By year

Vulnerabilities disclosed in 2026

CVEs published in 2026 with SEC.co analysis.

1014 published vulnerabilities · page 8 of 11

  • CVE-2026-10568MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0. An authenticated attacker can manipulate the ID parameter in the /manage_payment.php file to execute arbitrary SQL queries against the backend database. This vulnerability requires valid login credentials to exploit, but can lead to unauthorized data access, modification, or deletion. Public exploit code is available, increasing the practical risk of exploitation.

  • CVE-2026-10581MEDIUM 6.3

    DedeCMS 5.7.88 contains a server-side request forgery (SSRF) vulnerability in its download functionality. An authenticated attacker can manipulate the Link parameter passed to the base64_decode function in /plus/download.php to cause the server to make unintended requests to internal or external systems. This allows an attacker with login credentials to potentially access restricted resources, exfiltrate data, or pivot to other systems on the network.

  • CVE-2026-10662MEDIUM 6.3

    A server-side request forgery (SSRF) vulnerability exists in ahujasid blender-mcp, a tool that handles ZIP file operations. An authenticated attacker can manipulate the ZIP file URL parameter to force the server to make HTTP requests to arbitrary internal or external systems. This could allow an attacker to access sensitive internal services, exfiltrate data, or pivot deeper into a network. The vulnerability affects versions up to commit 7636d13, and a patch is available.

  • CVE-2026-10690MEDIUM 6.3

    A server-side request forgery (SSRF) vulnerability exists in DesktopCommanderMCP version 0.2.37. The flaw allows authenticated attackers to manipulate URL parameters passed to the read_file function, enabling the server to make arbitrary HTTP requests on behalf of the attacker. This could expose internal services, exfiltrate data, or compromise systems that trust the affected server.

  • CVE-2026-10693MEDIUM 6.3

    SourceCodester Online Boat Reservation System version 1.0 contains a flaw in its administrative endpoints that fails to properly verify user permissions. An authenticated attacker can exploit this improper authorization to access or modify administrative functions they shouldn't have access to. The vulnerability requires an existing user account but can be exploited over the network without user interaction. The flaw affects multiple administrative endpoints, and exploit details have been publicly disclosed.

  • CVE-2026-10703MEDIUM 6.3

    A use-after-free memory safety flaw exists in EIPStackGroup OpENer versions up to 2.3.0 within the SendRRData request handler. An authenticated attacker can remotely trigger memory corruption by crafting malicious messages, potentially leading to information disclosure or service disruption. The vulnerability has been publicly disclosed but the vendor has not yet acknowledged or released a patch.

  • CVE-2026-10806MEDIUM 6.3

    CVE-2026-10806 is a medium-severity file upload vulnerability in mjperpinosa stumasy affecting the add_post.php component. An authenticated attacker can manipulate the up_file_to_post parameter to upload files without proper restrictions, potentially allowing arbitrary file placement on the server. The vulnerability requires valid login credentials but can be exploited over the network. Exploit code has been publicly disclosed, increasing practical risk.

  • CVE-2026-10807MEDIUM 6.3

    A file upload vulnerability exists in mjperpinosa stumasy that allows authenticated users to upload files without proper validation. By manipulating the profile image upload parameter in the application's profile management component, an attacker with login credentials can bypass upload restrictions and place arbitrary files on the server. The vulnerability requires authentication but poses meaningful risk to confidentiality, integrity, and availability of the affected system.

  • CVE-2026-10808MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 that allows authenticated users to manipulate the ID parameter in the /manage_student.php file, potentially enabling unauthorized data access, modification, or deletion. The vulnerability requires valid login credentials but can be exploited remotely over the network. Public exploit code is available, elevating the risk of active attack.

  • CVE-2026-10809MEDIUM 6.3

    CVE-2026-10809 is a SQL injection vulnerability in itsourcecode Fees Management System version 1.0. An authenticated attacker can manipulate the ID parameter in the /manage_user.php file to inject malicious SQL commands, potentially reading, modifying, or deleting database records. The flaw requires valid login credentials but can be exploited over the network without user interaction. Public exploit code is available, elevating the practical risk despite the medium CVSS score.

  • CVE-2026-10811MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0. The flaw resides in the /receipt.php file, specifically in how the application processes the ef_id parameter. An authenticated attacker can manipulate this parameter to inject malicious SQL commands, potentially allowing them to read, modify, or delete database records. Public disclosure of this vulnerability means exploitation techniques are already available, elevating the practical risk.

  • CVE-2026-10815MEDIUM 6.3

    A missing authorization vulnerability was discovered in the Hostel Management System PHP application, specifically in the Admin Dashboard Page's index.php file. An authenticated attacker can manipulate the ID parameter to bypass authorization checks, potentially gaining unauthorized access to sensitive administrative functions. The vulnerability requires valid login credentials but does not require user interaction once authenticated. Public exploit code is available, increasing the practical risk.

  • CVE-2026-10874MEDIUM 6.3

    A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop Project version 1.0 affecting the admin dashboard. An authenticated attacker can manipulate the 'social_insta' parameter in the /admin/adminHome.php file to inject malicious SQL commands. This allows unauthorized access to sensitive database information, modification of data, or potential system disruption. The vulnerability requires valid login credentials but has no other technical barriers to exploitation.

  • CVE-2026-10875MEDIUM 6.3

    A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop Project version 1.0 that allows authenticated users to inject malicious SQL commands through the social_twitter parameter in the admin panel. An attacker with login credentials can exploit this flaw to read, modify, or delete database records. Public exploit code has been released, increasing the risk of active exploitation.

