Lucene search
366229 matches found

added 2026/06/12 11:52 a.m. | 15 views

CVE-2026-47195

CVE-2026-47195 affects the Quest Bot (Discord bot). Prior to version 1.1.6, purge and slowmode commands check only guild-level permissions, not the invoking member’s channel-level permissions. A user without channel moderation rights could still delete messages or modify slowmode via the bot. The...

7.1 CVSS | 5.3 AI score | 0.00215 EPSS
Exploits 0 | References 2

added 2026/06/12 11:51 a.m. | 14 views

CVE-2026-47196

CVE-2026-47196 affects Quest Bot (open-source Discord bot). Before v1.1.6, the automod add command could create an empty rule when input is whitespace because it trims but does not reject an empty result; the message listener then checks content.includes("") which is always true, causing deletion...

8.4 CVSS | 5.3 AI score | 0.00235 EPSS
Exploits 0 | References 2

added 2026/06/12 11:0 a.m. | 4 views

CVE-2026-53646

Technical details for CVE-2026-53646 are not publicly available in the provided documents. No affected products, impact, or remediation information is provided. Monitor for updates.

0.00041 EPSS
Exploits 1

added 2026/06/12 10:0 a.m. | 17 views

CVE-2026-9266

CVE-2026-9266 affects Moxa’s embedded Linux firmware for industrial computers and controllers. The issue is a Missing Required Cryptographic Step, an incomplete remediation of CVE-2026-0714, where TPM2 parameter encryption is undermined by an omission in the authorization session configuration. A...

7 CVSS | 5.2 AI score | 0.0007 EPSS
Exploits 0 | References 1

added 2026/06/12 9:47 a.m. | 18 views

CVE-2026-11849

The CVE-2026-11849 entry concerns IEI Integration Corp’s iRM-IEI Remote Management with a hardcoded credentials flaw. Affected component: the iRM-IEI Remote Management database (product/vendor specified). Root cause: hardcoded credentials allowing unauthenticated remote access. Impact: attacker c...

9.8 CVSS | 5.5 AI score | 0.0035 EPSS
Exploits 0 | References 2

added 2026/06/12 9:44 a.m. | 12 views

CVE-2026-11848

CVE-2026-11848 concerns IEI Integration Corp’s iRM-IEI Remote Management. The publicly documented vulnerability is Missing Authentication, allowing unauthenticated remote attackers to access a function that reveals partial system configuration information. Candidate details across sources indicat...

7.9 CVSS | 5.4 AI score | 0.00297 EPSS
Exploits 0 | References 2

added 2026/06/12 9:42 a.m. | 26 views

CVE-2026-48914

CVE-2026-48914 affects QEMU’s virtio-blk device. The issue: the driver does not validate input descriptor sizes when handling virtio-blk SCSI requests, allowing a malicious guest with high privileges to trigger an out-of-bounds write in host heap memory, causing potential DoS of the QEMU process....

6.7 CVSS | 5.3 AI score | 0.00121 EPSS
Exploits 0 | References 3

added 2026/06/12 9:37 a.m. | 13 views

CVE-2026-11847

The CVE-2026-11847 entry concerns the iVEC-IEI Virtualization Edge Computer from IEI Integration Corp. The issue is a path traversal vulnerability that allows authenticated remote attackers to create directories in unintended system paths. Documented impact indicates unauthori...

5.3 CVSS | 5.5 AI score | 0.00288 EPSS
Exploits 0 | References 2

added 2026/06/12 9:31 a.m. | 15 views

CVE-2026-11846

Affected product: IEI iVEC-IEI Virtualization Edge Computer by IEI Integration Corp. The CVE describes an Arbitrary File Deletion vulnerability that can be exploited by authenticated remote attackers to delete arbitrary system files or directories, potentially causing data destruction and service...

8.1 CVSS | 5.6 AI score | 0.00401 EPSS
Exploits 0 | References 2

added 2026/06/12 9:27 a.m. | 15 views

CVE-2026-11845

The CVE-2026-11845 entry concerns the iVEC-IEI Virtualization Edge Computer from IEI Integration Corp, describing an OS Command Injection vulnerability. The available documents state that privileged remote attackers could inject arbitrary OS commands and execute them on the device, with high impa...

