New
CVE-2026-58077: Joomla Extension - weeblr.com - Unauthenticated stored XSS in 4Analytics < 5.0.2: The Joomla extension 4Analytics is vulnerable to an unauthenticated stored XSS. A specially crafted unauthenticated request may result in website takeover under some circumstances.
CVE-2026-57833: Joomla Extension - weeblr.com - Unauthenticated stored XSS in 4Analytics < 5.0.2: The Joomla extension 4Analytics is vulnerable to an unauthenticated stored XSS in relation to the AI analysis feature.
CVE-2026-57832: Joomla Extension - joomdonation.com - Unauthenticated blind SQL injection in EDocman < 3.9: The Joomla extension EDocman is vulnerable to an unauthenticated SQL injection.
CVE-2026-57831: Joomla Extension - digital-peak.com - Unauthenticated blind SQL injection in DP Calendar 8.18.0 - 10.11.2: The Joomla extension DP Calendar is vulnerable to an unauthenticated SQL injection.
CVE-2026-15804: MetaGuru|HCM - SQL Injection: The HCM developed by MetaGuru has a SQL Injection vulnerability. Authenticated remote attackers can inject SQL commands via specific parameters, thereby compromising the confidentiality, integrity, and availability of database data.
Updated
CVE-2026-15028: Libarchive: heap overflow oob read while parsing a tar archive contains a pax extended header: A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could le...
CVE-2026-46579: Openshift/router: openshift/router: mtls client certificate spoofing via unstripped x-ssl-client headers on http frontend: A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SS...
CVE-2026-15305: TYPO3 CMS - Unrestricted File Upload in Form Framework: Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator neve...
CVE-2026-4647: Binutils: out-of-bounds read in xcoff relocation processing in gnu binutils bfd library: A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the progr...
CVE-2026-57830: Joomla Extension - joomshaper.com - Unauthenticated arbitrary file deletion in Helix Ultimate < 2.2.7: The Joomla extension Helix Ultimate is vulnerable to an unauthenticated arbitrary file deletion.
CISA Known Exploited Vulnerabilities
CVE-2026-56164 Microsoft SharePoint Server: Microsoft SharePoint contains a missing authentication for critical function vulnerability that allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-56155 Microsoft Active Directory Federation Services: Microsoft Active Directory Federation Services contains an insufficient granularity of access control vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2026-15410 SonicWall SMA1000 Appliances: SonicWall SMA1000 Appliances contain a code injection vulnerability which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.
CVE-2026-15409 SonicWall SMA1000 Appliances: SonicWall SMA1000 Appliances contain a server-side request forgery vulnerability that could allow a remote unauthenticated attacker to potentially cause the appliance to make requests to unintended location.
CVE-2008-4128 Cisco IOS: Cisco IOS 12.4 contains multiple cross-site forgery vulnerabilities that allows remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI.