☆
P0
CVE-2026-20253
CRITICAL
9.8
0.882
249.6
Splunk
Enterprise
CWE-306
Splunk Enterprise Missing Authentication for Critical Function Vulnerability
KEV EPSS↑ CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P0
CVE-2026-34910
CRITICAL
10.0
0.786
229.3
Ubiquiti
UniFi OS
CWE-20
Ubiquiti UniFi OS Improper Input Validation Vulnerability
KEV EPSS↑ CWE! 🗺 ATT&CK
☆
P0
CVE-2026-48907
CRITICAL
9.8
0.804
225.3
Widget Factory
Joomla Content Editor
CWE-284
Widget Factory Joomla Content Editor Improper Access Control Vulnerability
KEV EPSS↑ 🧩 JOOMLA
☆
P0
CVE-2026-20230
HIGH
8.6
0.417
176.6
Cisco
Unified Communications Manager
CWE-918
Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability
KEV EPSS↑ CWE! 🗺 ATT&CK
☆
P0
CVE-2026-48282
MAJ
CRITICAL
10.0
0.286
169.3
Adobe
ColdFusion
CWE-22
Adobe ColdFusion Path Traversal Vulnerability
KEV EPSS↑ CWE! 🗺 ATT&CK
☆
P0
CVE-2026-34909
CRITICAL
10.0
0.023
137.7
Ubiquiti
UniFi OS
CWE-22
Ubiquiti UniFi OS Path Traversal Vulnerability
KEV CWE! 🗺 ATT&CK
☆
P0
CVE-2026-56290
MAJ
CRITICAL
9.8
0.029
137.3
Joomlack
Page Builder
CWE-434
Joomlack Page Builder Improper Access Control Vulnerability
KEV CWE! 🧩 JOOMLA 🗺 ATT&CK
☆
P0
CVE-2026-48908
MAJ
CRITICAL
9.8
0.016
135.7
JoomShaper
SP Page Builder
CWE-434
JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
KEV CWE! 🧩 JOOMLA 🗺 ATT&CK
☆
P0
CVE-2026-48939
MAJ
CRITICAL
9.8
0.015
135.6
iCagenda
iCagenda
CWE-434
iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
KEV CWE! 🧩 JOOMLA 🗺 ATT&CK
☆
P0
CVE-2026-12569
CRITICAL
9.8
0.012
135.3
PTC
Windchill and FlexPLM
CWE-20
PTC Windchill and FlexPLM Improper Input Validation Vulnerability
KEV CWE! 🗺 ATT&CK
☆
P0
CVE-2026-15409
NOUVEAU
CRITICAL
10.0
0.000
135.0
SonicWall
SMA1000 Appliances
CWE-918
SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability
KEV CWE! 🗺 ATT&CK
☆
P0
CVE-2025-67038
CRITICAL
9.8
0.009
134.9
Lantronix
EDS5000
CWE-94
Lantronix EDS5000 Code Injection Vulnerability
KEV CWE! 🗺 ATT&CK
☆
P0
CVE-2026-56291
NOUVEAU
CRITICAL
9.8
0.008
134.8
Balbooa
Forms
CWE-434
Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability
KEV CWE! 🧩 JOOMLA 🗺 ATT&CK
☆
P0
CVE-2026-34908
CRITICAL
10.0
0.025
132.9
Ubiquiti
UniFi OS
CWE-284
Ubiquiti UniFi OS Improper Access Control Vulnerability
KEV
☆
P0
CVE-2026-45659
HIGH
8.8
0.032
131.7
Microsoft
SharePoint Server
CWE-502
Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability
KEV CWE! 🗺 ATT&CK
☆
P0
CVE-2026-48558
CRITICAL
10.0
0.012
131.4
SimpleHelp
SimpleHelp
CWE-347
SimpleHelp Authentication Bypass Vulnerability
KEV 🗺 ATT&CK
☆
P0
CVE-2026-45414
NOUVEAU
HIGH
8.5
0.000
126.0
rubygems
decidim
CWE-287
Decidim: JWT-backed authentication can be replayed across organizations
CWE! 🦠 RANSOM 📡 ITW ⛓ SUPPLY 🗺 ATT&CK
☆
P0
CVE-2026-55255
MAJ
HIGH
8.4
0.006
121.1
Langflow
Langflow
CWE-639
Langflow Authorization Bypass Through User-Controlled Key Vulnerability
KEV
☆
P0
CVE-2026-15410
NOUVEAU
HIGH
7.2
0.000
118.2
SonicWall
SMA1000 Appliances
CWE-94
SonicWall SMA1000 Appliances Code Injection Vulnerability
