to access files and directories outside the intended scope by manipulating file path parameters. An attacker with valid credentials can read or write files on the affected system by crafting malicious file path arguments, potentially exposing sensitive data or modifying system files. The vulnerability has been publicly disclosed, increasing the risk of active exploitation.

  • CVE-2026-10279MEDIUM 6.3

    A remote command injection vulnerability exists in wezterm-mcp version 0.1.0, a WezTerm terminal multiplexer control plane component. An authenticated attacker can manipulate the pane_id parameter in requests to the switch_pane/write_to_specific_pane function to inject arbitrary operating system commands. The vulnerability requires valid credentials to exploit but poses a meaningful risk in environments where WezTerm MCP is exposed to untrusted users or networked clients.

  • CVE-2026-10283MEDIUM 6.3

    Bottelet DaybydayCRM contains an authentication bypass vulnerability in its Settings Handler component. An authenticated attacker can manipulate application settings to gain unauthorized access to functionality they should not have, potentially viewing sensitive data, modifying records, or disrupting service availability. The vulnerability affects versions up to 2.2.1 and requires an attacker to already have valid login credentials to exploit it.

  • CVE-2026-10286MEDIUM 6.3

    CodeAstro Payroll System version 1.0 contains a SQL injection vulnerability in its employee home page functionality. An authenticated attacker can inject malicious SQL commands through the emp_id parameter, allowing them to read, modify, or delete database records. This vulnerability requires valid login credentials and is reachable over the network. Public exploit information is available, increasing the immediate risk of exploitation.

  • CVE-2026-10296MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 that allows authenticated users to manipulate the Username parameter in the /ajax.php endpoint to execute arbitrary SQL queries. An attacker with valid login credentials can exploit this flaw to read, modify, or delete database contents. The vulnerability requires authentication but is otherwise straightforward to exploit and has been publicly disclosed.

  • CVE-2026-10297MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 within the course management functionality. An authenticated attacker can manipulate the ID parameter in the /manage_course.php endpoint to execute arbitrary SQL queries against the underlying database. The vulnerability requires valid login credentials but can be exploited over the network without additional interaction. Exploit code is publicly available, elevating the practical risk.

  • CVE-2026-10302MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 within the /manage_fee.php file. An authenticated attacker can manipulate the ID parameter to inject malicious SQL commands, potentially allowing unauthorized access to, modification of, or deletion of database records. The vulnerability requires valid user credentials to exploit but can be triggered remotely over the network.

  • CVE-2026-10550MEDIUM 6.3

    A command injection vulnerability exists in elunez eladmin versions up to 2.7 within the Application Deployment Module. An authenticated user can manipulate the uploadPath argument to inject arbitrary commands, leading to remote code execution on the affected system. The vulnerability requires valid credentials to exploit but does not need user interaction once authenticated. Public exploit code is available, increasing the risk of active exploitation.

  • CVE-2026-10558MEDIUM 6.3

    SourceCodester Pizzafy Ecommerce System version 1.0 contains a file inclusion vulnerability in its administrative interface. An attacker with valid login credentials can manipulate the 'page' parameter in /admin/index.php to include and execute arbitrary files on the server. This allows an authenticated attacker to read sensitive files, modify system behavior, or potentially execute code. The vulnerability is publicly known and proof-of-concept code is available.

  • CVE-2026-10559MEDIUM 6.3

    SourceCodester Pizzafy Ecommerce System version 1.0 contains a file inclusion vulnerability in its index.php file. An authenticated attacker can manipulate the 'page' parameter to include arbitrary files, potentially exposing sensitive data or executing unintended code. The vulnerability requires valid credentials but can be exploited over the network without user interaction.