Trending Vulnerabilities
What hit the radar this week. Mallory ranks every CVE by velocity across vendor advisories, researcher write-ups, social chatter, and the underground, then surfaces the ones worth your morning.
Ranked by Mallory's mention-velocity model across sources.
Top 24 vulnerabilities · Last week
CVE-2026-35273
CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools, specifically the Updates Environment Management / Environment Management Hub (EMHub, also referenced as PSEMHUB) component, affecting supported versions 8.61 and 8.62. Oracle describes it as a missing authentication for critical function issue, and multiple supporting reports characterize exploitation as unauthenticated remote code execution over HTTP. Additional reporting indicates the issue may involve a pre-authentication Java deserialization condition within PSEMHUB, though Oracle’s public description emphasizes authentication failure rather than implementation detail. Successful exploitation allows a remote attacker to reach privileged functionality in the EMHub component without credentials and achieve compromise of the PeopleSoft application infrastructure, up to full takeover of the affected PeopleTools instance.
CVE-2026-20262
CVE-2026-20262 is an authenticated remote arbitrary file creation/overwrite vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. The flaw is caused by improper validation of user-supplied input during a file upload process at an affected API endpoint, with path traversal characteristics that allow writes outside intended directories. By sending a crafted HTTP request, an attacker with valid credentials can create or overwrite arbitrary files on the underlying operating system. Cisco states that the written file can subsequently be used to elevate privileges to root. The issue affects multiple versions and all deployment types of Catalyst SD-WAN Manager, including on-prem, Cloud-Pro, Cisco Managed Cloud, and FedRAMP deployments, and Cisco has confirmed active exploitation in the wild.
CVE-2026-10520
CVE-2026-10520 is a critical OS command injection vulnerability in Ivanti Sentry (formerly MobileIron Sentry) affecting versions prior to R10.5.2, R10.6.2, and R10.7.1. The flaw allows a remote unauthenticated attacker to reach an exposed Sentry endpoint and inject attacker-controlled input into a system-level command, resulting in remote code execution as root. Supporting reporting indicates the vulnerable code path is in the ConfigServiceController class and is reachable via a POST request to the unauthenticated endpoint /mics/api/v2/sentry/mics-config/handleMessage. The issue appears to stem from an internal configuration command API accepting untrusted input without proper sanitization or authentication enforcement, causing crafted MICS configuration data to be executed by a backend handler with root privileges.
CVE-2026-20253
CVE-2026-20253 is a critical missing-authentication flaw in the PostgreSQL Sidecar Service used by Splunk Enterprise 10.x. In affected versions, the PostgreSQL sidecar recovery endpoints lack authentication controls, allowing any network-reachable attacker to invoke file-related operations without credentials. Splunk’s advisory describes the core issue as arbitrary file creation or truncation through the sidecar service endpoint. Supporting technical analysis indicates the vulnerable functionality is exposed via recovery endpoints such as /v1/postgres/recovery/backup and /v1/postgres/recovery/restore, reachable through Splunk Web proxy paths like /en-US/splunkd/__raw/v1/postgres/recovery/backup. The backupFile parameter can be abused for path traversal and arbitrary file creation/truncation, while attacker-controlled database connection parameters can cause Splunk to interact with attacker-controlled PostgreSQL infrastructure. Researchers further showed this file-operation primitive can be chained with PostgreSQL restore behavior, use of Splunk’s local .pgpass credentials, and PostgreSQL large-object export functionality such as lo_export to obtain arbitrary file write and ultimately remote code execution as the Splunk service account. Affected Splunk Enterprise versions are 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3; 9.4 and earlier are not affected, and 10.4 is listed as unaffected.
CVE-2026-50751
CVE-2026-50751 is a critical improper-authentication flaw in Check Point Remote Access VPN, Mobile Access, and Spark Firewall deployments that use the deprecated IKEv1 key exchange path. The vulnerability is caused by a logic-flow weakness in Remote Access and Mobile Access certificate validation during the IKEv1 handshake/phase-1 exchange. Under affected configurations, a remote attacker can manipulate the IKEv1 authentication flow so the gateway accepts the session as authenticated without successfully validating a legitimate user password, certificate, or corresponding private key. Public reporting also indicates the issue affects certificate-based, certificate-with-enrollment, and mixed authentication modes on legacy IKEv1 remote-access paths.