KEV CWE! 🗺 ATT&CK
☆
P0
CVE-2026-49259
NOUVEAU
HIGH
8.7
0.000
117.2
composer
nukeviet/nukeviet
CWE-79
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE! 🦠 RANSOM 📡 ITW 🗺 ATT&CK
☆
P0
CVE-2026-56155
NOUVEAU
HIGH
7.8
0.000
116.8
Microsoft
Active Directory Federation Services
CWE-1220
Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
KEV 🗺 ATT&CK
☆
P2
CVE-2026-45377
NOUVEAU
MEDIUM
6.5
0.000
109.0
rubygems
decidim-core
CWE-200
Decidim: Private exports can be downloaded through reusable links
🦠 RANSOM 📡 ITW ⛓ SUPPLY 🗺 ATT&CK
☆
P1
CVE-2026-56164
NOUVEAU
MEDIUM
5.3
0.000
106.8
Microsoft
SharePoint Server
CWE-306
Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability
KEV CWE! 🗺 ATT&CK
☆
P1
CVE-2008-4128
MAJ
MEDIUM
4.3
0.000
100.8
Cisco
IOS
CWE-352
Cisco IOS Cross-Site Request Forgery Vulnerability
KEV CWE! 🗺 ATT&CK
☆
P2
CVE-2026-54250
NOUVEAU
MEDIUM
5.8
0.001
100.0
go
github.com/k3s-io/k3s
CWE-22
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
CWE! 🦠 RANSOM 📡 ITW 🗺 ATT&CK
☆
P2
CVE-2026-50157
NOUVEAU
MEDIUM
6.5
0.000
99.0
composer
auth0/symfony
CWE-200
Auth0 Symfony SDK Accepted Bearer Tokens via URL Query Parameter
🦠 RANSOM 📡 ITW
☆
P0
CVE-2026-59856
NOUVEAU
HIGH
7.8
0.002
92.0
Ubuntu
CWE-94
USN-8541-1: Vim vulnerabilities
CWE! 🗺 ATT&CK
☆
P0
CVE-2026-14324
MEDIUM
6.5
0.002
79.2
Ubuntu
CWE-476
USN-8535-1: PipeWire vulnerabilities
🗺 ATT&CK
☆
P1
CVE-2026-59857
NOUVEAU
MEDIUM
5.5
0.001
78.1
Ubuntu
CWE-787
USN-8541-1: Vim vulnerabilities
CWE! 🗺 ATT&CK
☆
P1
CVE-2026-47065
MAJ
CRITICAL
9.8
0.005
74.4
maven
org.apache.mina:mina-core
CWE-502
Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass
CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P1
CVE-2026-14330
MEDIUM
5.5
0.001
73.1
Ubuntu
CWE-770
USN-8535-1: PipeWire vulnerabilities
🗺 ATT&CK
☆
P1
GHSA-9hc2-hjx8-q6pv
MAJ
CRITICAL
9.6
0.000
72.6
npm
tidgi
CWE-94
TidGi Desktop Remote Code Execution via Malicious TiddlyWiki Repository Import — Tiddler Startup Module Auto-Execution
CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P1
CVE-2026-45262
NOUVEAU
CRITICAL
9.9
0.000
72.4
composer
facturascripts/facturascripts
CWE-89
FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn`
PoC CWE! 🗺 ATT&CK
☆
P1
CVE-2026-54052
NOUVEAU
CRITICAL
9.9
0.000
69.4
npm
n8n-mcp
CWE-639
n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments
⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-50131
NOUVEAU
HIGH
8.6
0.003
66.9
npm
@fedify/fedify
CWE-918
Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges
CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P1
CVE-2026-50551
NOUVEAU
CRITICAL
9.9
0.004
64.9
go
github.com/siyuan-note/siyuan/kernel
CWE-79
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
CWE! 🗺 ATT&CK
☆
P1
GHSA-hgjx-r89m-m7v4
MAJ
CRITICAL
9.9
0.000
64.4
composer
facturascripts/facturascripts
CWE-22
FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFiles/ leading to RCE
CWE! 🗺 ATT&CK
☆
P1
CVE-2026-61667
NOUVEAU
CRITICAL
9.9
0.000
64.4
pip
DIRAC
CWE-89
