By year

Vulnerabilities disclosed in 2026

CVEs published in 2026 with SEC.co analysis.

1014 published vulnerabilities · page 9 of 11

  • CVE-2026-46132MEDIUM 5.5

    CVE-2026-46132 is a kernel memory leak in the Linux networking subsystem that allows unprivileged local users to read up to 26 bytes of uninitialized kernel stack memory per virtual function (VF) per request. The vulnerability exists in the rtnetlink interface handler that reports virtual NIC configuration. When a user requests virtual function information, the kernel fails to zero-initialize a buffer before partially filling it with MAC broadcast data, leaving residual stack contents exposed to userspace. An attacker needs only basic local network namespace access to trigger repeated information leaks.

  • CVE-2026-46134MEDIUM 5.5

    A Linux kernel vulnerability in the Chrome OS Embedded Controller (cros_ec) Thunderbolt registration code fails to initialize a mutex lock, causing the system to crash when the uninitialized lock is later accessed. This affects devices that use the affected kernel code path during Thunderbolt device registration and mode switching. An unprivileged local user can trigger the crash by interacting with Thunderbolt/USB-C functionality, resulting in a denial of service.

  • CVE-2026-46139MEDIUM 5.5

    A flaw in the Linux kernel's SMB client code leaves a security descriptor buffer partially uninitialized when building access control lists. Specifically, a 2-byte reserved field in the ACL structure—which must be zero according to the SMB protocol specification—is left containing whatever garbage data happened to be in that heap memory. When Samba or other SMB servers validate the descriptor, they reject it if those bytes are non-zero, causing file permission operations like chmod to fail with an invalid argument error. The fix is straightforward: replace the memory allocation function with one that zeroes the buffer before use.

  • CVE-2026-46141MEDIUM 5.5

    A memory leak vulnerability exists in the Linux kernel's PowerPC XIVE interrupt handling code. When allocating MSI-X interrupt vectors for NVMe devices, the kernel creates interrupt data structures but fails to properly clean them up when the interrupt domain is freed. This occurs because the code looks for the data in the wrong place during cleanup, causing allocated memory to be abandoned. While this is a localized memory management issue, repeated device allocation and deallocation cycles could gradually consume system memory and degrade performance.

  • CVE-2026-46142MEDIUM 5.5

    A flaw in the Linux kernel's libwx network driver allows a virtual machine or container running as a non-privileged user to trigger a system hang by reading a hardware register that should only be accessible to the physical device owner. During virtual function (VF) initialization, the driver incorrectly attempts to access a restricted register (WX_CFG_PORT_ST), causing the system to hang. The issue stems from the driver not properly distinguishing between physical function (PF) and virtual function device contexts when accessing low-level hardware state.

  • CVE-2026-46143MEDIUM 5.5

    CVE-2026-46143 is a memory leak vulnerability in the Linux kernel's QCOM audio subsystem. The issue occurs in the ASoC (ALSA System on Chip) driver for QCOM Q6APM LPASS audio interfaces, where the prepare function can be invoked multiple times. Each invocation opens a new graph for the playback path without checking if one is already open, resulting in cumulative resource exhaustion. While the vulnerability requires local access and low-privilege execution context, the impact is availability disruption through memory exhaustion.

  • CVE-2026-46144MEDIUM 5.5

    A memory cleanup issue exists in the Linux kernel's RDMA/mana driver when creating RSS (Receive-Side Scaling) queue pairs. If an error occurs during queue pair creation, a virtual port steering configuration is not properly freed, leading to a resource leak. While this is a memory management issue rather than a direct data breach risk, it can degrade system stability under error conditions or be exploited to exhaust kernel memory resources on systems with RDMA/mana network adapters.

  • CVE-2026-46146MEDIUM 5.5

    A vulnerability exists in the Linux kernel's USB audio driver that could cause the system to hang indefinitely when processing a specially crafted USB device descriptor. The flaw is in the convert_chmap_v3() function, which processes audio channel mapping information without properly validating the descriptor size field. An attacker with local access could trigger this endless loop, causing a denial of service. The issue affects multiple versions of the Linux kernel and requires local access to exploit.

  • CVE-2026-46147MEDIUM 5.5

    A flaw in the Linux kernel's ARM64 KVM (virtualization) implementation can cause system resource leaks and expose partially initialized virtual CPU objects to concurrent access. When vCPU initialization encounters an error partway through, cleanup code fails to release pinned memory references, accumulating leak over time. Additionally, the vCPU object is published to shared state without proper synchronization barriers, risking observers seeing an incompletely initialized structure. This affects hypervisor deployments using ARM64-based KVM virtualization.

  • CVE-2026-46148MEDIUM 5.5

    A flaw in the Linux kernel's Microchip CoreQSPI SPI controller driver causes incorrect chip select (CS) line management when multiple SPI devices are connected. The hardware's built-in CS is automatically controlled by design, but this automatic behavior conflicts with proper operation when GPIO-based chip selects are also in use. The driver was modified to manually control the CS line instead, allowing correct behavior for both active-low and active-high devices, and preventing the built-in CS from being asserted while other GPIO-controlled devices are being accessed.

  • CVE-2026-46151MEDIUM 5.5

    A flaw in the Linux kernel's USB printer driver (usblp) allows a malicious or malfunctioning printer to leak uninitialized kernel memory to local users. When a printer responds to a device ID request with fewer bytes than claimed in its length header, the driver fails to zero out the remaining buffer before exposing it via sysfs or an ioctl. An attacker with local access could craft a printer (or intercept USB traffic) to trigger this and read sensitive kernel memory.