CVE-2026-48907
CVE-2026-48907 is a critical improper access control vulnerability in Widget Factory's Joomla Content Editor (JCE) extension for Joomla. The flaw affects JCE versions 1.0.0 through 2.9.99.4 and resides in the profile import workflow, including the unauthenticated endpoint /index.php?option=com_jce&task=profiles.import. Due to missing authorization checks, an unauthenticated attacker can create a new editor profile without logging in. The import handling does not sufficiently restrict uploaded content to valid profile/XML data, allowing arbitrary PHP files to be staged and uploaded. Supporting reporting indicates the upload path invokes Joomla file handling in an unsafe manner, including use of File::upload with $allow_unsafe = true, which bypasses normal extension safety controls. An attacker can then request the uploaded PHP file and execute arbitrary code on the server as the web server user. Public exploit code and automated exploitation in the wild have been reported, and CISA added the issue to the KEV catalog.
CVE-2026-54420
CVE-2026-54420 is a UNIX symbolic link following vulnerability in the LiteSpeed user-end cPanel plugin before 2.4.8, as distributed with LiteSpeed WHM PlugIn before 5.3.2.0. On shared hosting servers running CloudLinux/CageFS, the plugin improperly handles user-controlled symlinks supplied by a tenant who already has FTP access or web shell access. This symlink mishandling allows a low-privileged user to abuse privileged plugin operations and escape normal tenant isolation, resulting in local privilege escalation. The issue has been reported as actively exploited in the wild since May 2026.
CVE-2026-50656
CVE-2026-50656, publicly referred to as RoguePlanet, is a local elevation-of-privilege vulnerability in the Microsoft Malware Protection Engine used by Microsoft Defender. Per Microsoft’s advisory and public reporting, the flaw is rooted in improper link resolution before file access and is exploited via a time-of-check to time-of-use race condition in Defender’s file-handling or scanning workflow. During scanning, Defender validates or opens a file path and later re-accesses the target; an attacker can win the race by substituting the checked object, such as through link or path manipulation, before the privileged engine uses it. Because the engine runs as NT AUTHORITY\SYSTEM, successful exploitation can cause attacker-controlled code or a substituted payload to execute in a SYSTEM context. Public proof-of-concept reporting indicates the exploit can spawn a SYSTEM command prompt and affects fully patched Windows 10 and Windows 11 systems at the time of disclosure.
CVE-2026-0257
CVE-2026-0257 is an authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS. The issue allows a remote unauthenticated attacker to bypass security restrictions and establish an unauthorized VPN connection. Supporting reporting indicates exploitation is tied to deployments using GlobalProtect authentication override cookies under a specific certificate configuration, particularly where the same certificate is used for both the HTTPS service and authentication override cookie encryption/decryption. Rapid7 reported that PAN-OS processes the incoming authentication override cookie by base64 decoding and decrypting it in the function identified as main_DecryptAppAuthCookie, and then implicitly trusts the decrypted cookie contents without signature verification. In the vulnerable configuration, an attacker can obtain the public key exposed via the HTTPS service, forge a cookie for an arbitrary user, and have the appliance accept it as valid authentication. Panorama and Cloud NGFW are reported as not affected.
CVE-2026-48558
CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp affecting versions 5.5.15 and earlier and 6.0 pre-release versions. The flaw exists in the OpenID Connect (OIDC) authentication flow: when OIDC is configured, SimpleHelp accepts identity tokens submitted during login without verifying their cryptographic signature. Because the application trusts unsigned or improperly validated identity assertions, a remote unauthenticated attacker can forge a token containing arbitrary identity claims and have it accepted as valid. In vulnerable deployments, this allows the attacker to create or authenticate as a Technician user and obtain a fully authenticated technician session without possessing legitimate credentials. The issue is specifically tied to improper validation of OIDC/JWT identity assertions rather than the traditional local username/password path.
CVE-2026-39813
CVE-2026-39813 is a critical path traversal vulnerability in the Fortinet FortiSandbox JRPC API affecting FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5. The flaw is described as a '../filedir' path traversal issue in the JRPC API and can be triggered by specially crafted HTTP requests. Public reporting indicates a remote unauthenticated attacker can exploit the vulnerability to bypass authentication, which Fortinet and multiple reports characterize as an API privilege-escalation condition. The issue is associated with Fortinet advisory FG-IR-26-112 and carries a CVSS score of 9.1.