DIRAC is vulnerable to RCE in FileCatalog DatasetManager via SQL injection + eval
CWE! 🗺 ATT&CK
☆
P3
GHSA-g936-7jqj-mwv8
MAJ
CRITICAL
9.0
0.000
64.0
go
github.com/almeidapaulopt/tsdproxy
CWE-200
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation
⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-48779
MAJ
HIGH
7.5
0.008
63.9
npm
ws
CWE-400
ws: Memory exhaustion DoS from tiny fragments and data chunks
PoC ⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-54448
NOUVEAU
HIGH
0.0
0.003
60.3
go
github.com/aquasecurity/trivy
CWE-400
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser
🦠 RANSOM 📡 ITW
☆
P1
CVE-2026-41283
MAJ
CRITICAL
9.9
0.007
60.3
pip
mistral
CWE-749
OpenStack Mistral allows Arbitrary Remote Code Execution when the API is exposed
🗺 ATT&CK
☆
P3
CVE-2026-59955
NOUVEAU
HIGH
7.5
0.000
60.0
maven
com.ctrip.framework.apollo:apollo
CWE-20
Apollo ConfigService access key authentication bypass via raw config file appId parsing
CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-59954
NOUVEAU
HIGH
7.5
0.000
60.0
maven
com.ctrip.framework.apollo:apollo
CWE-20
Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching
CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P1
CVE-2026-54159
NOUVEAU
CRITICAL
10.0
0.000
60.0
composer
prestashop/ps_facetedsearch
CWE-74
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE
🧩 PRESTASHOP 🗺 ATT&CK
☆
P3
CVE-2026-54174
NOUVEAU
HIGH
8.3
0.000
59.8
go
chainguard.dev/apko
CWE-345
melange: Incomplete package integrity verification allows data section substitution
⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-50006
NOUVEAU
CRITICAL
9.1
0.000
59.6
go
github.com/julien040/anyquery
CWE-22
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode
CWE! 🗺 ATT&CK
☆
P1
CVE-2026-45579
NOUVEAU
CRITICAL
9.9
0.000
59.4
pip
DIRAC
CWE-95
DIRAC is vulnerable to RCE in RequestManager due to eval on untrusted input
🗺 ATT&CK
☆
P3
CVE-2026-54065
NOUVEAU
HIGH
8.7
0.000
57.2
composer
nukeviet/nukeviet
CWE-22
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-54064
NOUVEAU
HIGH
8.7
0.000
57.2
composer
nukeviet/nukeviet
CWE-79
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-45263
NOUVEAU
HIGH
8.0
0.000
56.0
composer
facturascripts/facturascripts
CWE-1236
FacturaScripts: CSV formula injection in CSVExport allows authenticated low-priv users to plant payloads that execute when an admin opens the export
PoC
☆
P3
GHSA-7xw9-549r-8jrc
MAJ
HIGH
8.5
0.000
56.0
pip
DIRAC
CWE-89
DIRAC: SQL injection and lack of access control in PilotManager service
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-45376
NOUVEAU
MEDIUM
6.8
0.000
55.8
rubygems
decidim-admin
CWE-89
Decidim: Admin user search allows SQL injection through similarity-based sorting
CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-44891
NOUVEAU
HIGH
7.5
0.000
55.0
maven
io.netty:netty-codec-stomp
CWE-400
Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder
⛓ SUPPLY
☆
P3
CVE-2026-45378
NOUVEAU
HIGH
7.5
0.000
55.0
rubygems
decidim-verifications
CWE-200
Decidim: Verification documents can be downloaded through reusable links
⛓ SUPPLY
☆
P3
CVE-2026-45804
MAJ
HIGH
7.5
0.000
55.0
pip
diffusers
CWE-367
Diffusers: TOCTOU Trust Remote Code Bypass
⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-48118
NOUVEAU
HIGH
8.2
0.000
54.2
composer
nukeviet/nukeviet
CWE-79
NukeViet: Unauthenticated Reflected XSS in Comment Module
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-54446
NOUVEAU
HIGH
8.1
0.000
53.6
pip
netlicensing-mcp
CWE-306
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-45573
NOUVEAU
MEDIUM
6.4
0.000
53.4
rubygems
decidim-core
CWE-918
Decidim: Push subscriptions can be abused for server-side requests
CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-54628
NOUVEAU
HIGH
8.6
0.000
51.6
go
github.com/julien040/anyquery
CWE-284
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode
☆
P3
GHSA-pqg7-v6wh-3pfp
MAJ
HIGH
8.5
0.000
51.0
go
github.com/almeidapaulopt/tsdproxy
CWE-74
TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services
☆
P3
CVE-2026-54087
NOUVEAU
HIGH
7.6
0.000
50.6
composer
easycorp/easyadmin-bundle
CWE-79
EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-54629
NOUVEAU
HIGH
7.5
0.000
50.0
go
github.com/julien040/anyquery
CWE-22
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-45693
NOUVEAU
HIGH
7.5
0.000
50.0
composer
facturascripts/facturascripts
CWE-22
FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-37462
MAJ
HIGH
7.3
0.003
49.1
go
github.com/osrg/gobgp/v4
CWE-190
GoBGP: Integer underflow in the BGPUpdate.DecodeFromBytes function
CWE! 🗺 ATT&CK
☆
P3
CVE-2025-32781
NOUVEAU
MEDIUM
6.5
0.000
49.0
maven
com.ctrip.framework.apollo:apollo
CWE-639
Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center
⛓ SUPPLY
☆
P3
CVE-2026-54171
NOUVEAU
MEDIUM
6.5
0.000
49.0
rubygems
excon
—
Excon does not redact additional sensitive/risky headers when following redirects
⛓ SUPPLY
☆
P3
CVE-2026-5241
MAJ
HIGH
8.0
0.005
48.6
pip
transformers
CWE-829
huggingface/transformers: Arbitrary Code Execution During Model Initialization in the LightGlue Model Loading Path
🗺 ATT&CK
☆
P3
CVE-2026-61699
NOUVEAU
HIGH
8.1
0.000
48.6
go
github.com/forgekeep/nebula-mesh
CWE-299
nebula-mesh: Certificate revocation is never enforced at the mesh
🗺 ATT&CK
☆
P3
CVE-2026-61668
NOUVEAU
HIGH
8.1
0.000
48.6
pip
DIRAC
CWE-295
DIRAC: Pilot code downloaded over unverified HTTPS connection
☆
P3
CVE-2026-55372
NOUVEAU
HIGH
7.2
0.000
48.2
composer
nukeviet/nukeviet
CWE-918
NukeViet: Pre-authentication SSRF via X-Forwarded-Host
CWE! 🗺 ATT&CK
☆
P3
GHSA-7rx3-5wx3-5v76
MAJ
HIGH
7.7
0.000
46.2
go
github.com/forgekeep/nebula-mesh
CWE-862
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`
☆
P3
CVE-2026-50158
NOUVEAU
HIGH
7.7
0.000
46.2
go
github.com/eat-pray-ai/yutu
CWE-73
yutu: Arbitrary File Write via MCP `caption-download` Tool
☆
P3
CVE-2026-45415
NOUVEAU
MEDIUM
6.0
0.000
46.0
rubygems
decidim-verifications
CWE-285
Decidim: CSV census record endpoints improper authorization
⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2024-29033