  • CVE-2026-21404MEDIUM 6.3

    NAVTOR NavBox versions up to 4.16.1.20 contain hard-coded credentials embedded in its SOAP (Windows Communication Foundation) implementation. When SOAP functionality is enabled, a local user with basic system access can extract these credentials, authenticate to the SOAP interface, and gain unauthorized access to privileged methods that allow arbitrary file write and overwrite operations on the system. This vulnerability requires local access to trigger but bypasses intended security workflows entirely.

  • CVE-2026-25599MEDIUM 6.3

    This vulnerability affects Orca heat pump devices and their control portal. An attacker can intercept unencrypted communications between older Orca heat pumps and the control server, impersonate a legitimate device, and inject malicious code into the web portal. This injected code can steal user session cookies, compromise accounts, expose sensitive information, and grant attackers unauthorized access to the portal. The core issues are the lack of authentication, unencrypted HTTP connections, and missing input validation.

  • CVE-2026-35716MEDIUM 6.3

    A stack-based buffer overflow vulnerability exists in VIVOTEK FD8136 IP cameras that allows an authenticated attacker to run arbitrary code with root privileges. The flaw is in the motion privacy configuration endpoint, which fails to validate the size of user input before copying it into a fixed-size buffer on the stack. Because the camera firmware lacks stack protection mechanisms, an attacker can overwrite return addresses and hijack program execution. An authenticated attacker on the network can exploit this remotely by sending a specially crafted POST request.

  • CVE-2026-35717MEDIUM 6.3

    A stack-based buffer overflow exists in the export_language.cgi binary on VIVOTEK FD8136 IP cameras running firmware FD8136-VVTK-0300a. An authenticated attacker can send a specially crafted POST request to the language export endpoint with a malicious Content-Length value that causes the application to read more data than a 60-byte stack buffer can hold, overwriting critical return address information. This allows the attacker to execute arbitrary code with root privileges on the affected device. The vulnerability requires valid credentials to exploit but succeeds because the binary lacks stack protection mechanisms.

  • CVE-2026-39107MEDIUM 6.3

    Kimi AI v1.0 has a cross-site scripting (XSS) vulnerability in its Preview feature. When the AI generates code and displays it in the Preview tab, the application fails to sanitize the output properly. An attacker can embed malicious JavaScript in AI-generated responses, which then executes in a user's browser with the privileges of that session. This could allow theft of session cookies, unauthorized actions on behalf of the user, or credential harvesting.

  • CVE-2026-42538MEDIUM 6.3

    IRIS is a collaborative platform designed to help incident responders coordinate during security investigations by sharing technical findings. A file validation flaw in versions before 2.4.28 allows authenticated users to upload files without proper checks. This can enable attackers to host malicious content—such as phishing pages—directly within the platform, and also introduces a Cross-Site Scripting (XSS) vulnerability that could compromise other users' sessions or steal credentials when they interact with uploaded files.

  • CVE-2026-44287MEDIUM 6.3

    FastGPT, an AI Agent building platform, contains a sandbox escape vulnerability in versions before 4.15.0-beta1. The issue stems from an incomplete regex filter designed to block dynamic imports in a JavaScript sandbox environment. An attacker with valid platform access can craft a specially formatted import statement using block comments to bypass the filter, gaining the ability to execute arbitrary system commands within the sandbox container. This allows an authenticated user to break out of the intended sandbox isolation and run code with the permissions of the sandbox process.

  • CVE-2018-25423MEDIUM 6.2

    Arm Whois version 3.11 has a buffer overflow flaw that allows local users to crash the application by entering an extremely long string into IP address or domain input fields. An attacker with local access can supply a malicious 700-byte input to trigger a denial of service, making the tool temporarily unavailable but without risking data theft or system compromise.

  • CVE-2026-0046MEDIUM 6.2

    CVE-2026-0046 is a local privilege escalation vulnerability affecting Google Android that exploits a weakness in the InputInterceptor component of Letterbox.java. An attacker can overlay malicious UI elements on top of legitimate permission prompts, tricking users into granting permissions they did not intend to approve. What makes this particularly concerning is that exploitation requires no special system privileges and occurs without user awareness—the victim merely sees what appears to be a normal permission dialog. The result is unauthorized elevation of the attacker's application privileges within the Android system.

  • CVE-2026-0055MEDIUM 6.2

    A path traversal vulnerability in Android's PackageInstallerService allows an attacker to write a Device Policy Controller (DPC) application to an unintended directory. By exploiting this flaw, an unprivileged local process can escalate its privileges without requiring user interaction or additional system permissions. The vulnerability affects multiple Android versions and could allow an attacker with local access to gain elevated capabilities on the device.

  • CVE-2019-25731MEDIUM 6.1

    Zuz Music version 2.1 has a flaw that lets anyone send malicious code through the contact form without needing to log in. When site administrators read these messages, the injected code runs in their browsers, potentially allowing attackers to steal session data, modify settings, or trick them into performing unwanted actions. This is a persistent vulnerability, meaning the malicious payload stays stored on the server and affects every admin who views the inbox.

  • CVE-2019-25737MEDIUM 6.1

    Live Chat Unlimited version 2.8.3 contains a stored cross-site scripting (XSS) vulnerability in its chat input field. An unauthenticated attacker can inject malicious JavaScript code that persists in the system and executes when administrators access the chat interface. This allows attackers to steal admin session cookies, redirect users to phishing sites, or perform unauthorized actions within the admin dashboard without requiring authentication.

