Application security news, updated daily (if there is any news to share).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
CVE-2026-6270 is a Critical middleware inheritance flaw in `@fastify/middie` that can let unauthenticated requests reach child-plugin routes when auth middleware is registered in a parent scope.
A critical Dgraph Alpha debug endpoint leak lets unauthenticated attackers read the admin token from `/debug/pprof/cmdline` and access `/admin/*` endpoints.
Fastify disclosed a High-severity body-schema validation bypass where a leading space in `Content-Type` skips `schema.body.content` validation in affected 5.x deployments.
CVE-2026-33807 discloses a critical `@fastify/express` middleware path-doubling bug enabling complete bypass of Express authz/rate-limit controls for routes inside affected child plugin scopes.
CVE-2026-33805 discloses a Critical `Connection` header ordering flaw in `@fastify/reply-from`/`@fastify/http-proxy` that lets clients strip proxy-injected security headers upstream.
Eclipse Jetty disclosed and patched a High-severity HTTP/1.1 request-smuggling flaw in chunk-extension parsing, impacting multiple Jetty branches used behind proxies and load balancers.
CVE-2026-34457 is a Critical auth bypass in `oauth2-proxy` auth_request deployments where health-check User-Agent matching can grant unauthenticated access to protected upstreams.
A GitHub security advisory discloses Critical rules-engine expression injection in OpenRemote `openremote-manager` <=1.21.0, where `write:rules` users can execute arbitrary server code.
CVE-2026-32271 is a High-severity Craft Commerce SQL injection in the `TotalRevenue` widget that lets any authenticated control panel user chain to server-side RCE in affected 4.x/5.x releases.
Wordfence reports active exploitation of an unauthenticated RCE in the WordPress plugin `Kali Forms` (<=2.4.9) via `form_process`, fixed in 2.4.10.
CVE-2026-6204 reports a High-severity authenticated RCE in `librenms/librenms` before `26.3.0`, where admins can abuse Binary Locations and `GET /ajax/netcmd` to run attacker-controlled code.
CVE-2026-1116 reports a High-severity XSS in `parisneo/lollms` (<2.2.0) where unsanitized message content can execute in other users’ browsers.
A High-severity WebGPU out-of-bounds write in `Mesa` can occur due to untrusted allocation sizing, affecting versions before `25.3.6` and `26.0.0` before `26.0.1`.
CVE-2026-3690 reports a High auth bypass in `openclaw` canvas endpoints where IP-based fallback can grant unauthenticated access in NAT/VPN/Kubernetes networks.
An oss-security post highlights Roundcube’s fix for a pre-auth arbitrary file write in redis/memcache session handling, impacting internet-exposed Roundcube deployments before 1.5.14/1.6.14.
CVE-2026-31845 reports a Critical reflected XSS in Rukovoditel CRM <=3.6.4’s Zadarma telephony API endpoint, enabling unauthenticated attackers to execute JavaScript in victims’ browsers.
A GitHub advisory reports High unauthenticated SSRF in Arcane <=1.17.2, letting remote attackers probe internal services via `/api/templates/fetch` using a user-supplied URL.
CVE-2026-40175 reports a Critical Axios header-injection gadget chain that can turn upstream prototype pollution into SSRF/request-smuggling and AWS IMDSv2 credential theft in axios <1.15.0.
CVE-2026-5144 reports a High privilege-escalation flaw in `BuddyPress Groupblog` <=1.9.3 letting Subscriber+ attackers on WordPress Multisite auto-add users as `administrator`.
CVE-2026-33707 is a critical Chamilo LMS flaw where deterministic `sha1(email)` reset tokens allow unauthenticated password resets, impacting `chamilo/chamilo-lms` <1.11.38 and <2.0.0-RC.3.
An oss-security disclosure reports a Critical pre-auth RCE in Cockpit remote login where attacker-controlled hostname/username reaches `ssh`, impacting Cockpit versions `> 326`.
CVE-2026-40217 reports a High LiteLLM guardrails sandbox escape where authenticated API users bypass regex filtering via bytecode rewriting to execute arbitrary server-side code.
Apache Log4j Core fixed a Medium XmlLayout sanitization flaw (CVE-2026-34480) that can drop log events or trigger logging exceptions when messages contain XML 1.0-forbidden characters.
CVE-2026-1115 is a critical stored XSS in `parisneo/lollms` social posts (versions <2.2.0) that executes in Home Feed viewers’ browsers, including admins.