MAJ
HIGH
7.5
0.006
45.7
pip
oauthenticator
CWE-285
GoogleOAuthenticator.hosted_domain incorrectly verifies membership of an Google organization/workspace
🗺 ATT&CK
☆
P3
CVE-2026-50125
NOUVEAU
HIGH
7.5
0.000
45.0
go
github.com/StacklokLabs/mkp
CWE-400
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion
🗺 ATT&CK
☆
P3
CVE-2026-50013
NOUVEAU
HIGH
7.5
0.000
45.0
go
github.com/SpectoLabs/hoverfly
CWE-362
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode
☆
P3
GHSA-xf7x-x43h-rpqh
MAJ
HIGH
7.5
0.000
45.0
pip
json-repair
CWE-835
json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS
☆
P3
CVE-2026-45572
NOUVEAU
MEDIUM
4.8
0.000
43.8
rubygems
decidim-core
CWE-94
Decidim: HTML content blocks allow stored script execution
CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-54163
NOUVEAU
MEDIUM
4.7
0.000
43.2
rubygems
secure_headers
CWE-79
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-48589
MAJ
LOW
5.4
0.004
42.8
maven
org.apache.shiro:shiro-jakarta-ee
CWE-601
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login
⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-45086
NOUVEAU
MEDIUM
5.4
0.000
42.4
rubygems
decidim-demographics
CWE-284
Decidim: Forms admin question editor lacks authorization
⛓ SUPPLY
☆
P3
CVE-2024-27091
MAJ
MEDIUM
6.1
0.004
42.0
pip
geonode
CWE-79
GeoNode: Stored XSS to full account takeover
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-44168
NOUVEAU
LOW
0.0
0.006
40.7
Ubuntu
—
USN-8536-1: MariaDB vulnerabilities
🗺 ATT&CK
☆
P3
CVE-2026-42011
NOUVEAU
LOW
0.0
0.005
40.6
Ubuntu
—
USN-8539-1: GnuTLS vulnerabilities
🗺 ATT&CK
☆
P3
CVE-2026-12725
NOUVEAU
LOW
0.0
0.004
40.5
Ubuntu
—
USN-8542-1: Dnsmasq vulnerabilities
🗺 ATT&CK
☆
P3
CVE-2026-42012
NOUVEAU
LOW
0.0
0.004
40.4
Ubuntu
—
USN-8539-1: GnuTLS vulnerabilities
🗺 ATT&CK
☆
P3
CVE-2026-12969
NOUVEAU
LOW
0.0
0.002
40.3
Ubuntu
—
USN-8542-1: Dnsmasq vulnerabilities
🗺 ATT&CK
☆
P3
CVE-2026-44169
NOUVEAU
LOW
0.0
0.002
40.2
Ubuntu
—
USN-8536-1: MariaDB vulnerabilities
🗺 ATT&CK
☆
P3
CVE-2026-6039
NOUVEAU
LOW
0.0
0.002
40.2
Ubuntu
—
USN-8534-1: LibreOffice vulnerabilities
☆
P3
CVE-2026-6040
NOUVEAU
LOW
0.0
0.001
40.1
Ubuntu
—
USN-8534-1: LibreOffice vulnerabilities
☆
P3
CVE-2026-47709
NOUVEAU
LOW
0.0
0.000
40.0
Ubuntu
—
USN-8526-2: libheif vulnerabilities
☆
P3
CVE-2026-47714
NOUVEAU
LOW
0.0
0.000
40.0
Ubuntu
—
USN-8526-2: libheif vulnerabilities
☆
P3
CVE-2026-11771
NOUVEAU
LOW
0.0
0.000
40.0
Ubuntu
—
USN-8540-1: OpenVPN vulnerabilities
🗺 ATT&CK
☆
P3
CVE-2026-12932
NOUVEAU
LOW
0.0
0.000
40.0
Ubuntu
—
USN-8540-1: OpenVPN vulnerabilities
🗺 ATT&CK
☆
P3
GHSA-q3v2-xj35-9grx
MAJ
MEDIUM
4.9
0.000
39.4
nuget
Umbraco.AI
CWE-200
Umbraco.AI discloses sensitive application configuration values
⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-45330
NOUVEAU
MEDIUM
4.9
0.000
39.4
rubygems
decidim-verifications
CWE-200
Decidim: Verification admins can access supplied IDs from other organizations
⛓ SUPPLY
☆
P3
CVE-2026-50018
NOUVEAU
MEDIUM
6.5
0.000
39.0
go
github.com/SpectoLabs/hoverfly
