PULSE
LIVE10signals / 24h
FEED
ransomthegentlemen reclama a Ecopetrol · CO · Energyransomqilin reclama a City Ambulance Service · Healthcareransomqilin reclama a Famesa · PE · Agriculture and Food Productionransomkrybit reclama a euroins.bg · BG · Financial Servicesransomnova reclama a FMZ Tecnologia em Sistemas · BR · Technologyransomqilin reclama a Heartland Catfish · US · Agriculture and Food Productionransomqilin reclama a Salina Supply · US · Business Servicesransomqilin reclama a St Martha Catholic Church · US · Consumer Servicesransomqilin reclama a The Nueva School · US · Educationransomdragonforce reclama a NewNet · SA · Telecommunicationransomqilin reclama a Sicc · IT · Not Foundransomqilin reclama a KLD Labs · US · Technologyransomqilin reclama a Armara · FR · Not Foundransomqilin reclama a AK Preparedness · Business Servicesransomthegentlemen reclama a Ecopetrol · CO · Energyransomqilin reclama a City Ambulance Service · Healthcareransomqilin reclama a Famesa · PE · Agriculture and Food Productionransomkrybit reclama a euroins.bg · BG · Financial Servicesransomnova reclama a FMZ Tecnologia em Sistemas · BR · Technologyransomqilin reclama a Heartland Catfish · US · Agriculture and Food Productionransomqilin reclama a Salina Supply · US · Business Servicesransomqilin reclama a St Martha Catholic Church · US · Consumer Servicesransomqilin reclama a The Nueva School · US · Educationransomdragonforce reclama a NewNet · SA · Telecommunicationransomqilin reclama a Sicc · IT · Not Foundransomqilin reclama a KLD Labs · US · Technologyransomqilin reclama a Armara · FR · Not Foundransomqilin reclama a AK Preparedness · Business Services
CVE Watch349,552 in full archive

Vulnerabilities exploitable today

10,455in current view

Single score combining CVSS, KEV membership and EPSS. Every CVE with its own record — timeline from publication to active exploitation.

In KEV catalog1,647
New KEV · 24H0
Exploit Today ≥ 701,582

Distribution · last window

  • Critical
    1,333
  • High
    4,373
  • Medium
    3,748
  • Low
    298
Filters