CERT/CC and SecurityWeek report nine Orthanc DICOM Server flaws (CVE-2026-5437–5445) impacting <=1.12.10, enabling DoS, memory leaks, and potential remote code execution.
A GitHub-reviewed advisory reports High-severity unauthenticated SSRF in `PraisonAI` where attacker-controlled `webhook_url` makes the server POST to internal services, including cloud metadata endpoints.
GitHub and CVE records report a High OIDC login-path flaw in Vikunja <2.3.0 where email fallback skips TOTP, issuing JWTs without second-factor verification.
wolfSSL disclosed a High-severity certificate validation flaw where OpenSSL-compat chain verification can accept forged leaf certs, impacting wolfSSL `<= 5.9.0` users of `wolfSSL_X509_verify_cert()`.
YesWeHack reports a Critical auth bypass in WordPress `login-with-azure` (Entra ID/Azure AD SSO) <=2.2.5 enabling forged `id_token` logins as any user; patched in 2.2.6.
Wordfence reports a High-severity arbitrary file deletion flaw in `wpForo Forum` `<= 3.0.2` that lets authenticated Subscriber+ attackers delete server files, with no known patch available.
CVE-2025-62718 discloses a Critical Axios NO_PROXY hostname normalization bypass affecting `axios < 1.15.0`, enabling proxy misrouting and practical SSRF to loopback/internal services.
JVN reports multiple CrewAI vulnerabilities where prompt injection can lead to remote code execution, SSRF, and arbitrary local file reads in agent deployments.
A Critical advisory reports an unauthenticated authorization bypass in `goshs` that allows writes/deletes inside `.goshs`-protected folders, enabling attackers to remove the ACL and expose protected data.
CVE-2026-39980 discloses a Critical OpenCTI template-sanitization flaw affecting `opencti < 6.9.5`, where users with Manage customization can execute arbitrary JavaScript during notifier template execution.
A High-severity SiYuan flaw let malicious Mermaid diagrams trigger zero-click Windows NTLMv2 hash disclosure and blind SSRF/tracking requests, impacting `siyuan < 3.6.4`.
Spring disclosed CVE-2026-22750 where `spring.ssl.bundle` is silently ignored in Spring Cloud Gateway `4.2.0`, causing gateways to use default SSL settings instead of intended bundles.
CVE-2026-29145 is a Critical Apache Tomcat/Tomcat Native flaw where CLIENT_CERT authentication may not fail as expected when soft-fail is disabled, impacting multiple supported branches.
Apache Tomcat disclosed an important CBC padding-oracle flaw in the clustering `EncryptInterceptor`, impacting Tomcat 9.0.13+, 10.0.0-M1+, and 11.0.0-M1+ deployments using default configuration.
A GitHub advisory reports High-severity FTP command injection in `basic-ftp` 5.2.0 where CRLF in file paths can split control-channel commands; patched in 5.2.1.
A High-severity CI4MS install-guard bypass can let unauthenticated attackers re-enter setup and overwrite `.env`, enabling full takeover in deployments running `ci4ms` < `0.31.4.0`.
GitLab’s Apr 8 patch release fixes a High unauthenticated GraphQL DoS (CVE-2025-12664) affecting GitLab CE/EE 13.0+ prior to patched 18.8.9/18.9.5/18.10.3.
CVE-2026-5173 is a High-severity GitLab CE/EE access-control flaw where authenticated users can invoke unintended server-side methods via websocket connections across multiple supported branches.
A new High-severity Jetty flaw can leak JASPI authentication state across requests on the same thread, breaking access control and enabling privilege escalation in affected branches.
GitHub’s advisory reports Marimo’s unauthenticated `/terminal/ws` WebSocket can spawn a PTY shell for pre-auth RCE on exposed self-hosted instances, including default Docker deployments.
Six Apart released Movable Type updates addressing critical Listing Framework code injection and SQL injection risks when the admin console or Data API is reachable by attackers.
Wordfence reports a critical unauthenticated RCE in the WordPress `Quick Playground` plugin (<=1.3.1) via exposed REST endpoints that allow path-traversal PHP uploads.
A High-severity DoS in React Server Components lets unauthenticated attackers spike CPU via crafted requests to Server Function endpoints in `react-server-dom-*` 19.0.0–19.2.4.
CVE-2026-33229 reports a High-severity XWiki Platform sandbox bypass where users with Script right can execute arbitrary scripts and fully compromise the XWiki instance.