CWE-400
Hoverfly: Denial of Service via Goroutine Leak in Remote Post-Serve Actions
🗺 ATT&CK
☆
P3
CVE-2026-6657
MAJ
MEDIUM
6.1
0.002
36.8
pip
jupyter-server
CWE-346
jupyter-server is vulnerable to CORS origin validation bypass when the `allow_origin_pat` configuration is used
☆
P3
CVE-2026-10802
MAJ
LOW
4.3
0.003
36.2
npm
@keystone-6/core
CWE-400
Keystone: GraphQL API Endpoint Lacks Query Depth Limits
⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-48681
MAJ
MEDIUM
5.9
0.006
36.1
pip
ironic
CWE-23
OpenStack Ironic allows file overwrite via directory traversal during deployment with a crafted ISO image
☆
P3
CVE-2026-55608
NOUVEAU
MEDIUM
4.2
0.000
35.2
npm
n8n-mcp
CWE-200
n8n-MCP: Incorrect authorization can expose default-scope workflow version backups in multi-tenant HTTP mode
⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-46447
MAJ
MEDIUM
5.8
0.003
35.1
pip
ironic
CWE-669
OpenStack Ironic allows Boot Script Injection
☆
P3
CVE-2026-55513
NOUVEAU
MEDIUM
5.4
0.000
32.4
go
github.com/forgekeep/nebula-mesh
CWE-613
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens
☆
P3
CVE-2026-39835
MAJ
MEDIUM
5.3
0.004
32.3
go
golang.org/x/crypto
CWE-295
golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow
🗺 ATT&CK
☆
P3
CVE-2026-54335
NOUVEAU
LOW
3.7
0.000
32.2
npm
@feathersjs/commons
CWE-1321
Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__
⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-44545
MAJ
MEDIUM
5.3
0.003
32.2
pip
daphne
CWE-770
daphne: Unauthenticated attackers can cause excessive memory consumption by sending arbitrarily large WebSocket messages/frames
🗺 ATT&CK
☆
P3
CVE-2026-55512
NOUVEAU
MEDIUM
5.3
0.000
31.8
go
github.com/forgekeep/nebula-mesh
CWE-400
nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting
🗺 ATT&CK
☆
P3
CVE-2026-45710
NOUVEAU
LOW
3.5
0.000
26.0
composer
facturascripts/facturascripts
CWE-79
FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-44546
MAJ
LOW
3.7
0.002
22.4
pip
daphne
CWE-444
daphne: WebSocket handshake header smuggling through autobahn splitlines() mishandling of non-standard line separators
☆
P3
CVE-2026-10801
MAJ
LOW
3.6
0.001
21.7
pip
ms-swift
CWE-327
ms-swift: Image Cache Hash Collision via Missing Dimension Metadata
☆
P3
CVE-2026-10766
MAJ
LOW
3.6
0.001
21.7
pip
mlrun
CWE-327
mlrun: DataFrame hash collisions can cause dataset artifact path conflicts and silent data corruption
☆
P3
CVE-2025-61670
NOUVEAU
LOW
3.3
0.002
20.0
rust
wasmtime-c-api-impl
CWE-772
Wasmtime: Memory leak in C API with `externref` and `anyref` types
☆
P3
CVE-2026-7666
MAJ
LOW
3.1
0.002
18.8
pip
django
CWE-319
Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake
🗺 ATT&CK
☆
P3
CVE-2026-6009
MAJ
HIGH
0.0
0.005
15.6
maven
net.sf.jasperreports:jasperreports
CWE-502
Jaspersoft Reports: Java Deserialization Vulnerability Lleads to Remote Code Execution (RCE)
CWE! ⛓ SUPPLY 🗺 ATT&CK
☆
P3
CVE-2026-10783
MAJ
LOW
2.5
0.001
15.1
pip
gradio
CWE-327
Gradio: Audio cache key ignores metadata when saving numpy audio outputs