  • CVE-2026-10305MEDIUM 6.1

    Samsung's rlottie animation library contains a vulnerability that allows reading data beyond the intended buffer boundaries. When processing specially crafted animation files, the library may access memory it shouldn't, potentially exposing sensitive information or causing the application to crash. The issue stems from insufficient bounds checking during buffer operations. While the vulnerability requires user interaction (opening a malicious animation file) and is limited to local access, the combination of integrity impact and high availability risk warrants prompt attention.

  • CVE-2026-10510MEDIUM 6.1

    A cross-site scripting (XSS) vulnerability exists in the GeniexWebView component of Transsion's AI Assistant Lifestyle application for Android. An attacker can craft a malicious URL containing injected JavaScript code in the web_action_data parameter, which the vulnerable WebView will execute with the same privileges as the application. This allows arbitrary JavaScript execution in the context of the app, potentially compromising user data or enabling phishing attacks. The vulnerability affects all versions of the application currently in distribution.

  • CVE-2026-10856MEDIUM 6.1

    MISP dashboard widgets contain a URL validation flaw that allows attackers to craft malicious buttons appearing to link within the application while actually redirecting users to external sites. The vulnerability stems from incomplete validation that accepts paths like '/\example.com', which browsers may normalize into scheme-relative URLs pointing to attacker-controlled domains. An attacker with dashboard configuration access can embed these crafted buttons to redirect legitimate users, creating phishing and credential-theft opportunities.

  • CVE-2026-10861MEDIUM 6.1

    MISP, a widely-used threat intelligence sharing platform, contains an open redirect vulnerability in its post-login redirect logic. When a user logs in, the application redirects them to a URL stored in the session without properly validating that the destination is actually part of the MISP application. An attacker can craft a malicious link that tricks users into visiting their legitimate MISP instance, then redirects them to an attacker-controlled website after they authenticate. This could be weaponized for phishing by appearing to come from a trusted source or to deliver malware from a domain the victim might not otherwise visit.

  • CVE-2026-10916MEDIUM 6.1

    CVE-2026-10916 is a cross-site scripting vulnerability in Google Chrome's developer tools that allows an attacker to inject malicious scripts or HTML content into a webpage. The attack requires two conditions: first, the attacker must have already compromised Chrome's renderer process (the component that executes web content), and second, the user must be tricked into visiting a specially crafted HTML page. While the initial compromise is a significant prerequisite, once achieved, this vulnerability enables the attacker to execute arbitrary code with the privileges of the browser session, potentially stealing sensitive data or performing actions on behalf of the user.

  • CVE-2026-11034MEDIUM 6.1

    Google Chrome on Android contains a vulnerability in its Tab Group Sync feature that allows attackers to inject malicious scripts or HTML into web pages. An attacker with network access can craft malicious traffic to exploit insufficient input validation, potentially displaying fake content or stealing user information from websites. This affects Chrome versions prior to 149.0.7827.53.

  • CVE-2026-1450MEDIUM 6.1

    The rognone WordPress plugin contains a reflected cross-site scripting (XSS) flaw that allows unauthenticated attackers to inject malicious scripts into web pages. The vulnerability exists in how the plugin handles the 'mode' parameter—it fails to properly sanitize user input and escape output, creating an opening for attackers to craft malicious links. If a user clicks such a link while using a site running the vulnerable plugin, the attacker's script executes in their browser with access to session data and sensitive information.

  • CVE-2026-1451MEDIUM 6.1

    The rognone plugin for WordPress contains a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript into pages viewed by unsuspecting users. An attacker could craft a malicious link containing JavaScript in the 'a' parameter and trick a user into clicking it, causing the script to execute in their browser within the context of the WordPress site. This works because the plugin fails to properly sanitize user input or escape output before displaying it. The vulnerability affects versions up to and including 0.6.2.

  • CVE-2026-20175MEDIUM 6.1

    A remote attacker can trick a user into clicking a malicious link that causes their browser to load files from an attacker-controlled location while interacting with Cisco Finesse. Because the application doesn't properly validate where those files come from, an attacker can inject malicious scripts or steal sensitive information visible in the user's active session—all without needing to authenticate first.

  • CVE-2026-20233MEDIUM 6.1

    Cisco Webex Meetings contained a cross-site scripting (XSS) vulnerability in its web interface that could allow an attacker to inject malicious scripts if a user clicked a crafted link. The vulnerability resulted from weak input validation. Cisco has already patched the service, and users do not need to take action—the fix has been deployed automatically.

  • CVE-2026-2425MEDIUM 6.1

    The hiWeb Migration Simple WordPress plugin contains a reflected cross-site scripting (XSS) vulnerability in how it handles the 'new_domain' parameter. An attacker can craft a malicious link and trick a WordPress administrator into clicking it, causing arbitrary JavaScript to execute in the admin's browser session. This could allow the attacker to steal session tokens, modify site content, or perform administrative actions on behalf of the compromised admin. The vulnerability affects all versions through 2.0.0.1.

  • CVE-2026-30586MEDIUM 6.1

    A cross-site scripting (XSS) vulnerability exists in usememos Memos version 0.26.0 that allows an attacker to inject malicious code into memo pages. When a user views a compromised memo—whether public or private—the attacker's script executes in the user's browser, potentially exposing sensitive information. The vulnerability stems from improper sanitization of user input in the memo rendering component, meaning the application fails to adequately strip or encode dangerous HTML and JavaScript before displaying memo content.

  • CVE-2026-33553MEDIUM 6.1

    Northern.tech CFEngine Enterprise contains a cross-site scripting (XSS) vulnerability in versions 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1. An attacker can inject malicious scripts that execute in the browser context of users interacting with the CFEngine Enterprise interface, potentially compromising user sessions or stealing sensitive information without requiring authentication.