CVE-2026-35490 reports a Critical decorator-ordering auth bypass in `changedetection.io` `< 0.54.8`, exposing multiple routes (including backup download) without any login.
Wordfence published CVE-2026-3296, a critical unauthenticated PHP object injection in the WordPress `everest-forms` plugin (<= 3.4.3) triggered when admins view submitted form entries.
CVE-2026-1114 is a Critical weak-JWT-signing-secret issue in `parisneo/lollms` <2.2.0 that enables offline key brute-force and forged admin tokens over the network.
CVE-2026-33439 is a critical pre-auth Java deserialization RCE in OpenIdentityPlatform OpenAM <16.0.6, where jato.clientSession can execute commands via crafted serialized objects.
CVE-2026-39324 is a critical flaw in `rack-session` 2.0.0–2.1.1 where cookie decrypt failures fall back to a default decoder, accepting crafted sessions without secrets.
CVE-2026-35523 is a High auth bypass in `strawberry-graphql` `< 0.312.3` where legacy `graphql-ws` clients can skip `connection_init` and reach subscriptions unauthenticated.
CVE-2026-31842 reports a High HTTP request desync in Tinyproxy <=1.11.3 where `Transfer-Encoding: Chunked` can hang backends and bypass request-body inspection controls.
CVE-2026-39363 is a High Vite dev-server WebSocket file-read issue affecting `vite` 6.x/7.x/8.x, enabling attackers to exfiltrate arbitrary host files when reachable without an `Origin` header.
Wordfence reports a Critical unauthenticated authorization bypass in WordPress `userspn` (Users manager – PN) `<= 1.1.15` enabling arbitrary user meta updates and account takeover conditions.
Wordfence published CVE-2026-5465, a High IDOR in WordPress `ameliabooking` <=2.1.3 that lets authenticated Provider users reset passwords for arbitrary accounts, including admins.
AWS published a security bulletin for three High issues in Research and Engineering Studio (RES) that enable authenticated command injection and AWS permission escalation in impacted releases.
CVE-2026-35442 is a High-severity Directus flaw where authenticated users can bypass `conceal` masking via `min`/`max` + `groupBy`, exposing API tokens and TOTP secrets.
CVE-2026-0740 is a critical unauthenticated arbitrary file upload in Ninja Forms - File Uploads for WordPress <=3.3.26, enabling uploads that may lead to code execution.
CVE-2026-34208 discloses a Critical SandboxJS sandbox-integrity escape affecting `SandboxJS` <0.8.36, where untrusted code can mutate host global objects via `this.constructor.call()`.
Newly published CVE-2019-25675 details union-based SQL injection in `eDirectory` login that can authenticate as admin and read arbitrary PHP files via `language_file.php`.
CVE-2019-25673 reports a High-severity arbitrary file upload in `UniSharp/laravel-filemanager` enabling authenticated users to upload PHP files and execute code via the working directory path.
CVE-2019-25687 reports a Critical unauthenticated RCE in `Pegasus CMS` 1.0 where `submit.php` evaluates attacker-supplied PHP via the `extra_fields.php` plugin.
A newly published CVE record reports a High-severity authenticated upload/deserialization RCE in `phpBB` <=3.2.3, with a public ExploitDB PoC using `phar://`.
A report says attackers are exploiting React2Shell (CVE-2025-55182) in unpatched, internet-exposed Next.js apps to automate credential theft from compromised servers at scale.
VulnCheck disclosed a High-severity authenticated command injection in `VA MAX <= 8.3.4` that enables remote code execution via `changeip.php`, with a public Exploit-DB reference.
A GitHub advisory reports a High-severity isolation flaw in Venueless where privileged API users in one world can delete user accounts in other worlds.
CVE-2026-3445 is a High-severity authorization bug in `ProfilePress` that lets authenticated subscribers manipulate checkout proration to obtain paid lifetime memberships without paying.
CVE-2026-35218 reports a High stored XSS in Budibase where Builder users can inject HTML into entity names, executing code when others open the Command Palette. ([raw.githubusercontent.com](https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/35xxx/CVE-2026-35218.json))
Budibase disclosed a critical unauthenticated RCE where public webhook-triggered automations with a Bash step can execute attacker-controlled commands as `root` in self-hosted deployments.