8.6 CVSS | 5.8 AI score | 0.00951 EPSS
Exploits 0 | References 2

added 2026/06/12 9:12 a.m. | 10 views

CVE-2026-11844

The CVE-2026-11844 entry concerns IEI Integration Corp’s iVEC-IEI Virtualization Edge Computer. A vulnerability described as Arbitrary File Read could allow privileged remote attackers to read files outside the intended directory scope. According to the provided metrics, exploitability is network...

6.9 CVSS | 5.4 AI score | 0.00407 EPSS
Exploits 0 | References 2

added 2026/06/12 9:6 a.m. | 23 views

CVE-2026-50645

CVE-2026-50645 affects Apache CXF during message deserialization, where there is no restriction on the number of attachment headers. This can enable uncontrolled resource consumption and a denial-of-service condition. The issue is mitigated by limiting attachments per message to a default maximum...

7.5 CVSS | 5.3 AI score | 0.0046 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 9:5 a.m. | 32 views

CVE-2026-50634

CVE-2026-50634 affects Apache CXF's JwsJsonContainerRequestFilter. The vulnerability allows CXF to process metadata that was not authenticated by the accepted signature, bypassing the assumption that Content-Type or protected HTTP-header metadata came from a verified signature. This can influence...

6.5 CVSS | 5.3 AI score | 0.00278 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 9:2 a.m. | 30 views

CVE-2026-50633

The CVE-2026-50633 issue is a JNDI Injection vulnerability in Apache CXF’s JCA integration module (DispatchMDBMessageListenerImpl). The vulnerability allows code execution when an attacker can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Affected software is...

8.1 CVSS | 5.4 AI score | 0.00577 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 9:0 a.m. | 21 views

CVE-2026-50632

CVE-2026-50632: Apache CXF exposes a JNDI Injection vulnerability in the JMSConfigFactory. The issue arises when untrusted users configure JMS, potentially allowing code execution. Affected versions are addressed by upgrades to 4.2.2 or 4.1.7. The NVD/CVEs and related feeds document this as a co...

8.1 CVSS | 5.8 AI score | 0.00449 EPSS
Exploits 0 | References 1 | Affected Software 1

added 2026/06/12 8:59 a.m. | 20 views

CVE-2026-50631

CVE-2026-50631: A TOCTOU race condition in Apache CXF's AbstractOAuthDataProvider allows concurrent requests to reuse the same Refresh Token when recycleRefreshTokens is false, bypassing single-use semantics and generating multiple valid Access Tokens. This can enable token replay/abuse by multi...

7.4 CVSS | 5.3 AI score | 0.00294 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 8:58 a.m. | 17 views

CVE-2026-50630

The CVE-2026-50630 issue affects Apache CXF’s OAuth2 implementation, where the AuthorizationUtils class concatenates the realm parameter into the WWW-Authenticate header without sanitizing CR/LF characters. This can enable header injection or HTTP response splitting if an attacker controls the re...

6.5 CVSS | 5.5 AI score | 0.00404 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 8:57 a.m. | 18 views

CVE-2026-50629

The CVE-2026-50629 issue affects Apache CXF’s OAuth2 server where the 'clientId' from HTTP requests is concatenated into log warning messages without sanitizing control characters. This creates log injection risk by allowing arbitrary content in logs. Root cause: unsanitized control characters in...

5.3 CVSS | 5.4 AI score | 0.0047 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 8:56 a.m. | 29 views

CVE-2026-50628

CVE-2026-50628 concerns Apache CXF’s OAuthRequestFilter, where a logic error creates an inverted IP binding check: legitimate requests from the bound IP are rejected while requests from other IPs are allowed. Red Hat’s advisory attributes this to the OAuthRequestFilter component of CXF and notes ...

9.8 CVSS | 5.3 AI score | 0.00596 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 8:55 a.m. | 16 views

CVE-2026-50627

The CVE-2026-50627 issue affects Apache CXF’s JwtAccessTokenValidator, which fails to validate the aud (Audience) claim in incoming JWT access tokens. As described in multiple sources (NVD/Red Hat/CVE List/etc.), a token issued for one Resource Server could be replayed against a different Resourc...

9.1 CVSS | 5.2 AI score | 0.00393 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 8:54 a.m. | 61 views

CVE-2026-49875

Apache CXF is affected by an XML External Entity (XXE) issue described as CVE-2026-49875. The vulnerability arises because EndpointReferenceUtils and W3CMultiSchemaFactory construct a SAXParserFactory without proper JAXP hardening, enabling out-of-band (OOB) external entity resolution. Affected c...

9.8 CVSS | 5.3 AI score | 0.00368 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 8:52 a.m. | 16 views

CVE-2026-50623

CVE-2026-50623 affects Apache CXF’s OAuth2 TokenIntrospectionService. A missing 'throw' in the security context check permits access to the introspection endpoint (/services/oauth2/introspect) by any unauthenticated network attacker. This bypass is tied to a safeguard condition when authenticatio...

4.8 CVSS | 5.4 AI score | 0.00371 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 8:2 a.m. | 24 views

CVE-2026-12058

Technical details about CVE-2026-12058 are not publicly available in the provided documents. Monitor for updates from the vendor.

5.3 CVSS | 5.3 AI score | 0.0017 EPSS
Exploits 0 | References 1

added 2026/06/12 8:0 a.m. | 23 views

CVE-2026-11535

CVE-2026-11535 affects the PcSuite APP. The connected documents describe an authentication mechanism defect in PcSuite that can allow information leakage within Bluetooth range, leading to unauthorized access to victim devices. The NVD and CVE listings repeat the same description of unauthorized ...

9.4 CVSS | 5.3 AI score | 0.00151 EPSS
Exploits 0 | References 1

added 2026/06/12 6:43 a.m. | 20 views

CVE-2026-12060

CVE-2026-12060 concerns Heptabase (Hepta Platforms) with an Exposed Dangerous Method or Function vulnerability. The description indicates unauthenticated remote attackers can leverage social engineering to persuade a victim to open or load a malicious webpage inside the Heptabase application, res...

6.9 CVSS | 5.3 AI score | 0.00313 EPSS
Exploits 0 | References 2

added 2026/06/12 6:30 a.m. | 25 views

CVE-2026-12059

CVE-2026-12059 concerns the SSH service of Cellopoint’s CelloOS. The vulnerability is described as Improper Access Control that lets authenticated remote attackers bypass enforced command restrictions and execute operating system commands outside the originally authorized scope. Connected CVE rec...

8.8 CVSS | 5.5 AI score | 0.0045 EPSS
Exploits 0 | References 2

added 2026/06/12 6:0 a.m. | 13 views

CVE-2026-9271

Technical details for CVE-2026-9271 are not publicly available in the provided documents. Monitor for updates from official sources to obtain affected products, impact, and remediation.

5.9 CVSS | 5.2 AI score | 0.0014 EPSS
Exploits 0 | References 1

added 2026/06/12 6:0 a.m. | 54 views

CVE-2026-9269

The CVE pertains to the WordPress plugin “Secure Copy Content Protection and Content Locking” prior to version 5.1.5, which fails to sanitize and escape certain settings. This enables Stored XSS for high-privilege users (e.g., admin), even when unfiltered_html is disallowed (such as in multisite ...

3.5 CVSS | 5.2 AI score | 0.00145 EPSS
Exploits 0 | References 1

added 2026/06/12 5:4 a.m. | 40 views

CVE-2026-44892

CVE-2026-44892 affects Netty’s HTTP/3 codec. Before 4.2.15.Final, Http3ConnectionHandler defaults allow an unbounded maximum header size when HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE isn’t specified, enabling a malicious peer to flood headers and cause memory exhaustion (OutOfMemoryError) with netwo...