  • CVE-2026-35212MEDIUM 6.1

    OpenCTI, an open-source threat intelligence platform, contains a cross-site scripting (XSS) vulnerability in how it renders email message data. An attacker can craft a malicious email observable with unsanitized content in the message body, which executes JavaScript in a victim's browser when they view it. Because threat intelligence is often shared across teams via STIX files or automated ingesters, this could be weaponized to steal session cookies at scale, potentially compromising multiple analysts' accounts. The vulnerability requires user interaction—someone must view the crafted email observable—but the attack surface is broad given how threat intelligence is typically distributed.

  • CVE-2026-36324MEDIUM 6.1

    SourceCodester Doctor Appointment System version 1.0 contains a Cross-Site Scripting (XSS) vulnerability in its user registration form. An attacker can inject malicious scripts into the registration page, which are then executed in the browsers of other users who view that registration data. This allows the attacker to steal session cookies, redirect users to phishing sites, or perform actions on behalf of legitimate users without their knowledge.

  • CVE-2026-40181MEDIUM 6.1

    React Router, a widely-used navigation library for React applications, contains an open redirect vulnerability in specific versions. When certain URLs are passed to the redirect function, the library can inadvertently send users to an external website controlled by an attacker. This happens because paths beginning with double slashes (//) are misinterpreted as protocol-relative URLs, allowing an attacker to craft a malicious URL that bypasses the intended redirect destination. The vulnerability only affects applications using the programmatic redirect function; applications built with React Router's declarative mode (using <BrowserRouter>) are not impacted. The severity of the risk depends on how thoroughly the application validates URLs before redirecting.

  • CVE-2026-40713MEDIUM 6.1

    Dell ThinOS 10 devices running versions before 2602_10.0765 have a flaw that allows someone with physical access to the device—without needing to log in—to view sensitive information stored on it. This is a medium-severity issue because it requires hands-on access to the hardware, but once someone has that access, the controls meant to protect data don't work properly.

  • CVE-2026-41569MEDIUM 6.1

    authentik, an open-source identity provider, contains a URL validation flaw in its WS-Federation provider that allows attackers to redirect users' login credentials to attacker-controlled domains. The vulnerability stems from incomplete validation of the wreply parameter—a redirect URL used after authentication. An attacker can craft a malicious login link where the wreply parameter points to a lookalike domain (for example, https://portal.example.com.evil.tld/) that bypasses the validation check, tricking users into sending their signed authentication response to the attacker instead of the legitimate application. This affects authentik versions prior to 2026.2.3.

  • CVE-2026-42253MEDIUM 6.1

    Apache ActiveMQ's web console contains a cross-site scripting (XSS) vulnerability that allows an attacker to inject malicious content into HTTP response headers. The flaw exists in how the MessageServlet handles JMS message properties—it copies them directly into HTTP headers without filtering or validation. An attacker who can craft a JMS message with specially crafted properties could inject security headers, potentially leading to session hijacking, credential theft, or malware delivery when a user views the affected web console. The vulnerability requires user interaction (a victim must view the injected content) and affects versions of ActiveMQ and ActiveMQ Web released before 5.19.7 and 6.2.6.

  • CVE-2026-42998MEDIUM 6.0

    OpenStack Keystone contains an authentication bypass vulnerability in its application credential system. An attacker with valid credentials can request a token while impersonating another user by manipulating the user identity in the authentication request. Keystone fails to validate that the requesting user owns the application credential being used, allowing the attacker to obtain a token attributed to a victim account. The token grants access only to projects shared between the attacker and victim, and only with roles that overlap between both users' permissions, but this is still sufficient for account takeover scenarios and audit trail manipulation.

  • CVE-2026-42999MEDIUM 6.0

    OpenStack Keystone contains a critical authorization bypass vulnerability that allows any authenticated user to escalate their privileges and access resources belonging to other users or projects. The vulnerability stems from a flaw in how Keystone processes policy enforcement—it blindly merges user-supplied JSON request data into the authorization check dictionary, overwriting the trusted database-sourced security context. This means an attacker can simply inject fake user IDs or project IDs into their API request to trick the system into granting them permissions they shouldn't have. The issue affects all versions before 29.0.2 and has existed since Rocky (14.0.0).

  • CVE-2026-43000MEDIUM 6.0

    An authenticated attacker with basic member-level permissions on an OpenStack Keystone project can escalate their privileges to administrator by chaining two Keystone features—application credentials and trusts—in an unintended way. The attack exploits a validation gap: when an impersonated token is created, Keystone checks the victim's stored admin role assignment in the database rather than validating against the actual permissions on the requesting token. This allows the attacker to create a trust that delegates the victim's admin privileges to themselves. The resulting admin access persists independently and can be maintained through additional credential chains, while all actions appear in audit logs under the victim's identity.

  • CVE-2026-44394MEDIUM 6.0

    OpenStack Keystone, the identity service underlying many cloud deployments, has a flaw in how it handles federated user logins through SAML2 or OpenID Connect. When a user rescopes a token (essentially asking for a new token with different permissions or projects), the system doesn't carry forward the original token's expiration time. Instead, it issues a fresh token with a standard lifetime. An attacker with valid federated credentials can exploit this by repeatedly rescoping their token just before it expires, effectively creating a token that never truly expires. This bypasses the organization's configured token lifetime policies, allowing indefinite access once initial compromise occurs.