  • CVE-2026-46153MEDIUM 5.5

    A memory leak exists in the Linux kernel's VLAN (802.1Q) network driver. When network administrators repeatedly configure and then clear egress QoS priority mappings on VLAN interfaces, the kernel fails to properly delete the cleared mappings. Instead, it retains them as empty placeholders (tombstones) in memory. Over time, this causes memory to accumulate and leak, eventually exhausting system resources when the VLAN device is torn down. The fix involves properly deleting these cleared mappings after a safe grace period rather than leaving them in place.

  • CVE-2026-46156MEDIUM 5.5

    A flaw in the Linux kernel's Loongson GPU driver can cause a system crash when the code attempts to read from an invalid memory address during hardware initialization. The vulnerability occurs in the `loongson_gpu_fixup_dma_hang()` function, which uses incorrect logic to identify and configure GPU devices on certain Loongarch-based systems. When a discrete GPU is present in a non-standard PCI slot configuration, the driver may try to access memory at a random address, triggering a kernel panic. This is a local issue that requires prior system access and affects the stability and availability of affected systems.

  • CVE-2026-46158MEDIUM 5.5

    CVE-2026-46158 is a resource leak in the Linux kernel's MPTCP (Multipath TCP) protocol implementation. When the kernel retransmits an ADD_ADDR control message, it fails to properly release a reference to a socket object in certain error paths, allowing the socket's memory to remain allocated longer than necessary. This leak occurs only when specific unlikely conditions are met during ADD_ADDR retransmission, making it a localized but real availability concern on systems handling MPTCP traffic.

  • CVE-2026-46160MEDIUM 5.5

    A flaw in the Linux kernel's Btrfs filesystem can corrupt the transaction log during recovery if a directory is removed while a process still holds an open file descriptor to it and performs an fsync operation. When the system crashes after this sequence, the filesystem becomes inconsistent and fails to mount, resulting in data loss or extended downtime. This is a local issue requiring user-level access and specific conditions to trigger.

  • CVE-2026-46161MEDIUM 5.5

    A divide-by-zero vulnerability exists in the Linux kernel's RAID10 disk management code. When a user configures RAID10 with a "far_copies" value of zero, the kernel crashes instead of rejecting the invalid configuration. This requires local access and root-level privileges to trigger, making it a local denial-of-service risk rather than a remote compromise threat.

  • CVE-2026-46165MEDIUM 5.5

    A self-deadlock vulnerability exists in the Linux kernel's Open vSwitch module when tunnel ports are released. The issue occurs because the code attempts to clean up network device references while holding locks that prevent the cleanup from completing, causing the system to hang during tunnel port deletion. This is a local denial-of-service condition that affects systems running vulnerable kernel versions with Open vSwitch configured.

  • CVE-2026-46167MEDIUM 5.5

    A flaw in the Linux kernel's USB printer driver (usblp) allows uninitialized kernel memory to leak to user-space applications through the LPGETSTATUS ioctl command. When a USB printer responds with fewer bytes than expected, the driver fails to initialize the response buffer properly, potentially exposing stale heap memory to callers. This can occur even with standard-behaving printers; the vulnerability is particularly concerning in multi-user environments where one user's application could inadvertently receive residual kernel memory from prior operations.

  • CVE-2026-46168MEDIUM 5.5

    A vulnerability in the Linux kernel's multipath TCP (MPTCP) implementation allows a local attacker with standard user privileges to trigger a denial-of-service condition. The issue stems from improper locking during socket option handling for timestamps. When the kernel attempts to set timestamp options, it uses a fast atomic lock that cannot safely call functions designed to sleep, resulting in a kernel panic. An unprivileged user can exploit this by making specific socket option calls, causing the system to crash or become unresponsive.

  • CVE-2026-46169MEDIUM 5.5

    CVE-2026-46169 is a memory initialization bug in the Linux kernel's HFS+ filesystem driver. When mounting a corrupted HFS+ filesystem, the kernel may read incomplete catalog records and fail to detect that the data is truncated. This leaves portions of a kernel data structure uninitialized. Later, when the filesystem code attempts to process the incomplete record—such as performing case-insensitive string comparison—it uses the uninitialized memory as array indices, triggering a kernel warning. An unprivileged local attacker with the ability to mount a crafted filesystem image could trigger this condition, potentially causing a denial of service or information disclosure.

  • CVE-2026-46170MEDIUM 5.5

    A flaw in the Linux kernel's MPTCP (Multipath TCP) path manager can cause a denial of service when certain network protocol messages are retransmitted. Specifically, when an ADD_ADDR message is resent, the kernel may mismanage internal reference counting for a socket object, potentially leading to a deadlock or crash. An unprivileged local user can trigger this condition, causing the affected system to become unresponsive.

  • CVE-2018-25384MEDIUM 5.4

    Wikidforum 2.20 has a stored cross-site scripting (XSS) flaw that lets authenticated users inject malicious JavaScript into forum replies. When other users view those compromised posts through the rpc.php endpoint, the injected code executes in their browsers, potentially stealing session cookies, redirecting to phishing pages, or performing unauthorized actions on their behalf.

  • CVE-2019-25739MEDIUM 5.4

    GigToDo version 1.3 is vulnerable to a stored cross-site scripting (XSS) attack. An authenticated user can inject malicious JavaScript or HTML code into a proposal description field. When other users—particularly administrators—view that proposal, the attacker's code executes in their browser, potentially stealing session cookies or redirecting them to malicious sites. The vulnerability requires an attacker to already have valid login credentials, but the impact affects anyone who later views the compromised proposal.

