6.9
CVE-2026-7398 - florensiawidjaja BioinfoMCP Upload Endpoint app.py upload path traversal
A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. This manipulation of the argument Name causes path traversal. The atβ¦
6.3
CVE-2026-27105 - Improper Link Resolution Before File Access Enables Arbitrary File Write
Dell/Alienware Purchased Apps, versions prior to 1.1.31.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write
4.8
CVE-2026-7439 - AgentFlow Local Web API Content-Type Validation Bypass
AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation weaknesβ¦
6.5
CVE-2026-41499 - Wazuh: Multiple Heap-based NULL WRITE Buffer Underflows in parse_uname_string()
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agentsβ¦
4.8
CVE-2026-7397 - NousResearch hermes-agent file_tools.py _check_sensitive_path symlink
A security flaw has been discovered in NousResearch hermes-agent 0.8.0. This affects the function _check_sensitive_path of the file tools/file_tools.py. The manipulation results in symlink following. Attacking locally is a requirement. The exploit has been released to the public and may be used forβ¦
9
CVE-2026-30893 - Wazuh cluster sync path traversal in decompress_files() enables arbitrary file write and code execuβ¦
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the iβ¦
6.5
CVE-2026-28221 - Wazuh: Pre-auth stack-based buffer overflow in wazuh-remoted print_hex_string() due to signed char β¦
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.8.0 to before version 4.14.4, a stack-based buffer overflow exists in print_hex_string() in wazuh-remoted. The bug is triggered when formatting attacker-controlled bytes using sprintf(dst_buβ¦
6.5
CVE-2026-26206 - Wazuh: API brute-force protection bypass via race condition in login attempt tracking
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the confiβ¦
4.4
CVE-2026-26204 - Wazuh: Heap-based NULL WRITE Buffer Underflow in GetAlertData
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Dueβ¦
10
CVE-2026-26015 - Unauthenticated RCE in DocsGPT MCP STDIO Configuration
DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE)β¦