Window

Severity

Flags

Vulnerabilities6,561–6,600 · 10,455
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-113594.3 MED
15.9%
5The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the pg_install_profilegrid() AJAX handler registered via wp_ajax_pg_install_profilegrid. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the ProfileGrid plugin from wordpress.10d
CVE-2026-5478210.0 CRI
15.9%
5CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML 1.1 and SAML 2.0 token validation does not correctly resolve the issuer signing key or require signed tokens when IdentityConfiguration is used with federated bindings, allowing an unauthenticated remote attacker to impersonate any principal the trusted STS could issue. This issue is fixed in versions 1.8.1 and 1.9.1.9d
CVE-2025-127996.5 MED
15.9%
5A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.10d
CVE-2026-57997.5 HIG
15.9%
5Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers. This issue affects Ontime: through 04052026.12d
CVE-2026-57307.5 HIG
15.9%
5Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers. This issue affects Ontime: through 04052026.12d
CVE-2026-579516.5 MED
15.9%
5Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.5d
CVE-2026-592557.1 HIG
15.8%
5BloodHound through 9.4.0, fixed in commit 8f79035, contains a missing authorization vulnerability in the custom-nodes API endpoints that allows any authenticated user to modify the global graph schema. Attackers with valid session tokens can create, update, or delete custom node types affecting all users and tenants by invoking unprotected POST, PUT, and DELETE operations on the custom-nodes endpoints.4d
CVE-2026-618583.3 LOW
15.8%
5ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.5d
CVE-2026-546016.3 MED
15.8%
5FastGPT is an open source AI knowledge base platform. From 4.14.17 to before 4.15.0-beta4, FastGPT allows an authenticated tenant user to call POST /api/core/dataset/collection/create/reTrainingCollection in a way that persists a server-owned datasetId value from another tenant. This creates mixed dataset objects and downstream dataset, collection, and training endpoints then make authorization decisions from inconsistent ownership anchors, allowing cross-tenant read, update, and delete access when mixed object ids are known. This issue is fixed in version 4.15.0-beta4.11d
CVE-2026-50007
15.8%
5Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with user_access on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users, including /delete-user-file, /reset-user-file, and /user-create-key, because requireFileAccess treats ordinary shared access as sufficient for file-management operations that should be restricted to the file owner or an administrator. This issue is fixed in version 26.7.0.11d
CVE-2026-590967.5 HIG
15.8%
5Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server enabled without a configured jwt-issuer or oidc-allowed-hosts.5d
CVE-2026-105388.0 HIG
15.8%
5Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.18d
CVE-2026-255674.3 MED
15.8%
5WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.5d
CVE-2026-622338.8 HIG
15.8%
5grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achieve full instance takeover.2d
CVE-2026-622178.8 HIG
15.8%
5OpenClaw 2026.5.14-beta.1 before 2026.5.27 contain an authorization flaw in the QQBot exec approvals feature. When the feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization, allowing non-allowlisted senders to perform unauthorized operations.1d
CVE-2026-54526
15.8%
5Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 3.7.15 and 4.0.6, the allow-list fix for CVE-2026-31892 is incomplete because workflow/util/merge.go ValidateUserOverrides and SanitizeUserWorkflowSpec walk only the top-level fields of WorkflowSpec via reflection, and WorkflowSpec.ArtifactGC is allow-listed wholesale; the struct behind that field, WorkflowLevelArtifactGC, has a PodSpecPatch sub-field whose contents flow unmodified into util.ApplyPodSpecPatch on the artifact-GC pod, the same sink the original fix closed for WorkflowSpec.PodSpecPatch, so a user submitting a Workflow under templateReferencing: Strict or Secure (against a referenced WorkflowTemplate that declares an output artifact and setting spec.artifactGC.strategy: OnWorkflowCompletion) can still inject an arbitrary strategic merge patch into the artifact-GC pod, including hostPath volumes, privileged: true, arbitrary image and command, and hostNetwork: true, defeating the stated purpose of Strict/Secure reference mode. This issue is fixed in versions 3.7.15 and 4.0.6.2d
CVE-2026-137418.8 HIG
15.8%
5The Digits: WordPress Mobile Number Signup and Login plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 9.1.0.5. This is due to missing authorization and role validation in the `dig_update_wpwc_custom_fields()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update, granted the site administrator has configured the built-in DIGITS User Role field.3d
CVE-2026-579968.8 HIG
15.8%
5phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in the user/add API endpoint that allows non-SuperAdmin administrators to create SuperAdmin accounts. A delegated administrator with USER_ADD/EDIT/DELETE permissions can call POST /admin/api/user/add with isSuperAdmin: true and attacker-chosen credentials to create a SuperAdmin account, then authenticate as that account to achieve full instance takeover.3d
CVE-2026-55881
15.8%
5OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob returned 15-second presigned S3 download URLs for a session's DOM-replay recording based solely on the session path parameter, while validateProjectAccess checked only that the project belonged to the requester's tenant and did not verify that the session belonged to that project, allowing any authenticated low-privilege user to read another tenant's first 15 seconds of session-replay recording data. This issue is fixed in version 1.27.0.6d
CVE-2026-122248.8 HIG
15.8%
5The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the `update_capabilities()` REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation, only verifying that the caller holds the dokandar capability. This makes it possible for authenticated attackers with a self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover.18d
CVE-2026-503997.8 HIG
15.8%
5Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally.4d
CVE-2026-491737.8 HIG
15.8%
5Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.4d
CVE-2026-155847.5 HIG
15.8%
5A privilege escalation vulnerability was found in the incluster-checks tool for OpenShift. The tool creates privileged debug pods with host filesystem access in the shared default namespace, where any user with the standard edit role can exec into them and obtain root access on cluster nodes.5d
CVE-2026-577057.5 HIG
15.8%
5Missing Authorization vulnerability in Nexcess Event Tickets event-tickets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets: from n/a through <= 5.28.5.6d
CVE-2026-573787.5 HIG
15.8%
5Missing Authorization vulnerability in Phil Kurth Advanced Forms advanced-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Forms: from n/a through <= 1.9.3.7.6d
CVE-2026-614287.3 HIG
15.8%
5PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and trigger replies to attacker-controlled addresses, bypassing sender allow/block lists.6d
CVE-2026-140118.1 HIG
15.8%
5Out of bounds read in SurfaceCapture in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)18d
CVE-2026-561827.8 HIG
15.7%
5Integer overflow or wraparound in Windows NTFS allows an authorized attacker to elevate privileges locally.4d
CVE-2026-561767.8 HIG
15.7%
5Out-of-bounds read in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.4d
CVE-2026-504997.8 HIG
15.7%
5Heap-based buffer overflow in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally.4d
CVE-2026-504867.8 HIG
15.7%
5Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally.4d
CVE-2026-504807.8 HIG
15.7%
5Heap-based buffer overflow in Windows Web Proxy Auto-Discovery Protocol (WPAD) allows an authorized attacker to elevate privileges locally.2d
CVE-2026-504667.8 HIG
15.7%
5Use after free in Windows Brokering File System allows an authorized attacker to elevate privileges locally.4d
CVE-2026-504417.8 HIG
15.7%
5Untrusted pointer dereference in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally.4d
CVE-2026-504357.8 HIG
15.7%
5Buffer over-read in Windows Overlay Filter allows an authorized attacker to elevate privileges locally.4d
CVE-2026-504138.8 HIG
15.7%
5Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally.4d
CVE-2026-504007.8 HIG
15.7%
5Stack-based buffer overflow in Windows App Installer allows an authorized attacker to elevate privileges locally.3d
CVE-2026-491757.8 HIG
15.7%
5Heap-based buffer overflow in Windows DNS allows an authorized attacker to elevate privileges locally.3d
CVE-2026-50279
15.7%
5Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21.17d
CVE-2026-567775.0 MED
15.7%
5n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module namespace. The issue only affects self-hosted instances where the Python Task Runner is enabled; where N8N_BLOCK_RUNNER_ENV_ACCESS is configured to allow it, this can disclose environment variables accessible to the task runner process.17d