  • CVE-2019-25742MEDIUM 5.4

    The Zoner Real Estate WordPress theme version 4.1.1 has a stored cross-site scripting (XSS) flaw in its property creation form. Authenticated real estate agents can inject malicious JavaScript into the property's address field, and that script will execute when site administrators review the property for approval. This could allow attackers to steal admin session cookies or hijack their accounts.

  • CVE-2019-25743MEDIUM 5.4

    WordPress Soliloquy Lite version 2.5.6 contains a stored cross-site scripting (XSS) vulnerability in its post editing functionality. An authenticated attacker can inject malicious JavaScript code into a post's title field, which persists in the WordPress database. When other users—particularly administrators or editors—preview that post, the injected script executes in their browser, potentially compromising their session or enabling further attacks. The vulnerability requires an attacker to have valid WordPress credentials but does not require tricking users into clicking malicious links, making it a genuine persistence risk in multi-user WordPress environments.

  • CVE-2019-25744MEDIUM 5.4

    WordPress Popup Builder version 3.49 contains a stored cross-site scripting (XSS) flaw that allows authenticated users to inject malicious JavaScript into posts or pages. An attacker with WordPress login credentials can craft a specially formatted post title containing script code that breaks out of HTML option tags, causing the malicious script to execute in the browsers of site visitors viewing popup selections. This is a persistence vulnerability—the injected code remains in the database and executes repeatedly.

  • CVE-2026-10213MEDIUM 5.4

    AstrBot version 4.23.6 contains a path traversal vulnerability in its API endpoint that handles skill deletion. An authenticated attacker can manipulate the Name parameter to traverse the file system and read or modify files outside the intended directory structure. The vulnerability is network-accessible and does not require user interaction beyond the attacker having valid credentials. Public exploit code is available, increasing the risk of active exploitation.

  • CVE-2026-10218MEDIUM 5.4

    A security flaw exists in nextlevelbuilder GoClaw versions up to 3.11.3 that allows authenticated users to perform actions they shouldn't be authorized to perform. The vulnerability resides in the authentication logic of the application and can be exploited remotely by someone with valid login credentials. Because the flaw has been publicly disclosed, there's elevated risk that attackers may attempt to exploit it.

  • CVE-2026-10284MEDIUM 5.4

    A security flaw in DevaslanPHP project-management versions up to 2.0.0-beta1 allows authenticated users to bypass authorization controls when editing or deleting comments in ticket management workflows. An attacker with login credentials can manipulate comment-related functions to perform actions they shouldn't be authorized to perform, such as deleting or modifying comments belonging to other users. The issue resides in the Livewire handler component and can be exploited remotely without requiring additional user interaction.

  • CVE-2026-10285MEDIUM 5.4

    DevaslanPHP project-management versions up to 2.0.0-beta1 contain an authorization flaw in the ticket handler component. An authenticated user can manipulate ticket records in ways they should not be permitted to perform, potentially modifying or deleting ticket data without proper access controls. The vulnerability requires an existing login but can be exploited remotely over the network.

  • CVE-2026-10984MEDIUM 5.4

    Google Chrome on Android contains a flaw in how it handles accessibility features that allows attackers to trick users with a fake interface. By hosting a malicious webpage, an attacker can make Chrome display misleading or fraudulent content that mimics legitimate UI elements, potentially deceiving users into performing unintended actions. The vulnerability requires user interaction—specifically, a user must visit the crafted page—but does not require special privileges or complex setup.

  • CVE-2026-24754MEDIUM 5.4

    Kiteworks, a private data network platform used for secure file sharing and collaboration, contains a stored cross-site scripting (XSS) vulnerability in its Secure Data Forms feature. An authenticated user with legitimate access could craft malicious input that persists in the application and executes in other users' browsers when they view the affected form. This allows the attacker to steal session tokens, perform actions on behalf of victims, or harvest sensitive data passing through their sessions. The vulnerability requires prior authentication and user interaction (clicking a link or viewing a page), limiting but not eliminating its risk. Kiteworks versions before 9.3.0 are affected; upgrading resolves the issue.

  • CVE-2026-24755MEDIUM 5.4

    Kiteworks, a platform for secure data sharing and management, contains a flaw in its Secure Data Forms feature that allows logged-in users to change permissions on files and folders belonging to other users. The vulnerability stems from the system not properly verifying whether a user actually owns or has authority over a resource before allowing permission changes. An attacker with valid credentials could exploit this to gain access to, or revoke access from, other users' sensitive data without authorization.

  • CVE-2026-26378MEDIUM 5.4

    Koha, an open-source library management system, contains a cross-site scripting (XSS) vulnerability in its Invoice feature file upload functionality. An authenticated attacker can craft a malicious file upload that executes arbitrary code in the browsers of users who interact with the uploaded invoice. The vulnerability affects Koha version 25.11 and earlier. Exploitation requires an attacker to have valid library system credentials and user interaction—typically a staff member viewing or processing the invoice.

  • CVE-2026-27351MEDIUM 5.4

    Sekander Badsha Crew HRM contains a missing authorization vulnerability that allows authenticated users to perform actions they should not be permitted to perform due to incorrectly configured access controls. An attacker with valid login credentials can exploit weak permission checks to modify data or disrupt availability, even if their role should restrict such access.

  • CVE-2026-33244MEDIUM 5.4

    React Router versions 7.5.1 through 7.13.1 contain a cross-site scripting (XSS) vulnerability when used in Framework Mode with pre-rendering. If your application redirects users to untrusted URLs and generates static HTML files during build time, attackers can inject malicious scripts into those pre-rendered pages. This vulnerability does not affect applications using the more common Declarative Mode or Data Mode routing approaches. The issue has been fixed in version 7.13.2.