  • CVE-2023-52951MEDIUM 5.9

    Synology Note Station Client versions before 2.2.4-703 transmit user credentials in cleartext over the network, allowing attackers positioned to intercept traffic—such as those on the same Wi-Fi network or controlling network infrastructure—to capture login credentials. This is a network-based credential theft vulnerability that does not require authentication or user interaction to exploit, though the attacker must be able to intercept the specific traffic.

  • CVE-2023-5502MEDIUM 5.9

    Arista EOS devices configured with 802.1x authentication on network access ports have a weakness that allows a malicious user to bypass the authentication requirement under specific conditions. The vulnerability exists when 802.1x is enabled on access or trunk ports and routing is enabled on the access VLAN. An attacker could potentially gain network access without providing valid authentication credentials, though exploitation requires specific network configuration and circumstances to be in place.

  • CVE-2026-0061MEDIUM 5.9

    CVE-2026-0061 is a privilege escalation vulnerability in Android's WindowState component that allows an attacker to manipulate the permission-granting UI through overlay attacks (tapjacking). By displaying a malicious overlay on top of the system permission dialog, an attacker can trick users into granting sensitive permissions without explicit awareness. The critical aspect is that this requires no special execution privileges and no user interaction in the traditional sense—the attack succeeds through visual deception rather than social engineering or code execution exploits.

  • CVE-2026-0075MEDIUM 5.9

    CVE-2026-0075 is a SQL injection vulnerability in Google Android's contact database access functions that allows local attackers to escalate privileges without needing special permissions or user interaction. An attacker with local access to an Android device can exploit this flaw to read, modify, or delete contact information and potentially gain elevated system privileges.

  • CVE-2026-10584MEDIUM 5.9

    Graph Explorer versions prior to 3.0.1 contain a flaw in their proxy server that causes HTTPS connections to silently downgrade to unencrypted HTTP when certificate files are unavailable. An attacker positioned to intercept network traffic could potentially eavesdrop on sensitive information that was intended to be transmitted securely. This is a configuration-dependent issue—the vulnerability manifests only when certificates are missing—but the silent fallback behavior makes it particularly insidious because applications may not explicitly warn users that encryption has been disabled.

  • CVE-2026-25861MEDIUM 5.9

    QloApps versions through 1.7.0 use MD5 to hash passwords, a cryptographic method that is computationally cheap to crack. The vulnerability is particularly severe because QloApps concatenates a static value (a cookie key) with user passwords before hashing, reducing the effective randomness of the hash. When guest accounts are automatically converted to customer accounts, the system assigns simple 8-character passwords, which are trivially recoverable through offline brute-force attacks. An attacker who gains access to the password database can extract user credentials without needing to interact with the application in real time.

  • CVE-2026-28116MEDIUM 5.9

    Emilia Projects Progress Planner versions 1.9.0 and earlier contain a stored cross-site scripting (XSS) vulnerability that allows authenticated administrators to inject malicious scripts into the application. When other users view affected pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or further lateral movement within the application environment.

  • CVE-2026-36610MEDIUM 5.9

    Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 transmit Dynamic DNS (DDNS) credentials using only Base64 encoding over unencrypted HTTP connections. Base64 is not encryption—it's merely encoding and can be trivially decoded by anyone observing network traffic. Because the firmware lacks TLS/SSL support entirely, an attacker positioned on the network path can intercept and recover DDNS service credentials, potentially compromising the domain name update service tied to the affected router.

  • CVE-2026-36616MEDIUM 5.9

    Mercusys AC12G (EU) V1 routers contain hardcoded credentials baked directly into the firmware. A researcher can extract a WiFi driver password, RADIUS shared secret, WPS test key, and default network password from the device's production binary. This allows someone with network access to bypass WiFi protections and potentially reach internal network resources, though the attack requires being within radio range and some technical effort to extract and use these credentials.

  • CVE-2026-41017MEDIUM 5.9

    Apache Airflow's JWT authentication middleware fails to mark session cookies as secure, exposing them to interception when the API server sits behind a TLS-terminating reverse proxy—a standard cloud architecture. An attacker on a shared network (public Wi-Fi, compromised LAN, or captive portal) can intercept an authenticated user's session token and replay it to gain API access. The vulnerability only materializes in specific deployment topologies where the reverse proxy strips HTTPS before forwarding to Airflow; teams running Airflow with end-to-end encryption or without reverse proxies are not affected. Apache Airflow 3.2.2 and later patch this issue.

  • CVE-2026-43625MEDIUM 5.9

    CodexBar versions before 0.32.0 have a vulnerability where session cookies imported from your browser can be intercepted over the network. When CodexBar redirects requests to Amp or Ollama providers, attackers positioned on your network path can capture these cookies if the redirect sends them over unencrypted HTTP. This requires the attacker to be on the network between you and the provider, but the leaked cookies could grant them access to your sessions on those services.

  • CVE-2026-10517MEDIUM 5.8

    Clair, a container image scanning tool, has a server-side request forgery (SSRF) vulnerability in its fetcher component. When processing container manifests, Clair can be tricked into making HTTP requests to attacker-controlled URLs without proper validation. An attacker who is unauthenticated can submit a malicious manifest pointing to internal services or cloud metadata endpoints, causing Clair to reach out to those targets. When the request fails, error messages leak up to 256 bytes of the response, potentially exposing sensitive information like API credentials or internal configuration. Red Hat Quay deployments that are operator-managed are automatically protected because they enable pre-shared key (PSK) authentication by default; self-managed Clair installations without PSK are at risk.