Zohocorp disclosed a High-severity stored XSS in ManageEngine Exchange Reporter Plus builds `5801` and below, enabling script injection when users view the Non-Owner Mailbox Permission report.
Tornado disclosed a High-severity cookie attribute injection issue in `RequestHandler.set_cookie` affecting versions `< 6.5.5`, enabling crafted `domain`/`path`/`samesite` values to inject extra attributes.
Wordfence disclosed a High-severity unauthenticated stored XSS in `Visitor Traffic Real Time Statistics` (<= 8.4) that executes when an admin views the Traffic by Title report.
Wordfence disclosed a High-severity IDOR in `WCFM – Frontend Manager for WooCommerce` `<= 6.7.25`, letting authenticated Vendor+ users modify any order or delete/modify posts regardless of ownership.
Wordfence disclosed a High-severity path traversal in WordPress `wpForo Forum` `<= 2.4.16`, letting authenticated subscribers delete arbitrary server files by deleting crafted posts.
CVE-2026-34838 is a critical authenticated RCE in `Intermesh/groupoffice` via unsafe settings deserialization, affecting versions prior to `6.8.156`, `25.0.90`, and `26.0.12`.
CVE-2026-34840 fixes a High-severity OneUptime SAML SSO signature-binding flaw affecting `oneuptime` <10.0.42, enabling low-privilege users to authenticate as other project users.
Wordfence reports High-severity path traversal in WordPress `perfmatters` <= `2.5.9.1` enabling Subscriber+ users to delete arbitrary files (including `wp-config.php`) and take over sites.
Progress warns ShareFile Storage Zones Controller v5 users about critical auth-bypass and upload RCE flaws, recommending upgrades to `v5.12.4` or any `v6` release.
CVE-2026-32145 is a High-severity multipart parser limit bypass in `wisp` < `2.2.2`, enabling unauthenticated attackers to exhaust memory or disk via oversized form posts.
CVE-2026-34076 discloses an unauthenticated SSRF in Clerk’s `clerkFrontendApiProxy` that can exfiltrate `Clerk-Secret-Key` in several `@clerk/*` server SDKs used by Node.js backends.
A Critical advisory for `convoypanel/panel` reports JWT signature verification was missing in SSO, allowing remote attackers to forge tokens and authenticate as arbitrary users.
CVE-2026-34528 is a High-severity logic flaw in `filebrowser` < `2.62.2` where self-signup can inherit command execution rights and run arbitrary shell commands.
Joomla disclosed a High-severity improper access control flaw in core web services impacting Joomla CMS 4.0.0–5.4.3 and 6.0.0–6.0.3, fixed in 5.4.4 and 6.0.4.
CVE-2026-29014 reports a critical unauthenticated PHP code injection in MetInfo CMS 7.9–8.1, letting remote attackers execute arbitrary code and fully compromise servers.
Wordfence reports CVE-2026-4347, a High-severity unauthenticated arbitrary file move in the `mw-wp-form` WordPress plugin <=5.1.0 that can enable site takeover and RCE.
CVE-2026-34751 is a critical flaw in `payload` and `@payloadcms/graphql` < `3.79.1`, letting unauthenticated attackers perform actions as users initiating password resets. ([raw.githubusercontent.com](https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34751.json))
A Rack multipart parsing flaw enables unauthenticated disk exhaustion via chunked uploads without `Content-Length`, impacting `rack` < `2.2.23`, `3.1.21`, and `3.2.6`.
Wordfence reports W3 Total Cache `<= 2.9.3` leaks the `W3TC_DYNAMIC_SECURITY` token in page source via a crafted User-Agent, impacting sites using fragment caching.
CVE-2026-34070 is a High-severity path traversal in `langchain-core` <1.2.22 that can expose host files when user-influenced prompt configs reach legacy `load_prompt*` APIs.
CVE-2026-4800 is a High-severity code injection in `lodash` <4.18.0 where untrusted `_.template` `options.imports` key names can execute code at compile time.
CVE-2026-34449 reports a critical cross-origin RCE affecting SiYuan `< 3.6.2`, where a malicious website can inject JavaScript via the API under a permissive CORS policy.
CVE-2026-33032 reports a critical unauthenticated access flaw in `nginx-ui` <=2.3.5 where `/mcp_message` exposes MCP tools, enabling remote Nginx config takeover.
CVE-2026-3256 reports `HTTP::Session` through 0.53 defaults to predictable session ID generation, risking session hijack in Perl web apps that rely on defaults.