  • CVE-2026-34460MEDIUM 5.4

    NamelessMC, a website platform for Minecraft servers, contains a vulnerability in how it handles OAuth authentication callbacks. When a user logs in via OAuth (a third-party authentication method), the application fails to verify a security token called a 'state parameter' before accepting the login. An attacker can exploit this by crafting a malicious link that tricks a victim into logging in with the attacker's own account credentials. Once clicked, the victim's session becomes authenticated as the attacker, potentially granting unauthorized access to the victim's account on that NamelessMC instance. The vulnerability affects NamelessMC versions 2.2.4 and earlier.

  • CVE-2026-34507MEDIUM 5.4

    OpenClaw versions before 2026.4.29 contain a flaw that allows authenticated users to bypass security policies protecting sensitive admin commands. Specifically, attackers can circumvent message delivery restrictions (DM-only policy) and sender authorization checks (allowFrom policy), enabling them to execute administrative functions from contexts or senders that should be blocked. The vulnerability requires an attacker to already have authentication credentials, limiting its blast radius but creating insider risk and account compromise scenarios.

  • CVE-2026-40930MEDIUM 5.4

    A parsing flaw in libpng 1.8.0's APNG (Animated PNG) handler can cause specially crafted image data to be misinterpreted. When the parser encounters certain frame chunks in an APNG file, it clears internal state flags but fails to skip over the actual chunk data and checksum. On the next data processing call, bytes from the ignored chunk can masquerade as a new chunk header, potentially leading to integrity violations or denial of service. An attacker needs user interaction—typically opening a malicious PNG file—to trigger the issue.

  • CVE-2026-42547MEDIUM 5.4

    IRIS, a web platform used by incident response teams to collaborate and share investigation details, contains an authorization flaw in versions before 2.4.28 that allows users to create alerts falsely attributed to customers they don't manage. When combined with cross-site scripting vulnerabilities, attackers can also steal alerts belonging to other customers. This means a low-privileged user could pollute another team's alert stream with fraudulent incidents or harvest sensitive investigation data.

  • CVE-2026-42951MEDIUM 5.4

    A vulnerability in Danelec MacGregor Voyage Data Recorder (VDR) devices allows authenticated users to download a complete backup file that exposes sensitive account credentials and password hashes. While an attacker must already have valid user credentials to exploit this issue, successful exploitation grants access to password material that could enable lateral movement or privilege escalation within maritime network environments. The vulnerability is classified as medium severity due to the authentication requirement, though the disclosure of password hashes represents a meaningful step toward further compromise.

  • CVE-2018-25387MEDIUM 5.3

    HaPe PKH 1.1 contains a cross-site request forgery (CSRF) vulnerability that enables attackers to change administrator passwords without needing to log in. An attacker can trick an authenticated administrator into visiting a malicious website or clicking a crafted link, which silently submits a forged request to modify admin credentials. This allows complete account takeover of administrative users.

  • CVE-2018-25397MEDIUM 5.3

    PHP-SHOP 1.0 is vulnerable to cross-site request forgery (CSRF), a class of attack where malicious actors craft hidden web forms designed to trick authenticated administrators into unknowingly adding new admin accounts. An attacker creates a deceptive webpage containing a concealed form that automatically submits admin account creation requests when an authenticated admin visits the page. This allows the attacker to gain administrative control without needing the victim's credentials.

  • CVE-2018-25435MEDIUM 5.3

    ZeusCart 4.0 is vulnerable to a cross-site request forgery (CSRF) attack that allows an attacker to trick administrators into unknowingly deactivating customer accounts. By crafting a malicious webpage or email link, an attacker can force an admin to submit a request that disables customer access without their knowledge or consent. The attack requires only that an administrator visit an attacker-controlled page while logged into their ZeusCart admin panel.

  • CVE-2024-27891MEDIUM 5.3

    Arista EOS devices that simultaneously use MACsec (a security protocol encrypting layer 2 traffic) and egress Access Control Lists (ACLs) on the same network interfaces may fail to enforce the intended ACL policies on outgoing traffic. This means packets that should be blocked by policy could be allowed to leave the device, or conversely, traffic that should be permitted might be incorrectly denied—effectively breaking the network's egress filtering controls.

  • CVE-2025-12714MEDIUM 5.3

    A widely used WordPress SEO plugin has a security hole that allows anyone on the internet—even without a WordPress account—to change critical SEO settings and site metadata. An attacker could modify your site's homepage title, meta descriptions, breadcrumb labels, and social media preview information without permission. This creates two problems: it can tank your search engine rankings, and it opens the door to injecting malicious content that visitors see across your site.

  • CVE-2025-53302MEDIUM 5.3

    CVE-2025-53302 is a missing authorization vulnerability in Anton Shevchuk's Constructor framework that allows unauthenticated attackers to access functionality that should be restricted by access control rules. An attacker can reach protected features without proper credentials or permissions, potentially exposing sensitive operations or data. The vulnerability affects Constructor versions up to and including 1.6.5.

  • CVE-2026-10075MEDIUM 5.3

    DreamMaker, a product from Interinfo, contains a path traversal flaw that lets unauthenticated attackers list or read filenames from any directory on the affected system without requiring authentication or user interaction. An attacker can craft requests using absolute path manipulation to traverse the filesystem and discover file structures that should remain hidden. While this does not allow direct file content theft or system modification, it exposes the directory layout and naming conventions, which can aid reconnaissance in a broader attack chain.

  • CVE-2026-10200MEDIUM 5.3

    Assimp, a popular open-source 3D model import library, contains a heap-based buffer overflow vulnerability in its glTF file format parser. An attacker with local access to a system can craft a malicious glTF file with a specially crafted 4x4 matrix to overflow memory and trigger a crash, information disclosure, or potential code execution. The vulnerability affects Assimp versions up to 6.0.4 and has been publicly disclosed.