  • CVE-2026-40425MEDIUM 5.7

    A vulnerability in the Danelec MacGregor Voyage Data Recorder web interface allows an authenticated administrator to directly modify sensitive authentication-related files on the system. This could enable an attacker with admin credentials to alter the root password and gain elevated system control. While exploitation requires existing administrative access, the ability to change root credentials represents a critical privilege escalation path that should be addressed promptly.

  • CVE-2026-40989MEDIUM 5.7

    Spring Cloud Function versions across multiple release lines contain a flaw in the routing layer that can trigger infinite recursion during request handling. This recursion exhausts available memory, causing an out-of-memory (OOM) error that crashes the application. The vulnerability requires either physical access to the system or authenticated local access to exploit, which limits its immediate risk in cloud-native deployments but remains a concern for containerized environments or systems with weak internal network segmentation.

  • CVE-2026-40990MEDIUM 5.7

    A resource exhaustion flaw exists in Spring Cloud Function that allows an attacker to trigger out-of-memory (OOM) errors by registering an excessive number of functions in the Function Registry. The vulnerability requires local or adjacent network access and user interaction, making it a medium-severity concern primarily affecting development and hybrid deployment environments. Multiple versions across Spring Cloud Function 3.2 through 5.0 are vulnerable.

  • CVE-2026-41918MEDIUM 5.7

    RUGGEDCOM RST2428P industrial switches store sensitive configuration data in the web browser's cache when authenticated users make changes. An attacker with valid credentials and access to the same system could potentially retrieve this cached data, exposing sensitive operational information. The vulnerability affects all versions prior to V4.0.

  • CVE-2026-10222MEDIUM 5.6

    A vulnerability exists in NousResearch's hermes-agent software that allows attackers to inject malicious code through improper sanitization of environment variables. The flaw resides in the configuration parsing logic and can be exploited remotely, though successful exploitation requires substantial technical knowledge and effort. While a public exploit exists, the attack surface is limited by high complexity requirements. This is a medium-severity issue affecting versions up to 2026.4.30.

  • CVE-2025-48648MEDIUM 5.5

    CVE-2025-48648 is a denial-of-service vulnerability in Android's NotificationManagerService that allows a local attacker to exhaust system resources and crash the notification service. An attacker with basic user privileges can trigger this flaw without user interaction, causing persistent disruption to the device's notification functionality.

  • CVE-2025-5085MEDIUM 5.5

    The WP Nano AD plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions 1.31 and earlier. An authenticated administrator can inject malicious scripts through the 'blogrole_link' parameter that persist in the database and execute in the browsers of users who view affected pages. The vulnerability is limited to WordPress multisite installations or those with the 'unfiltered_html' capability disabled, which narrows its real-world scope but makes it critical for affected deployments.

  • CVE-2025-55664MEDIUM 5.5

    CVE-2025-55664 is a heap buffer overflow vulnerability in GPAC MP4Box version 2.4 that can be triggered when processing a specially crafted MP4 file. An attacker can exploit this by tricking a user into opening a malicious MP4 file, causing the application to crash or become unresponsive. This is a local, user-interaction-based attack that does not allow data theft or system compromise, but disrupts availability of the MP4Box tool.

  • CVE-2025-59609MEDIUM 5.5

    CVE-2025-59609 is a medium-severity information disclosure vulnerability affecting multiple Qualcomm wireless and audio chipset products. The flaw occurs when devices process Wi-Fi advertisement frames containing malformed MBSSID (Multiple BSSID) elements that are shorter than expected. An attacker with network proximity and valid credentials can craft these frames to trigger uninitialized memory access, potentially exposing sensitive data. The attack requires user interaction and specific network conditions to succeed, limiting its practical exploitability but still warranting prompt patching given the breadth of affected components.

  • CVE-2025-60481MEDIUM 5.5

    GPAC Project's MP4Box, a widely-used multimedia framework and command-line tool, contains a flaw in how it processes AC4 audio configuration data within media files. When a specially crafted AC4 file is opened, the application crashes due to a null pointer dereference—essentially trying to access memory that hasn't been properly initialized. This is a local denial-of-service vulnerability that requires user interaction (opening the malicious file) but could disrupt workflows involving media processing or transcoding pipelines.

  • CVE-2025-60483MEDIUM 5.5

    A flaw in GPAC Project/MP4Box's AC4 audio file parser can crash the application when processing a specially crafted audio file. An attacker would need to trick a user into opening a malicious AC4 file, causing the service to stop responding. This is a moderate-risk issue affecting organizations that rely on MP4Box for media processing or transcoding workflows.

  • CVE-2025-60485MEDIUM 5.5

    CVE-2025-60485 is a memory safety flaw in GPAC's MP4Box tool that causes the application to crash when processing a specially crafted MP4 media file. An attacker can exploit this by distributing a malicious MP4 that triggers the crash, disrupting service for anyone using MP4Box to process or analyze video files. The vulnerability requires local access and user interaction (opening or processing the file), so it is most relevant in environments where untrusted media files are routinely handled.

  • CVE-2025-60486MEDIUM 5.5

    A memory safety flaw in GPAC's MP4Box tool allows an attacker to crash the application by processing a specially crafted MPEG-2 video file. The vulnerability stems from improper memory management in the dasher_process function—specifically, the code attempts to access memory that has already been freed. An attacker with local file access can exploit this by distributing a malicious video file that, when opened in MP4Box, triggers the defect and renders the tool unusable. This is a denial-of-service issue rather than a path to code execution or data theft.