CVE-2026-25099 discloses a High-severity unrestricted file upload in Bludit’s optional API plugin, where an attacker with an API token can reach server-side code execution.
A critical Handlebars.js flaw lets attackers inject JavaScript via crafted AST objects passed to `Handlebars.compile()`, impacting `handlebars` npm users on versions `>=4.0.0,<4.7.9`.
CVE-2026-33992 reports an authenticated SSRF in `pyload` allowing internal service access and cloud metadata exfiltration on self-hosted instances prior to the patched build.
WSA-2026-0002 discloses eight WebKitGTK/WPE WebKit flaws (SOP/CSP bypass, sandbox escape, XSS, crashes) affecting versions before 2.52.1 and fixed in 2.52.1.
Hitachi disclosed a High-severity XSS in Ops Center Analyzer and Infrastructure Analytics Advisor that can expose sensitive UI data; Ops Center Analyzer is fixed in 11.0.5-00.
CVE-2026-33696 reports a critical prototype pollution flaw in n8n XML and GSuiteAdmin nodes that can let low-privileged workflow editors achieve remote code execution.
CVE-2024-58341 discloses a High-severity unauthenticated SQL injection in OpenCart Core’s product search endpoint, enabling database data extraction via blind techniques in affected deployments.
CVE-2026-33344 is a High-severity path traversal in Dagu’s web API letting low-privileged authenticated users traverse outside the DAGs directory via `%2F`-encoded slashes.
CVE-2026-33307 reports a High-severity client-certificate chain length handling bug in `mod_gnutls` that can crash Apache HTTPD when client cert verification is enabled.
A CVEProject record reports a critical unauthenticated RCE chain in `WWBN/AVideo` `<= 26.0`, where CloneSite endpoints leak keys, dump databases, and reach command injection.
CVE-2026-30849 reports a critical SOAP API authentication bypass in MantisBT on MySQL-family backends, letting attackers log in as any user via crafted SOAP requests.
CVEProject published CVE-2026-32968, a critical unauthenticated OS command injection in `com_mb24sysapi` enabling remote code execution on mbCONNECT24-class gateways running firmware `<=2.19.3`.
Wordfence disclosed a critical unauthenticated account-destruction bug in `WP DSGVO Tools (GDPR)` <=3.1.38 that irreversibly anonymizes non-admin users via a crafted AJAX request.
CVE-2026-33293 is a High-severity path traversal in WWBN AVideo (<26.0) letting attackers with clone credentials delete arbitrary server files via `deleteDump`, causing DoS and weakening defenses.
Wordfence disclosed a High-severity unauthenticated arbitrary-method-call flaw in the WordPress `reviewx` plugin (`<= 2.2.12`), potentially enabling information disclosure or limited RCE.
Wordfence published a High-severity unauthenticated time-based SQL injection in the WordPress `WP Maps` plugin (`wp-google-map-plugin`) affecting versions up to 4.9.1, enabling remote database data extraction.
CVE-2019-25582 describes a High-severity arbitrary file download in i-doit CMDB 1.12, letting authenticated users fetch sensitive server files via crafted `index.php` requests.
curl/libcurl disclosed and patched a redirect edge case that could leak OAuth2 bearer tokens to a redirected hostname when .netrc matches.
CVE-2026-31816 reports a critical Budibase auth-bypass where adding a webhook-like path in the query string can skip authorization and CSRF checks on server APIs.
Go 1.26.1 and 1.25.8 ship five security fixes across crypto/x509, html/template, net/url, and os, addressing XSS, URL parsing, and certificate-verification failures.
Cloudflare-published CVE-2026-2835 describes a critical Pingora request smuggling flaw that can desync proxy/backend request framing.
Zammad published advisory ZAA-2026-06 for a critical SQL injection in Zammad 6.5.x.
CVE-2026-27971 reports a critical unauthenticated RCE in Qwik's server$ RPC unsafe deserialization affecting @builder.io/qwik <=1.19.0, where require() is available at runtime.
A GitHub-reviewed advisory reports a High-severity path normalization mismatch in @fastify/middie that can bypass path-scoped auth middleware.
Apache disclosed CVE-2026-23982, a High-severity authorization bypass in Superset versions before 6.0.0 enabling low-privilege users to access restricted data via dataset SQL overwrite.
Jenkins published a security advisory fixing a High-severity stored XSS in core that can be abused by users with node configuration/disconnect permissions; update is available.