7.5 CVSS | 5.4 AI score | 0.00279 EPSS
Exploits 0 | References 2 | Affected Software 1

added 2026/06/12 4:32 a.m. | 23 views

CVE-2026-45169

Idira Privileged Access Manager (PAM) Self-Hosted Vault is affected in versions prior to 15.0.3, 14.6.5, 14.2.7, and 14.0.8. The issue is a validation vulnerability where processing unexpected input under certain configurations can cause an unexpected service termination, leading to a localized D...

8.7 CVSS | 5.5 AI score | 0.00301 EPSS
Exploits 0 | References 4

added 2026/06/12 2:27 a.m. | 33 views

CVE-2026-47370

Technical details are not publicly available in the provided documents. Monitor for updates on affected UniFi OS devices and remediation guidance.

9.9 CVSS | 5.6 AI score | 0.00834 EPSS
Exploits 0 | References 1

added 2026/06/12 2:27 a.m. | 36 views

CVE-2026-48610

CVE-2026-48610 describes an Improper Access Control vulnerability on certain devices running UniFi OS. A remote attacker with network access could cause unauthorized changes to UniFi OS devices. The CVSSv3.1 base score is 8.1 (High) with network attack vector, high impact on confidentiality, inte...

8.1 CVSS | 5.4 AI score | 0.00264 EPSS
Exploits 0 | References 1

added 2026/06/12 2:27 a.m. | 27 views

CVE-2026-47365

CVE-2026-47365 affects WordPress Toolkit (before 6.11.0) as used in cPanel & WHM. An argument injection flaw enables remote authenticated users to bypass cross-tenant authorization and run arbitrary wp-toolkit CLI commands as another account. The description and connected records confirm the affe...

9.9 CVSS | 5.9 AI score | 0.00409 EPSS
Exploits 0 | References 1

added 2026/06/12 2:27 a.m. | 13 views

CVE-2026-48613

Affects phpBB forums that were upgraded from versions prior to 3.3.8 and have not been updated to 3.3.11 or newer. The issue lies in the profile field migration process where user-supplied profile field data is not properly sanitized, allowing an SQL injection. The vulnerability enables execution...

5.9 CVSS | 6.7 AI score | 0.00155 EPSS
Exploits 0 | References 1

added 2026/06/12 2:27 a.m. | 73 views

CVE-2026-48611

CVE-2026-48611 describes improper authentication checks in an OAuth implementation that can allow account hijacking even when OAuth is not configured or enabled, leading to unauthorized access in default installations. The public records do not specify targeted products, versions, vendor names, o...

9.8 CVSS | 7.8 AI score | 0.00662 EPSS
Exploits 1 | References 1

added 2026/06/12 2:27 a.m. | 18 views

CVE-2026-47366

CVE-2026-47366 describes an improper verification of access permissions in the Administration Control Panel. An authenticated administrator could modify permissions and grant rights beyond their authorized level, resulting in privilege escalation within the administrative interface. The document...

7.2 CVSS | 7.1 AI score | 0.00299 EPSS
Exploits 0 | References 1

added 2026/06/12 2:27 a.m. | 58 views

CVE-2026-47368

CVE-2026-47368 describes a path traversal vulnerability in certain UniFi OS devices. The issue could allow an attacker with network access to obtain data from UniFi OS devices or instances. The CVSS vector indicates a network, low complexity, no privileges required, with high confidentiality impa...

8.6 CVSS | 5.4 AI score | 0.00355 EPSS
Exploits 0 | References 1

added 2026/06/12 2:27 a.m. | 48 views

CVE-2026-47367

CVE-2026-47367 affects UID Enterprise Agent. An Improper Input Validation vulnerability could let a network-adjacent, low-privilege attacker trigger a Command Injection on the host. CVSSv3.1 base score 9.9 (CRITICAL) with network access, low attack complexity, and high impact on confidentiality, ...

9.9 CVSS | 5.7 AI score | 0.00825 EPSS
Exploits 0 | References 1

added 2026/06/12 2:27 a.m. | 36 views

CVE-2026-47369

Technical details (affected products/versions/root cause/fixes) are not publicly available in the provided documents. Monitor for updates.