CVE-2026-11645
CVE-2026-11645 is a high-severity out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine used by Google Chrome and other Chromium-based products. Google describes the issue as affecting Google Chrome prior to 149.0.7827.103, where a remote attacker can trigger out-of-bounds memory access via a crafted HTML page and achieve arbitrary code execution inside the browser sandbox. Supporting reporting indicates the bug is rooted in V8 TurboFan optimization logic, specifically range analysis that can incorrectly compute the maximum value of loop- or bitwise-modified variables and wrongly eliminate runtime bounds checks. Additional reporting also notes a possible trigger condition involving stale ElementsKind assumptions after array layout transitions, leading optimized native code to use invalid size or offset assumptions. The resulting condition can produce invalid reads and writes outside an array backing store, causing memory corruption.
CVE-2026-42824
CVE-2026-42824 is a Microsoft 365 Copilot Enterprise vulnerability chain, dubbed SearchLeak by Varonis, that Microsoft describes as improper neutralization of special elements used in a command in M365 Copilot. The issue allowed attacker-controlled input delivered through Copilot Enterprise Search to be interpreted as executable prompt/command content rather than inert search text, enabling unauthorized retrieval of data available to the victim through Copilot’s Microsoft 365/Graph-backed access. Public reporting describes exploitation via a crafted Copilot Search URL using the q parameter to inject instructions that caused Copilot to search the victim’s mailbox, OneDrive, SharePoint, calendar, meeting notes, and other accessible enterprise content. The demonstrated chain then leveraged streamed HTML rendering before sanitization completed, allowing an injected img tag to be processed, and abused Bing Search by Image as a server-side fetch path to bypass CSP restrictions and exfiltrate the retrieved data to an attacker-controlled endpoint. Microsoft’s advisory classifies the issue as command injection resulting in information disclosure over a network.
CVE-2026-39808
CVE-2026-39808 is a critical OS command injection vulnerability in an unspecified FortiSandbox API endpoint/component affecting Fortinet FortiSandbox versions 4.4.0 through 4.4.8. The flaw is caused by improper neutralization of special elements used in an OS command, allowing attacker-controlled input from crafted HTTP requests to reach OS command execution logic without sufficient sanitization. Multiple public sources describe the issue as pre-authentication and remotely exploitable over the network, enabling unauthorized code or command execution on the underlying FortiSandbox system.
CVE-2026-25089
CVE-2026-25089 is a critical OS command injection vulnerability in the web UI of Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. The flaw is caused by improper neutralization of special elements used in an OS command, allowing attacker-controlled input to reach OS command execution contexts. Exploitation is reported via specifically crafted HTTP requests, and multiple sources associate the vulnerable path with the web UI 'start VNC' feature, including crafted JSON input in a second-order injection scenario. Affected versions include FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, all FortiSandbox 4.2 versions, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5. The issue is pre-authentication and remotely reachable over the network through the management web interface.
CVE-2026-53435
CVE-2026-53435 is a deserialization vulnerability in Jenkins affecting Jenkins 2.567 and earlier and Jenkins LTS 2.555.2 and earlier. Jenkins can be induced to deserialize attacker-controlled types from a submitted config.xml, provided those types are defined in Jenkins core or installed plugins. The issue arises from unsafe handling of deserialized objects combined with subsequent HTTP routing into those objects, allowing attacker-planted objects to handle requests after deserialization. Public analysis describes exploitation via crafted config.xml content that injects unexpected Jenkins-core objects into configuration containers, after which the attacker can reach those objects through Stapler-routed URLs. This can be leveraged to impersonate arbitrary users, send HTTP requests on their behalf, access the Script Console to execute arbitrary code, and read arbitrary files from the Jenkins controller.
CVE-2026-4020
CVE-2026-4020 is a sensitive information exposure vulnerability in the Gravity SMTP plugin for WordPress affecting all versions up to and including 2.1.4. The issue is caused by a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data that is registered with a permission_callback that unconditionally returns true, allowing unauthenticated access. When the request includes the query parameter page=gravitysmtp-settings, the plugin's register_connector_data() logic populates internal connector data and the endpoint returns an approximately 365 KB JSON System Report. Exposed data can include PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, WordPress configuration details, active plugins and their versions, active theme, database table names, and API keys, secrets, or OAuth tokens configured for Gravity SMTP email delivery integrations.