☆
P3
CVE-2026-7888
MAJ
HIGH
0.0
0.002
5.2
composer
concrete5/concrete5
CWE-502
Concrete CMS is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-44300
NOUVEAU
HIGH
0.0
0.000
5.0
go
github.com/opencost/opencost
CWE-20
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-52827
NOUVEAU
HIGH
0.0
0.000
5.0
composer
kimai/kimai
CWE-287
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-52823
NOUVEAU
MEDIUM
0.0
0.000
5.0
composer
kimai/kimai
CWE-352
Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-49992
NOUVEAU
MEDIUM
0.0
0.000
5.0
composer
kimai/kimai
CWE-352
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-47677
NOUVEAU
CRITICAL
0.0
0.000
5.0
composer
facturascripts/facturascripts
CWE-287
FacturaScripts: Account takeover of any 2FA-enabled user
CWE! 🗺 ATT&CK
☆
P3
GHSA-h4g2-xfmw-q2c9
MAJ
HIGH
0.0
0.000
5.0
pip
clauster
CWE-306
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
CWE! 🗺 ATT&CK
☆
P3
CVE-2026-50141
NOUVEAU
HIGH
0.0
0.002
0.3
go
go.woodpecker-ci.org/woodpecker/v3
CWE-290
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
☆
P3
CVE-2026-61549
NOUVEAU
HIGH
0.0
0.000
0.0
go
go.woodpecker-ci.org/woodpecker/v3
CWE-269
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend
🗺 ATT&CK
☆
P3
CVE-2026-53603
NOUVEAU
HIGH
0.0
0.000
0.0
go
github.com/forgekeep/nebula-mesh
CWE-312
nebula-mesh: Operator session tokens stored in plaintext in the database
☆
P3
CVE-2026-53604
NOUVEAU
HIGH
0.0
0.000
0.0
go
github.com/forgekeep/nebula-mesh
CWE-212
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths
☆
P3
GHSA-mqxv-9rm6-w8qc
MAJ
HIGH
0.0
0.000
0.0
go
github.com/lin-snow/ech0
CWE-770
Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware
☆
P3
CVE-2026-52828
NOUVEAU
MEDIUM
0.0
0.000
0.0
composer
kimai/kimai
CWE-862
Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access
☆
P3
CVE-2026-52826
NOUVEAU
MEDIUM
0.0
0.000
0.0
composer
kimai/kimai
CWE-285
Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation
☆
P3
CVE-2026-52825
NOUVEAU
MEDIUM
0.0
0.000
0.0
composer
kimai/kimai
CWE-285
Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility
☆
P3
CVE-2026-52824
NOUVEAU
CRITICAL
0.0
0.000
0.0
composer
kimai/kimai
CWE-1188
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
🗺 ATT&CK
☆
P3
CVE-2026-52822
NOUVEAU
MEDIUM
0.0
0.000
0.0
composer
kimai/kimai
CWE-285
Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation
☆
P3
CVE-2026-52821
NOUVEAU
MEDIUM
0.0
0.000
0.0
composer
kimai/kimai
CWE-639
Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects
☆
P3
CVE-2026-52820
NOUVEAU
MEDIUM
0.0
0.000
0.0
composer
kimai/kimai
CWE-639
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
☆
P3
CVE-2026-52819
NOUVEAU
MEDIUM
0.0
0.000
0.0
composer
kimai/kimai
CWE-863
Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target
🗺 ATT&CK
☆
P3
GHSA-8f6j-263m-g72x
MAJ
MEDIUM
0.0
0.000
0.0
pip
app-store-server-library
CWE-295
Apple App Store Server Python Library: SignedDataVerifier accepts stale OCSP GOOD responses and can bypass certificate revocation checks