9.9 CVSS | 5.4 AI score | 0.00303 EPSS
Exploits 0 | References 1

added 2026/06/12 2:27 a.m. | 19 views

CVE-2026-48612

Technical details such as affected product, versions, root cause, and remediation are not publicly provided in the supplied documents. Monitor for updates.

8 CVSS | 7.4 AI score | 0.0012 EPSS
Exploits 0 | References 1

added 2026/06/12 2:16 a.m. | 15 views

CVE-2026-20746

PingDirectory (Ping Identity) is affected; copying virtual attributes that reference ds-privilege-name values can exhaust the Java heap when recent login history is enabled. The root cause is in virtual attribute handling within affected PingDirectory versions, enabling only authorized users to t...

6.3 CVSS | 5.5 AI score | 0.00278 EPSS
Exploits 0 | References 3

added 2026/06/12 1:57 a.m. | 135 views

CVE-2026-11933

Technical details (affected products, versions, root cause, and remediation) are not publicly available in the provided documents. Please monitor for updates.

8.8 CVSS | 5.5 AI score | 0.00384 EPSS
Exploits 0 | References 1 | Affected Software 1

added 2026/06/12 1:28 a.m. | 17 views

CVE-2026-9125

Summary: CVE-2026-9125 affects the Presto Player plugin for WordPress (up to version 4.2.0). The root cause is insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme va...

6.4 CVSS | 5.7 AI score | 0.00239 EPSS
Exploits 0 | References 10

added 2026/06/12 12:5 a.m. | 11 views

CVE-2026-45170

CVE-2026-45170 concerns Idira Privilege Cloud Connector, where versions prior to 1.1.100504 may not enforce TLS certificate validation under certain conditions/configurations. This could enable a potential security bypass affecting confidentiality, integrity, and availability, as indicated by the...

8.8 CVSS | 5.8 AI score | 0.00105 EPSS
Exploits 0 | References 1 | Affected Software 1

added 2026/06/12 12:0 a.m. | 20 views

CVE-2026-54073

VeraCrypt 1.26.29 is affected by CVE-2026-54073; a security fix is included in version 1.26.29 with Argon2id KDF for non-system volumes and other updates. The connected PT security notes confirm 1.26.29 as the fix release and list CVE-2026-54073 and CVE-2026-53762 as addressed. Remediation: upgra...

Exploits 0

added 2026/06/12 12:0 a.m. | 10 views

CVE-2026-0183

PT-2026-48834 aggregates an advisory from openSUSE noting CVE-2026-0183 affects RoundcubeMail and backported in SLE-15-SP6/SP7. It documents XSS and SQL injection flaws and a denial-of-service issue disclosed by LinuxSecurity/OpenSUSE context. The advisory links to backport mitigations, but the e...

Exploits 0

added 2026/06/12 12:0 a.m. | 14 views

CVE-2025-35273

CVE-2025-35273 is a server-side request forgery vulnerability in Oracle PeopleSoft. PT Security documents that ShinyHunters exploited this 0-day to target 100+ organizations, including ~300 endpoints across ~100 institutions, with roughly 68% in higher education. The vulnerability was remotely ex...

Exploits 0

added 2026/06/12 12:0 a.m. | 10 views

CVE-2026-54052

Technical details for CVE-2026-54052 are not publicly available in the provided documents. No affected products, impact, or remediation are specified. Monitor for updates from the connected sources and the CVE entry.

0.00043 EPSS
Exploits 0

added 2026/06/12 12:0 a.m. | 41 views

CVE-2026-53762

VeraCrypt 1.26.29 is released with security fixes including CVE-2026-53762 and CVE-2026-54073. The update adds Argon2id KDF for non-system volumes and includes driver/EFI, Linux/macOS fixes as part of system encryption improvements (and UEFI CA 2023 support). The PT Security entries PT-2026-48872...

Exploits 0

added 2026/06/11 11:20 p.m. | 25 views

CVE-2026-53510

Technical details for CVE-2026-53510 are not publicly available in the provided documents. Monitor for updates; no affected products, vectors, or remediation can be confirmed from the given sources.

Exploits 0

Total number of security vulnerabilities: 366229