CVE-2026-56782
CVSS 9.8
EPSS 0.0302
Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
Critical severity issue in Gorse, published this week.
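The fail-open check pattern described in the Gorse entry, as an added illustration in Python that is not Gorse's own code (Gorse is written in Go). The X-API-Key header name, the Config field and the set of admin endpoints are assumptions for the demo; the point is the difference between "no key configured, so skip the check" and "no key configured, so nobody is admin".

```python
"""Fail-open vs fail-closed admin-key checks for dump/restore-style endpoints.

Added illustration, not Gorse's code. The X-API-Key header name, the Config
field and the endpoint set are assumptions for the demo.
"""
import hmac
from dataclasses import dataclass

ADMIN_ENDPOINTS = {"/api/dump", "/api/restore"}


@dataclass
class Config:
    admin_api_key: str = ""  # empty by default, the scenario in the advisory


def authorize_vulnerable(cfg: Config, path: str, headers: dict) -> bool:
    """Fail-open: an empty configured key disables the check entirely."""
    if path not in ADMIN_ENDPOINTS:
        return True
    if cfg.admin_api_key == "":
        return True  # BUG: no key configured means every caller is admin
    return headers.get("X-API-Key", "") == cfg.admin_api_key


def authorize_fixed(cfg: Config, path: str, headers: dict) -> bool:
    """Fail-closed: an empty configured key means nobody reaches admin endpoints."""
    if path not in ADMIN_ENDPOINTS:
        return True
    if not cfg.admin_api_key:
        return False
    presented = headers.get("X-API-Key", "")
    # constant-time comparison so the key cannot be recovered byte by byte
    return hmac.compare_digest(presented.encode(), cfg.admin_api_key.encode())


def validate_startup(cfg: Config) -> None:
    """Belt and braces: refuse to start when admin endpoints would be unprotected."""
    if not cfg.admin_api_key:
        raise RuntimeError("admin_api_key is empty; /api/dump and /api/restore would be unauthenticated")


if __name__ == "__main__":
    default_cfg = Config()
    anonymous = {}  # constructed request carrying no credential at all
    print("vulnerable allows anonymous dump:", authorize_vulnerable(default_cfg, "/api/dump", anonymous))
    print("fixed allows anonymous dump:     ", authorize_fixed(default_cfg, "/api/dump", anonymous))
```

The startup check is the more robust fix of the two: a request-time fail-closed branch protects the endpoints, but refusing to start with an empty key also surfaces the misconfiguration to the operator instead of silently returning 401 to every dump/restore call.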
CVE-2026-13545
CVSS 8.8
EPSS 0.0271
A vulnerability has been found in D-Link DCS-935L 1.10.01. It affects the function sub_400E40 in the file setconf.cgi of the POST Parameter Handler component. Manipulation of the UID argument leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Newly published issue in D-Link DCS-935L with notable risk signals for defenders (remotely exploitable, public exploit available).
CVE-2026-13763
CVSS 9.8
EPSS 0.0047
Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups.
To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated with the ALB. Refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection
Critical severity issue in AWS Application Load Balancer with AWS WAF enabled, published this week.
CVE-2026-13762
CVSS 9.8
EPSS 0.0044
Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.
This issue was remediated server-side. No customer action is required.
Critical severity issue in Amazon CloudFront with AWS WAF enabled, published this week.
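Both AWS entries describe the same failure: a body rule evaluated on whatever DATA frames the inspector has seen so far rather than on the reassembled request body. The following Python is an added example, not AWS WAF, ALB or CloudFront code. The DATA frame encoding follows RFC 9113 section 6.1 (including the PADDED flag); the SQLi-style signature, the request body and the max_body cap, which stands in for an "inspect after sufficient data" threshold, are constructed for the demo.

```python
"""HTTP/2 DATA-frame body reassembly: why inspecting only the first frame fails.

Added example, not AWS WAF/ALB/CloudFront code. Frame layout per RFC 9113 6.1;
the signature, the request body and the max_body cap are constructed for the demo.
"""
import re
import struct

FRAME_HEADER_LEN = 9
TYPE_DATA = 0x0
FLAG_END_STREAM = 0x1
FLAG_PADDED = 0x8

# Constructed stand-in for a WAF body rule (SQLi-style signature).
SIGNATURE = re.compile(rb"UNION\s+SELECT", re.IGNORECASE)


def build_data_frame(stream_id: int, payload: bytes, end_stream: bool = False, pad: int = 0) -> bytes:
    """Encode one DATA frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    flags = FLAG_END_STREAM if end_stream else 0
    body = payload
    if pad:
        flags |= FLAG_PADDED
        body = bytes([pad]) + payload + b"\x00" * pad  # Pad Length octet, data, padding
    header = struct.pack(">I", len(body))[1:] + bytes([TYPE_DATA, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + body


def iter_frames(raw: bytes):
    """Yield (type, flags, stream_id, payload) for each frame in a byte stream."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(raw):
        length = int.from_bytes(raw[pos:pos + 3], "big")
        ftype, flags = raw[pos + 3], raw[pos + 4]
        stream_id = int.from_bytes(raw[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = raw[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        pos += FRAME_HEADER_LEN + length
        yield ftype, flags, stream_id, payload


def data_bytes(flags: int, payload: bytes) -> bytes:
    """Return the application data of a DATA frame, stripping padding if PADDED is set."""
    if flags & FLAG_PADDED:
        pad_len = payload[0]
        return payload[1:len(payload) - pad_len]
    return payload


def inspect_first_frame_only(raw: bytes) -> bool:
    """Flawed inspector: runs the rule on the first DATA frame and stops."""
    for ftype, flags, _sid, payload in iter_frames(raw):
        if ftype == TYPE_DATA:
            return bool(SIGNATURE.search(data_bytes(flags, payload)))
    return False


def inspect_reassembled(raw: bytes, stream_id: int, max_body: int = 8192) -> bool:
    """Correct inspector: buffer DATA for the stream until END_STREAM or the
    size cap is reached, then run the rule on the reassembled body."""
    body = bytearray()
    for ftype, flags, sid, payload in iter_frames(raw):
        if ftype != TYPE_DATA or sid != stream_id:
            continue
        body += data_bytes(flags, payload)
        if flags & FLAG_END_STREAM or len(body) >= max_body:
            break
    return bool(SIGNATURE.search(bytes(body[:max_body])))


def fragmented_request(stream_id: int = 1) -> bytes:
    """Constructed attack body: the signature straddles two frames, so no single
    frame matches on its own. The first frame is padded to show that padding
    must be stripped before the pieces are joined."""
    part1 = b"q=1 UNION"
    part2 = b" SELECT username, password FROM users--"
    return build_data_frame(stream_id, part1, pad=3) + build_data_frame(stream_id, part2, end_stream=True)


if __name__ == "__main__":
    raw = fragmented_request()
    print("first-frame-only inspector flags it:", inspect_first_frame_only(raw))
    print("reassembling inspector flags it:    ", inspect_reassembled(raw, 1))
```

The cap matters in both directions: without one an attacker can make the inspector buffer an unbounded body, but with one the rule must still run on the bytes that were buffered, not on the first frame alone. A sender can split a body at any byte boundary, so any inspector that decides before END_STREAM (or its cap) has to accept that the decision covers only a prefix.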
CVE-2026-57331
CVSS 9.9
EPSS 0.0034
Arbitrary file deletion by a Performer-role user in Paid Videochat Turnkey Site versions <= 7.4.8.
Critical severity issue in Paid Videochat Turnkey Site, published this week.
CVE-2026-58000
CVSS 8.8
EPSS 0.014
luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a shell command without proper escaping or quoting. An authenticated LuCI user with OpenVPN protocol configuration access can inject arbitrary shell metacharacters into cl_meta to execute commands as root via the popen function.
Newly published issue in luci-proto-openvpn with notable risk signals for defenders (authenticated command execution as root).
CVE-2026-56290
CVSS 9.8
EPSS 0.0033
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
Critical severity issue in the Joomla extension Page Builder CK, published this week.
CVE-2026-57999
CVSS 8.8
EPSS 0.0118
luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted within a double-quoted shell command, allowing shell substitutions like $() to be evaluated by the outer shell before argument processing.
Newly published issue in luci-app-tailscale-community with notable risk signals for defenders (authenticated command execution as root).
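The two LuCI entries, and the D-Link setconf.cgi UID issue above, are one bug class: a caller-controlled string pasted into a shell command line. The Python below is an added example, not the luci-proto-openvpn, luci-app-tailscale-community or D-Link code; echo stands in for the real binary, and the loginserver parameter name is taken from the tailscale advisory (the cl_meta/popen case in the OpenVPN entry has the same shape). It shows why wrapping the value in double quotes, as the tailscale entry describes, does not stop $() substitution, while shell-safe quoting or, better, an argv list executed without any shell does.

```python
"""Shell interpolation vs argv: the bug class behind both LuCI command injections.

Added example, not the luci-proto-openvpn, luci-app-tailscale-community or
D-Link code. `echo` stands in for the real binaries; the loginserver parameter
name comes from the advisory; the payload is constructed and benign.
"""
import shlex
import subprocess


def build_command_vulnerable(loginserver: str) -> str:
    """Double quotes do not help: the outer shell performs $(...) and backtick
    command substitution inside double-quoted strings before the program
    ever sees its arguments. This is the pattern the advisories describe."""
    return f'echo --login-server="{loginserver}"'


def build_command_quoted(loginserver: str) -> str:
    """shlex.quote wraps the value in single quotes (escaping embedded single
    quotes), so the shell passes it through literally. Acceptable when a shell
    string is unavoidable, e.g. an existing popen()-style call site."""
    return f"echo --login-server={shlex.quote(loginserver)}"


def build_argv(loginserver: str) -> list:
    """Best option: no shell at all. Each list element reaches the program as
    one argument with no metacharacter processing in between."""
    return ["echo", f"--login-server={loginserver}"]


def run_shell(cmd: str) -> str:
    """Execute through /bin/sh, as popen() or os.system() would."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout.strip()


def run_argv(argv: list) -> str:
    """Execute directly with an argument vector; no shell is involved."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.strip()


# Constructed benign payload: a real attacker would substitute something other than echo.
PAYLOAD = "https://hq.example$(echo INJECTED)"


def demo() -> dict:
    """Run the same payload through all three builders and return what the program saw."""
    return {
        "vulnerable": run_shell(build_command_vulnerable(PAYLOAD)),
        "quoted": run_shell(build_command_quoted(PAYLOAD)),
        "argv": run_argv(build_argv(PAYLOAD)),
    }


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name:>10}: {seen}")
```

In the vulnerable case the program receives `--login-server=https://hq.exampleINJECTED`: the substitution already ran, as the caller of the process (root, for an rpcd backend). Both safe variants hand over the literal `$(echo INJECTED)`. Note that the argv form only protects the boundary with the shell; if the invoked program itself treats the value as a URL or file path, that needs its own validation.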
CVE-2026-37637
CVSS 9.1
EPSS 0.0047
An issue in Alexantr filemanager v1.0 allows a remote attacker to execute arbitrary code via the filemanager.php component.
Critical severity issue in Alexantr filemanager, published this week.
CVE-2026-13564
CVSS 8.8
EPSS 0.0075
A vulnerability was found in Edimax EW-7478APC 1.04. It affects the function formPPPoESetup of the file /goform/formPPPoESetup in the POST Request Handler component. Manipulation of the pppUserName argument results in a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond.
Newly published issue in Edimax EW-7478APC with notable risk signals for defenders (remotely exploitable, public exploit available, no vendor response).