  • CVE-2026-10224MEDIUM 5.3

    A vulnerability in NousResearch's hermes-agent allows an attacker to consume resources on a server by sending specially crafted requests to a webhook endpoint. The vulnerability affects versions up to 2026.4.30 and can be triggered remotely without authentication. While the technical complexity is low, the impact is limited to availability rather than data breach or system compromise. Public exploit information exists, though NousResearch has not responded to early vendor disclosure attempts.

  • CVE-2026-10229MEDIUM 5.3

    Assimp, a widely-used 3D model import library, contains a heap-based buffer overflow in its Half-Life 1 MDL file loader. An attacker with local system access can craft a malicious .MDL file that, when processed by an application using vulnerable Assimp versions up to 6.0.4, triggers memory corruption. This could lead to information disclosure, data corruption, or process crash. The vulnerability requires local execution and has been publicly disclosed.

  • CVE-2026-10230MEDIUM 5.3

    Assimp, a popular open-source 3D model import library, contains a heap buffer overflow vulnerability in its Half-Life 1 MDL file loader. The vulnerability exists in the animation-reading function and can be triggered by a malicious or crafted MDL file. An attacker with local access can exploit this to read sensitive memory, modify data, or crash the application. The vulnerability affects Assimp versions up to 6.0.4.

  • CVE-2026-10231MEDIUM 5.3

    Assimp, a popular open-source 3D model importing library, contains a heap buffer overflow vulnerability in its Half-Life 1 MDL file loader. By crafting a malicious MDL file that manipulates the animation value counter, an attacker with local system access can trigger memory corruption. This flaw requires the attacker to be already present on the system and execute code that processes a specially crafted model file, making it a local-origin threat rather than a remote network attack.

  • CVE-2026-10232MEDIUM 5.3

    CVE-2026-10232 is a use-after-free vulnerability in Assimp, an open-source 3D model import library, affecting versions up to 6.0.4. The flaw exists in the ASE file parser component and can be triggered by a local attacker with user-level privileges when processing specially crafted ASE (ASCII Scene Export) files. Exploitation could allow an attacker to read sensitive data, modify application state, or crash the process. Because exploitation requires local access and user permissions, the risk is primarily relevant in multi-user systems or scenarios where untrusted ASE files are processed by privileged applications.

  • CVE-2026-10254MEDIUM 5.3

    SourceCodester Pet Grooming Management Software version 1.0 contains a vulnerability that exposes file and directory information to unauthenticated remote attackers. An unknown function in the /admin/ path fails to properly restrict access to sensitive filesystem metadata, allowing adversaries to enumerate files and directories without authentication. While this does not permit direct modification or service disruption, the information disclosure can serve as reconnaissance for subsequent targeted attacks. Public exploit code is available.

  • CVE-2026-10255MEDIUM 5.3

    A remote access control weakness exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An unauthenticated attacker can exploit the sell_statement function in the application's form controller to bypass authorization checks and gain unauthorized read access to sensitive pharmacy data. The vulnerability requires no special interaction from users and can be triggered over the network. Because exploit code has already been publicly disclosed, active exploitation risk is elevated.

  • CVE-2026-10548MEDIUM 5.3

    NousResearch's hermes-agent contains a flaw in how it synchronizes Anthropic API credentials from local credential files. An attacker with local access can exploit this to bypass authentication controls, potentially gaining unauthorized access to Anthropic services or resources protected by those credentials. The vulnerability affects versions up to 2026.4.23, and exploit code has already been made public, increasing the practical risk.

  • CVE-2026-10566MEDIUM 5.3

    A vulnerability exists in FoundationAgents MetaGPT versions up to 0.8.2 that allows local attackers with user-level privileges to trigger unsafe deserialization through manipulation of function arguments in the Message.check_instruct_content handler. An attacker with local access and basic user permissions can exploit this to potentially read, modify, or disrupt system operations. Public exploit code is available, increasing near-term risk for organizations running affected versions.

  • CVE-2026-10597MEDIUM 5.3

    OMICARD EDM, a product developed by ITPison, contains a vulnerability that allows attackers without credentials to access user email addresses by manipulating a specific parameter in a web request. No authentication is required, making this a direct and accessible attack surface. While the vulnerability does not allow attackers to modify data or disrupt service, the unauthorized disclosure of email addresses poses a clear privacy and information-gathering risk.

  • CVE-2026-10650MEDIUM 5.3

    A flaw in libwebsockets (a widely-used WebSocket and networking library) allows attackers to exhaust server resources by manipulating a specific message length parameter in the SSH protocol handler. The vulnerability requires network access but no authentication, and an exploit has already been published. This is a denial-of-service issue that can make affected systems unresponsive without compromising data confidentiality or integrity.

  • CVE-2026-11004MEDIUM 5.3

    CVE-2026-11004 is a memory disclosure vulnerability in Google Chrome's ANGLE graphics library. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read sensitive data from the browser's memory. While this requires prior compromise of the renderer, the ability to extract potentially sensitive information makes it a meaningful security concern for organizations running Chrome.

  • CVE-2026-11005MEDIUM 5.3

    A flaw in ANGLE, the graphics abstraction layer used by Google Chrome on Windows, allows a remote attacker to read sensitive data from Chrome's renderer process memory. The attacker must first compromise the renderer process and trick a user into visiting a malicious webpage. Once those conditions are met, the attacker can extract potentially sensitive information from memory that they shouldn't have access to. This is an out-of-bounds read vulnerability—the code accesses memory locations it wasn't intended to reach.