  • CVE-2025-60495MEDIUM 5.5

    GPAC's MP4Box, a widely-used multimedia toolkit, contains a memory safety flaw in its color information parsing logic. When MP4Box processes a specially crafted media file, the vulnerable code attempts to access memory in an unsafe manner, causing the application to crash. An attacker with the ability to supply a malicious file to a user or system running MP4Box can trigger this denial of service. This is a local impact issue—it requires user interaction to open the file—but the barrier to exploitation is low.

  • CVE-2025-70100MEDIUM 5.5

    CVE-2025-70100 is a denial-of-service vulnerability in lwext4, a lightweight ext4 filesystem library. An attacker can craft a malicious ext4 filesystem image containing a zero logical block size that crashes any application using lwext4 to mount or process the image. The library fails to validate the block size parameter before performing arithmetic operations, leading to a divide-by-zero condition. While this vulnerability cannot be exploited for data theft or system compromise, it can disrupt services that depend on lwext4 for filesystem operations, such as embedded systems, recovery tools, or specialized storage applications.

  • CVE-2025-71313MEDIUM 5.5

    A memory allocation failure in the Linux kernel's PCI endpoint driver could cause the system to crash. When the kernel tries to create a work queue for handling PCI endpoint-to-endpoint communication, it doesn't properly check whether that operation succeeded. If memory is scarce and the allocation fails, the driver continues anyway and later attempts to use the non-existent queue, triggering a NULL pointer dereference that halts the affected system. The fix is straightforward: check whether the allocation succeeded before proceeding.

  • CVE-2025-71314MEDIUM 5.5

    A vulnerability in the Linux kernel's Panthor GPU driver can cause the graphics system to hang indefinitely when memory subsystem operations fail to complete. The issue arises because the driver lacks proper recovery mechanisms for stuck cache-flush operations. When a GPU memory flush times out, the driver now schedules a reset and recovers gracefully instead of hanging. This affects systems using Panthor-based GPUs (primarily ARM Mali GPUs in certain SoCs).

  • CVE-2026-0018MEDIUM 5.5

    CVE-2026-0018 is a denial-of-service vulnerability in Android's AccessibilityManagerService that allows a local attacker with user-level privileges to crash or hang the accessibility subsystem persistently. No special permissions, code execution, or user interaction are required to trigger the flaw—an authenticated local process can simply send malformed input to designated service functions that fail to properly validate their parameters. This could degrade or disable accessibility features for affected users.

  • CVE-2026-0042MEDIUM 5.5

    CVE-2026-0042 is a resource exhaustion vulnerability in Google Android's UBSan runtime component that allows a local attacker to cause a persistent denial of service. An attacker with basic user-level access can trigger the flaw without user interaction, exhausting system resources and rendering the device unavailable. The vulnerability does not enable unauthorized access or data theft—only availability disruption.

  • CVE-2026-0043MEDIUM 5.5

    CVE-2026-0043 is a medium-severity integer overflow vulnerability in Android's UBSan runtime library that can cause a persistent denial of service and local privilege escalation. The flaw resides in multiple functions within ubsan_throwing_runtime.cpp and requires only local access to exploit—no special privileges or user interaction are needed. Once triggered, the integer overflow can exhaust system resources or corrupt memory state, denying service to the affected device or enabling an attacker to elevate their privileges locally.

  • CVE-2026-0060MEDIUM 5.5

    CVE-2026-0060 is a local denial-of-service vulnerability in Android's graphics driver management system. A local attacker with basic user privileges can trigger a persistent crash condition in the GraphicsDriverEnableAngleAsSystemDriverController component, rendering the graphics subsystem unavailable without requiring elevated permissions or user interaction. The issue stems from improper state handling in the updateState method.

  • CVE-2026-0067MEDIUM 5.5

    A logic error in Android's ubsan_throwing_runtime.cpp file can be exploited by a local attacker to permanently deny service to affected devices. The vulnerability requires only basic user-level permissions and no special interaction to trigger, making it a straightforward availability threat for any Android user or administrator managing affected deployments.

  • CVE-2026-0069MEDIUM 5.5

    CVE-2026-0069 is a resource exhaustion vulnerability in Android's signature verification code that allows a local attacker to crash the system without needing special privileges or user interaction. An attacker with basic local access can trigger excessive resource consumption in the APK checksum verification process, causing a denial of service.

  • CVE-2026-0070MEDIUM 5.5

    A flaw in Android's DevicePolicyManagerService allows a local attacker with standard user privileges to hide critical system packages through improper validation of input parameters. This creates a denial-of-service condition by making essential system components inaccessible, potentially rendering the device unstable or non-functional without requiring any special permissions or user interaction.

  • CVE-2026-0074MEDIUM 5.5

    CVE-2026-0074 is a denial-of-service vulnerability in Android's LauncherProcessImageListener component. An attacker with local system access can exhaust device resources through the getPreferredSize function, causing the launcher process to become unresponsive or crash. No special privileges or user interaction are required to trigger the flaw, making it a concern for multi-user devices and environments where untrusted code may run locally.

  • CVE-2026-0079MEDIUM 5.5

    CVE-2026-0079 is a denial-of-service vulnerability in Android's ubsan_throwing_runtime.cpp component. An integer overflow flaw allows a local attacker to crash or hang affected systems persistently without requiring elevated privileges or user interaction. The vulnerability resides in multiple functions within the runtime component responsible for undefined behavior sanitization, making it accessible to processes running with standard user permissions.

  • CVE-2026-0085MEDIUM 5.5

    A flaw in Android's contact data handling allows a local attacker to crash the system by inserting an unusually large contact name. The vulnerability exists in the DataRowHandler component, which fails to properly validate the size of contact name input before processing it. Because the attack requires only local access and no special privileges, any app on a compromised device could trigger the denial of service without user interaction.

