Security Vulnerabilities
CVE-2026-21509
Known exploited
Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.
CVSS Score: 7.8 | EPSS Score: 0.093 | Published: 2026-01-26
There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.
CVSS Score: 5.0 | EPSS Score: 0.0 | Published: 2026-01-26
Tanium addressed an improper input validation vulnerability in Discover.
CVSS Score: 2.7 | EPSS Score: 0.0 | Published: 2026-01-26
Tanium addressed an uncontrolled resource consumption vulnerability in Discover.
CVSS Score: 4.9 | EPSS Score: 0.0 | Published: 2026-01-26
Improper header parsing that may lead to request smuggling has been identified in Hiawatha webserver version 11.7, which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver.
CVSS Score: 5.3 | EPSS Score: 0.0 | Published: 2026-01-26
A timing attack against Tomahawk authentication, due to the use of `strcmp`, has been identified in Hiawatha webserver version 11.7, which allows a local attacker to access the management client.
CVSS Score: 3.3 | EPSS Score: 0.0 | Published: 2026-01-26
A double free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7, which allows an unauthenticated attacker to corrupt data, which may lead to arbitrary code execution.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2026-01-26
An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the endpoints of the excel-integration-service template download module, the integration-persistence-service job listing module, and the portfolio-item-service data retrieval module.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2026-01-26
Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data.
CVSS Score: 9.9 | EPSS Score: 0.0 | Published: 2026-01-26
Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in `eslint/lib/shared/serialization.js`. The exploit is triggered via the `RuleTester.run()` method, which validates test cases and checks for duplicates. During validation, the internal function `checkDuplicateTestCase()` is called, which in turn uses the `isSerializable()` function for serialization checks. When an object with a circular reference is passed in, `isSerializable()` enters infinite recursion, ultimately causing a stack overflow.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2026-01-26