CVE-2025-8088
CVE-2025-8088 is a path traversal vulnerability affecting the Windows version of WinRAR. Reporting indicates WinRAR 7.12 was vulnerable, as were the related Windows command-line utilities, UnRAR.dll, and the portable UnRAR source code. The flaw is exploitable through crafted RAR archives that abuse NTFS Alternate Data Streams (ADS) and traversal sequences during extraction, allowing files embedded in the archive to be written outside the intended extraction directory. Observed exploit chains hide a malicious payload behind a decoy document, such as a PDF, using a composite name that pairs a visible file with an ADS payload, then traverse into attacker-chosen locations such as the Windows Startup folder. When the archive is opened or extracted by a vulnerable WinRAR version, the hidden payload can be silently dropped to that location because extraction path restrictions are not adequately enforced. Public reporting states this can lead to arbitrary code execution, commonly by planting a .lnk, HTA, VBScript, PowerShell loader, or DLL-loading chain that executes at next logon. The vulnerability was discovered in the wild by ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček and was exploited beginning at least July 18, 2025.
CVE-2026-5027
CVE-2026-5027 is a path traversal vulnerability in Langflow affecting the POST /api/v2/files endpoint. The endpoint fails to properly sanitize the filename parameter supplied in multipart form data, allowing traversal sequences such as '../' to escape the intended upload directory and write attacker-controlled files to arbitrary filesystem locations. Reporting indicates the flaw can be leveraged toward remote code execution depending on where files can be written and how the target system uses those files. Multiple public sources state that Langflow's default unauthenticated auto-login behavior allows an attacker to obtain a valid session token with a single unauthenticated request, making the vulnerable endpoint reachable without credentials in default deployments.
CVE-2026-10187
CVE-2026-10187 is a remotely exploitable stack-based buffer overflow in the Totolink N300RH Web Management Interface, affecting firmware version 6.1c.1353_B20190305. The flaw is in the setWiFiBasicConfig function within wireless.so. Public reporting indicates that improper handling of the KeyStr argument allows an attacker to supply crafted input that overflows a stack buffer. The issue is reachable remotely via the network through the device's web management component, and public exploit code is reported to be available.
CVE-2026-46316
CVE-2026-46316, dubbed ITScape, is a guest-to-host escape vulnerability in the Linux kernel's KVM/arm64 implementation, specifically in the vGIC-ITS emulation code under arch/arm64/kvm/vgic/. The bug is in vgic_its_invalidate_cache(), which iterates the per-ITS translation cache with xa_for_each() and drops references with vgic_put_irq(). Due to incorrect handling during xa_erase(), the code can drop the reference for the iterated pointer rather than only the entry actually removed. Because invalidation can be invoked concurrently from multiple contexts that do not exclude one another, the same cache entry can be observed, erased, and put multiple times. This creates a double-put condition that can prematurely free an IRQ-related entry while it is still mapped by an ITE, resulting in a use-after-free/memory corruption condition in host kernel context. Public reporting states this can be triggered entirely from a guest on affected arm64 KVM hosts and can be leveraged for host kernel code execution.
CVE-2026-22872
CVE-2026-22872 affects Capsule, a multi-tenancy and policy-based framework for Kubernetes. The vulnerability is in the Capsule Controller's TenantResource RawItems processing logic. While the controller forcibly sets the namespace for submitted resources, that safeguard is ineffective for cluster-scoped Kubernetes objects, which do not belong to a namespace. Because the Capsule Controller runs with cluster-admin privileges by default, a tenant administrator with Tenant Owner privileges can submit TenantResource RawItems that cause the controller to create cluster-scoped resources such as ClusterRole or ValidatingWebhookConfiguration on their behalf. This allows a tenant administrator to bypass intended authorization boundaries and abuse the controller's elevated privileges for cross-tenant and cluster-level actions. The issue is fixed in Capsule version 0.13.0.
CVE-2026-42530
CVE-2026-42530 is a use-after-free vulnerability in NGINX Open Source's ngx_http_v3_module when the server is configured to use the HTTP/3 QUIC module. A remote, unauthenticated attacker can send a specially crafted HTTP/3 session that reopens a QPACK encoder stream, triggering a use-after-free condition in the NGINX worker process. The flaw affects HTTP/3 processing and can cause the worker process to restart. Under conditions where Address Space Layout Randomization (ASLR) is disabled, or where the attacker can otherwise bypass ASLR, the memory corruption may be leveraged for code execution.
CVE-2026-12221
CVE-2026-12221 is a stack-based buffer overflow vulnerability affecting Yealink SIP-T46U firmware version 108.86.0.118. The flaw is in the Firmware Chunk Upload Handler exposed via /api/upgrade/upgrade, specifically involving the use of sprintf. According to the available description, manipulation of the uid/start_offset argument can trigger the overflow, indicating insufficient bounds checking when attacker-controlled input is copied into a stack buffer. The issue is reachable from within the local network, and a public exploit has been reported.