New

CVE-2025-62233: Apache DolphinScheduler: Deserialization of untrusted data in RPC: Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module. This issue affects Apache DolphinScheduler:  Version >= 3.2.0 and < 3.3.1. Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RP...

CVE-2026-41044: Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious brok...

CVE-2026-41043: Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by inje...

CVE-2026-40466: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP D...

CVE-2026-6272: A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest. 1. Obtain any valid token with only read scope. 2. Connect to the normal production gRPC API (kuksa.val.v2). 3. Open OpenProviderStream. 4. Send ProvideSignalRequest for a target signal ID. 5. Wait for the broker to for...

Updated

CVE-2026-6732: Libxml2: libxml2: denial of service via crafted xsd-validated document: A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to c...

CVE-2026-6393: BetterDocs <= 4.3.11 - Missing Authorization to Authenticated (Subscriber+) Unauthorized AI API Usage: The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it ...

CVE-2026-3565: Taqnix <= 1.0.3 - Cross-Site Request Forgery to Account Deletion via 'taqnix_delete_my_account' AJAX Action: The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account() function, where the check_ajax_referer() call is explicitly commented out on line 883. Th...

CVE-2026-5121: Libarchive: libarchive: arbitrary code execution via integer overflow in iso9660 image processing: A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for ar...

CVE-2026-41044: Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious brok...

CISA Known Exploited Vulnerabilities

CVE-2026-39987 Marimo Marimo: Marimo contains an pre-authorization remote code execution vulnerability, allowing an unauthenticated attacked to shell access and execute arbitrary system commands.

CVE-2026-33825 Microsoft Defender: Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.

CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS): Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.

CVE-2024-27199 JetBrains TeamCity : JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.

CVE-2023-27351 PaperCut NG/MF : PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class.