  • CVE-2026-2128MEDIUM 5.3

    The Breeze WordPress plugin through version 2.5.2 contains a flaw that allows attackers to view content meant only for administrators. When the "Cache Logged-in Users" feature is enabled, the plugin trusts cookie information without properly verifying it belongs to a real, authenticated user. An attacker can craft a fake cookie claiming to be an administrator, and the plugin will serve them the cached pages generated for that admin—exposing private posts, administrative controls, security tokens, and other sensitive data. No authentication or special privileges are required to attempt this attack.

  • CVE-2026-26825MEDIUM 5.3

    A use-of-uninitialized memory vulnerability in libxls 1.6.3 allows attackers to craft malformed XLS files that trigger memory safety issues during file parsing. When the library processes these files, uninitialized heap memory from the OLE (Object Linking and Embedding) layer may be read, leading to unpredictable behavior, incorrect file interpretation, or disclosure of sensitive data from memory. This does not require authentication and affects any application using the vulnerable library to open untrusted XLS files.

  • CVE-2026-33463MEDIUM 5.3

    Kibana contains a flaw where access tokens that should expire at a specific time continue to work indefinitely. An attacker who obtains one of these tokens—even after it should have stopped being valid—can use it to read sensitive information they shouldn't have access to. The vulnerability stems from improper validation of token expiration times, allowing the system to forget when a token was supposed to stop working.

  • CVE-2026-38978MEDIUM 5.3

    Transmission, a popular BitTorrent application, contains a clickjacking vulnerability affecting versions up to and including 4.1.1. The flaw allows an attacker to trick users into performing unintended actions through the application's web interface or RPC (remote procedure call) endpoints by overlaying malicious content on top of legitimate interface elements. This requires user interaction but does not require the attacker to be authenticated or have any special privileges to exploit.

  • CVE-2026-40898MEDIUM 5.3

    quic-go, a Go-based QUIC protocol library, contains a denial-of-service flaw in its HTTP/3 implementation that allows remote attackers to exhaust server and client memory by sending malicious HTTP trailer fields. The vulnerability stems from inadequate validation of decoded trailer sizes—the library checks the compressed frame size but fails to enforce limits on the decompressed result. An attacker can craft QPACK-encoded headers with numerous unique field names or oversized values in the trailer section, forcing unbounded memory allocation and potentially crashing affected services.

  • CVE-2026-41150MEDIUM 5.3

    Mermaid, a popular JavaScript library for creating diagrams from text, contains a denial-of-service vulnerability in versions before 10.9.6 and 11.15.0. The flaw occurs when rendering Gantt charts that use the excludes attribute to block out all dates. An attacker can craft a malicious diagram that, when processed and rendered, causes the application to hang or consume excessive resources, disrupting service availability. The vulnerability only manifests during actual diagram rendering; simply parsing the diagram syntax does not trigger the issue unless the ganttDb.getTasks() function is subsequently called.

  • CVE-2026-41159MEDIUM 5.3

    Mermaid, a popular JavaScript library for creating diagrams from text, contains a CSS injection vulnerability in its configuration options. Attackers can inject malicious CSS through the fontFamily, themeCSS, and altFontFamily settings that breaks out of the intended diagram sandbox and affects the entire web page. This could enable page defacement or extraction of sensitive information through CSS selectors. The vulnerability affects versions before 10.9.6 and 11.15.0, and has been patched in those releases.

  • CVE-2026-41178MEDIUM 5.3

    OpenTelemetry-Go versions 1.41.0 and 1.43.0 contain a denial-of-service vulnerability in their baggage header parsing logic. The removal of size validation allows attackers to send oversized or malformed baggage headers that cause the application to process arbitrarily large inputs, log excessive errors, and potentially exhaust system resources. This is a network-accessible vulnerability requiring no authentication, making it exploitable by any remote actor.

  • CVE-2026-41207MEDIUM 5.3

    A vulnerability exists in Netty's binary HTTP parser (netty-incubator-codec-ohttp) where cryptographic key generation can fail silently and default to all-zero keys without raising an error. This occurs in the HKDF_expand and EVP_HPKE_CTX_export functions, which are supposed to generate random key material for encrypting HTTP responses. Instead of signaling failure, these functions return zero-filled byte arrays that are indistinguishable from legitimate keys. An attacker who understands this behavior could predict the encryption keys and decrypt sensitive response data, compromising the confidentiality of encrypted messages. The issue was resolved in version 0.0.21.Final.

  • CVE-2026-42500MEDIUM 5.3

    CVE-2026-42500 is a denial-of-service vulnerability triggered when software attempts to decode a specially crafted BMP image file with palette colors that reference invalid color table entries. The flaw causes the application to crash rather than handle the malformed data gracefully. An attacker can exploit this by distributing or hosting a malicious BMP file that, when opened or processed, crashes the affected application.

  • CVE-2026-42507MEDIUM 5.3

    CVE-2026-42507 is a moderate security issue affecting Go's net/textproto package where error messages can inadvertently expose or reflect user-supplied input. An attacker could craft malicious input that, when an error occurs, gets embedded into the error message itself. If those messages are logged, displayed to users, or forwarded to monitoring systems, the attacker's injected content appears as legitimate system output. This creates an integrity risk by allowing misleading information to be introduced into logs and alerts.

  • CVE-2025-60477MEDIUM 5.0

    CVE-2025-60477 is a crash vulnerability in GPAC's MP4Box multimedia processing tool. A specially crafted file can trigger a program crash when processed by a local or authenticated user, disrupting media encoding and processing workflows. The vulnerability does not leak data or enable privilege escalation, but it can be weaponized to interrupt legitimate operations or degrade service availability.

  • CVE-2026-10010MEDIUM 5.0

    Google Chrome on Android versions prior to 148.0.7778.216 contain a vulnerability in input handling that allows an attacker who has already compromised Chrome's renderer process to bypass site isolation protections through a specially crafted HTML page. Site isolation is a critical Chrome security boundary designed to keep sensitive data from different websites separate in memory. This flaw undermines that protection, though it requires the attacker to have already gained code execution within the browser engine itself.

  • CVE-2026-10275MEDIUM 5.0

    A buffer overflow vulnerability exists in OpenSC versions up to 0.26.1 within the pkcs11-tool component's key generation functionality. The flaw allows an attacker to overflow a buffer during certificate writing operations, potentially enabling remote code execution or data corruption. Exploitation requires user interaction and specific conditions, making it moderately difficult to weaponize, though a proof-of-concept has already been disclosed.

  • CVE-2026-10533MEDIUM 5.0

    A vulnerability in OpenShift Container Platform allows non-privileged users to circumvent resource quota enforcement by creating pods with a never-restart policy. These pods and their associated Kubernetes events are not counted against quota limits, enabling an attacker to flood the cluster's event database (etcd) with activity. The resulting accumulation degrades API server performance across the entire cluster, affecting all users and workloads.

  • CVE-2026-43979MEDIUM 5.0

    Local Deep Research versions before 1.6.0 contain a vulnerability where user-supplied search queries and metadata are inserted directly into HTML without proper escaping before being converted to PDF. An authenticated user can inject HTML tags that trick the server into making unauthorized web requests (SSRF), bypassing existing security controls. The vulnerability requires valid credentials but poses moderate risk due to potential confidentiality impact.

  • CVE-2026-10039MEDIUM 4.9

    The Frontend Admin plugin for WordPress contains a SQL injection vulnerability that allows authenticated administrators to extract sensitive data from the website's database. The flaw exists in how the plugin processes the 'order' parameter—it fails to properly escape user input before inserting it into database queries. An attacker with administrator privileges can craft a malicious request containing both 'order' and 'orderby' parameters to inject additional SQL commands and retrieve unauthorized information. This vulnerability affects all versions up to and including 3.28.28.

  • CVE-2026-10074MEDIUM 4.9

    DreamMaker, a product developed by Interinfo, contains a vulnerability that allows authenticated administrators or privileged users with local access to read arbitrary files from the system. An attacker with elevated privileges can exploit a path traversal flaw to access sensitive system files they shouldn't normally be able to retrieve, potentially exposing configuration data, credentials, or other protected information.

  • CVE-2026-41412MEDIUM 4.9

    alf.io is an open-source ticketing platform used by conferences and events to manage reservations. The vulnerability lies in how alf.io sandboxes custom extensions (plugins) that users can write to extend functionality. The sandbox was designed to safely run untrusted extension code, but it failed to protect file access. Specifically, extensions have access to an HTTP client tool that includes a method for uploading files. This method does not validate or restrict which files can be read—a malicious extension can read any file that the alf.io application has permission to access on the server, then send that file's contents to an attacker's server. An attacker would need to either write a malicious extension or trick an administrator into installing one, but once active, the extension can quietly exfiltrate sensitive data like configuration files, database credentials, or user records.

  • CVE-2026-10057MEDIUM 4.8

    ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with elevated privileges to inject malicious JavaScript code into the application. Once injected, this code persists in the system and executes automatically whenever other users load affected pages in their browsers. This is distinct from reflected XSS because the payload remains embedded in the application, posing a sustained risk to all users who access the compromised content.

  • CVE-2026-10058MEDIUM 4.8

    ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) flaw that lets high-privilege attackers inject malicious JavaScript into the system. When other users load affected pages, that injected code runs in their browsers automatically. This is a persistence threat—the malicious script stays in the system until removed, affecting anyone who accesses the compromised page.

  • CVE-2026-34127MEDIUM 4.8

    A stored cross-site scripting (XSS) vulnerability exists in TP-Link's TL-SG108PE v5 managed switch web interface. When an administrator imports a configuration file containing malicious code in the SYSNAM parameter, that code is stored without proper sanitization. The next time an administrator accesses the web management interface, the injected script executes in their browser. This could allow an attacker (who must already have administrator credentials) to steal session cookies, modify switch settings, or extract sensitive information from the management interface.

  • CVE-2026-36460MEDIUM 4.8

    Dovestones Software's ADPhonebook application before version 4.0.1.1 contains a Cross-Site Scripting (XSS) vulnerability in its administrative configuration API. An authenticated administrator can inject malicious JavaScript code into various system configuration sections, which is then stored and executed in the browsers of other users who access those settings. This requires both admin privileges and user interaction (a victim must view the affected configuration), limiting but not eliminating the risk.

  • CVE-2026-10070MEDIUM 4.7

    A flaw in macrozheng mall versions up to 1.0.3 allows an authenticated administrator with high privileges to bypass authorization controls on the super admin password update endpoint. An attacker with admin credentials could manipulate requests to the /admin/update/ path and gain unauthorized access to sensitive administrative functions. The vulnerability requires valid admin-level authentication and cannot be exploited anonymously from the network.

  • CVE-2026-10155MEDIUM 4.7

    A SQL injection vulnerability exists in Bdtask Multi-Store Inventory Management System version 1.0 within the Accounts Report Handler. An authenticated attacker can manipulate the 'dtpToDate' parameter in the accounts report search function to inject malicious SQL commands. While the vulnerability requires high privileges to exploit, successful attacks could leak sensitive financial data, modify account records, or disrupt reporting functionality. Public exploit code is available, increasing real-world risk.

  • CVE-2026-10171MEDIUM 4.7

    A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows authenticated administrators to manipulate the ID parameter in the album update functionality. An attacker with admin credentials can inject malicious SQL commands through the /Administrator/PHP/AdminUpdateAlbum.php endpoint, potentially compromising database integrity and confidentiality. The vulnerability has been publicly disclosed and exploit code is available, increasing the likelihood of active exploitation.

  • CVE-2026-10237MEDIUM 4.7

    A SQL injection vulnerability was identified in SourceCodester Water Billing Management System version 1.0. An authenticated administrator can manipulate the ID parameter in the user management interface to inject malicious SQL commands, potentially reading or modifying sensitive database records. The vulnerability requires administrative privileges to exploit but poses a risk to data integrity and confidentiality within billing systems. Public proof-of-concept code exists, elevating the practical risk of exploitation.

  • CVE-2026-10248MEDIUM 4.7

    SourceCodester's Pharmacy Sales and Inventory System version 1.0 and earlier contains a CSV injection vulnerability in its supplier creation interface. An authenticated attacker with high privileges can inject malicious CSV formulas through the Address or Company Name fields when exporting supplier data, potentially causing data corruption, formula execution, or information disclosure when a user opens the exported file in a spreadsheet application.

  • CVE-2026-10583MEDIUM 4.7

    A server-side request forgery (SSRF) vulnerability exists in nextlevelbuilder GoClaw versions up to 3.11.3. The flaw is located in the TTS Configuration Endpoint's Import function, which fails to properly validate or restrict outbound HTTP requests. An authenticated attacker with high privileges can exploit this to make the affected server initiate requests to internal or external systems on their behalf, potentially accessing sensitive internal resources or launching further attacks. The vulnerability has been publicly disclosed.

  • CVE-2026-42329MEDIUM 4.7

    Iris, a web platform used by incident responders to collaborate and share technical details during security investigations, contains an open redirect vulnerability in versions before 2.4.28. An attacker can craft a malicious link within the application that tricks users into visiting an external website under the attacker's control. This is a social engineering risk rather than a direct system compromise—the attack depends on user interaction and targets the trust users place in links shared within their incident response platform.

  • CVE-2026-46159MEDIUM 4.7

    A race condition in the Linux kernel's btrfs filesystem driver can leak uninitialized kernel memory to unprivileged local users. The vulnerability exists in the ioctl handler that reports storage space information. When block groups are concurrently removed by the system during the space query operation, the kernel copies more data to userspace than it actually wrote, exposing sensitive kernel memory. An attacker with local access can exploit this timing window to read information that should not be accessible.

  • CVE-2026-33462MEDIUM 4.6

    A path traversal flaw in Kibana's dashboard management allows an authenticated user with basic permissions to craft a malicious dashboard identifier. When an administrator deletes this dashboard, the deletion request bypasses security controls and targets unintended internal endpoints—potentially destroying user accounts or other critical resources. The vulnerability requires an administrator to take action on the malicious object, making it a privilege-escalation path rather than a self-executing exploit.

  • CVE-2026-36174MEDIUM 4.6

    GNCC GP5 devices running version 7.1.76 transmit sensitive wireless network credentials in readable form to the serial console during normal operation. An attacker with physical access to the device's serial port can intercept these credentials, compromising network security. This is a localized but consequential exposure for organizations operating these devices in shared or less-controlled physical environments.

  • CVE-2026-36178MEDIUM 4.6

    A flaw in the factory reset process of GNCC GP5 v7.1.76 leaves sensitive cryptographic keys and related data intact on the device's storage partition even after a factory reset is performed. An attacker with physical access to the device could potentially recover this material and use it to decrypt or impersonate the original user's configuration and encrypted content.

  • CVE-2026-36180MEDIUM 4.6

    GNCC GP5 version 7.1.76 has a security weakness that allows an attacker with physical access to the machine to temporarily modify read-only system files and binaries during a single boot session. The vulnerability exploits bind-mount mechanisms—a Linux/Unix filesystem technique—to circumvent protections meant to keep critical system files locked down. While the attacker needs to be physically present and the changes only persist until reboot, this represents a meaningful integrity risk for systems in shared, controlled, or potentially hostile physical environments.

  • CVE-2026-10814MEDIUM 4.5

    Milvus, a popular vector database, contains a weakness in how it generates hash identifiers for grantee access control. An attacker with local access and sufficient privileges could exploit weak cryptographic hashing in the Grantee ID Hash Handler to potentially forge or predict access control identifiers, leading to unauthorized data access or modification. The vulnerability requires high technical complexity to exploit and is rated as medium severity.

  • CVE-2026-10100MEDIUM 4.4

    The Simple Custom Login Page plugin for WordPress contains a security flaw that allows administrators to inadvertently inject malicious code into the login page viewed by all users. When a site admin configures colors for the login page through the plugin's settings, an attacker with admin access can craft CSS injection payloads in those color fields. Because the plugin doesn't properly validate these inputs before displaying them, an attacker can break out of the intended styling context and insert arbitrary CSS rules. This enables phishing attacks—for example, by hiding the real login form or overlaying a fake one to steal credentials.

  • CVE-2026-3620MEDIUM 4.4

    The Word Replacer plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 0.4. An attacker with administrator-level access can inject malicious scripts through the plugin's 'replacement' parameter. These scripts persist in the WordPress database and execute whenever any user visits an affected page, potentially allowing credential theft, session hijacking, or defacement. The vulnerability stems from inadequate input validation and output encoding in the plugin code.