  • CVE-2026-10688MEDIUM 5.5

    A code injection vulnerability exists in ahujasid blender-mcp, a tool used for integrating Blender with model context protocol systems. An authenticated attacker can inject and execute arbitrary code by manipulating the 'code' parameter passed to the execute_blender_code function in the server. The vulnerability has been publicly disclosed and exploit code is available. The project uses rolling releases, making it difficult to identify fixed versions; however, the maintainers have been notified but have not yet responded with a patch or mitigation guidance.

  • CVE-2026-20456MEDIUM 5.5

    A flaw in MediaTek's wireless LAN driver allows an authenticated local user to crash the system without any user interaction. The vulnerability stems from missing boundary validation in the wlan STA (Station) driver code, permitting an attacker with user-level access to send crafted input that causes an out-of-bounds write. The impact is denial of service—the device becomes unresponsive until rebooted.

  • CVE-2026-28578MEDIUM 5.5

    A flaw in Android's device policy management system allows a local attacker to cause the device to become unstable or unresponsive by exploiting improper input validation in DevicePolicyManagerService. An attacker with basic user-level access can trigger this issue without user interaction, potentially disrupting device functionality. This is a local denial-of-service vulnerability with no remote attack vector.

  • CVE-2026-46104MEDIUM 5.5

    A flaw exists in how the Linux kernel's SELinux security module accesses socket security data when multiple security modules are stacked together. The vulnerability occurs because SELinux directly reads socket security information from a hardcoded memory location, assuming it will always find its own data there. When another security module is loaded first, SELinux reads the wrong data instead, potentially using invalid security identifiers in permission checks. This can cause the kernel to crash due to invalid memory access or improper security decisions.

  • CVE-2026-46106MEDIUM 5.5

    A race condition in the Linux kernel's eventfs subsystem can cause memory corruption or system crashes when users simultaneously remount the tracefs filesystem (which hosts performance monitoring tools) while creating or deleting tracepoints. The vulnerability arises because the kernel walks through a list of event structures during remount without proper synchronization, allowing concurrent operations to corrupt data structures or access freed memory. This is a local issue affecting only users with permission to remount filesystems and modify tracing events.

  • CVE-2026-46108MEDIUM 5.5

    A flaw in the Linux kernel's IPMI serial interface (SI) driver can leave the system in an abnormal state when message allocation fails. Normally, failed operations trigger cleanup routines that reset the driver to a ready state. This vulnerability occurs because certain error paths skip that reset logic, potentially causing the driver to remain hung or unresponsive. An attacker with local system access could trigger memory allocation failures under specific conditions, degrading system availability until the driver is manually restarted or the system reboots.

  • CVE-2026-46109MEDIUM 5.5

    A memory leak exists in the Linux kernel's USB ULPI (UTMI Low Pin Interface) driver registration code. When certain initialization steps fail early in the device registration process, allocated memory is not properly freed, allowing memory to accumulate over repeated failures. This is a residual issue from a prior fix that addressed a different memory safety problem. The vulnerability requires local access and elevated privileges to trigger.

  • CVE-2026-46118MEDIUM 5.5

    A flaw in the Linux kernel's PAPR hypervisor pipe driver can cause the kernel to crash when attempting to create a device handle. The issue stems from a recent code refactoring that changed how the driver manages memory allocation and cleanup. When the driver tries to reuse a data structure after it has been cleared, the kernel attempts to access invalid memory, leading to a null pointer dereference and system panic. An unprivileged local user with ioctl access can trigger this crash, resulting in a denial of service.

  • CVE-2026-46126MEDIUM 5.5

    CVE-2026-46126 is a memory cleanup bug in the Linux kernel's RDMA/mana driver that occurs during queue pair creation with RSS (Receive Side Scaling) support. When certain operations fail during setup, the kernel fails to properly release allocated work queue objects, leaving dangling resources. An unprivileged local user can trigger this condition to cause a denial of service by exhausting kernel resources or crashing the system.

  • CVE-2026-46127MEDIUM 5.5

    A local memory safety issue exists in the Linux kernel's RDMA over Converged Ethernet (OCRDMA) driver. During certain error conditions in the protection domain setup function, the code attempts to dereference a null pointer instead of using a valid reference, potentially crashing the system. The vulnerability requires local access and specific user privileges to trigger, making it a moderate-severity issue affecting system stability rather than confidentiality or integrity.

  • CVE-2026-46128MEDIUM 5.5

    A vulnerability in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem allows local authenticated users to cause a denial of service. The issue stems from insufficient validation of event message buffer responses from Baseboard Management Controllers (BMCs). Some BMCs may return empty or malformed event messages instead of proper error responses, which the kernel fails to validate immediately. This can lead to kernel crashes or hangs when processing these invalid responses. The vulnerability requires local access and authenticated privileges to trigger, limiting its immediate blast radius but requiring attention in environments where untrusted local users have system access.

  • CVE-2026-46131MEDIUM 5.5

    A flaw exists in the Linux kernel's virtualization layer (KVM) where the hypervisor incorrectly validates guest memory operations in nested virtual machines. The vulnerability occurs when checking whether a guest is running nested virtualization—the code currently checks only whether an L2 guest exists, but fails to verify that nested EPT (Extended Page Tables) or NPT (Nested Page Tables) is actually enabled. This mismatch allows a local process running inside a nested guest to trigger denial-of-service conditions by invoking hypercalls that attempt invalid memory translations. The impact is limited to availability; an attacker cannot read or modify data.