CVE-2026-48558
SimpleHelp contains an authentication bypass in the OIDC flow, allowing unauthenticated attackers to forge tokens and gain full technician access without multi-factor authentication.
A critical vulnerability in curl (CVE-2026-8924, CVSS 9.1) leads Sunday's brief, notable for the library's presence in countless applications, containers, and embedded systems. Yesterday's disclosures include 1 critical vulnerability, down 75% from the prior day, alongside 48 high-priority CVEs, a 17% increase. Beyond the curl flaw, CVE-2026-48558 in SimpleHelp remote support software and CVE-2026-45659 in Microsoft Office SharePoint (both CVSS 9.5) are confirmed under active exploitation. Remote access tooling and collaboration platforms remain attractive targets, with the SimpleHelp and SharePoint activity continuing a pattern of attackers focusing on internet-facing management and document services. Patch availability stands at 0% across today's set, so teams should prioritize vendor advisory monitoring and compensating controls such as network segmentation and access restrictions.
Immediate action: Prioritize SimpleHelp remote support servers and SharePoint deployments given confirmed active exploitation, restricting internet exposure where updates are not yet applied. Inventory curl usage across applications and container images in preparation for CVE-2026-8924 remediation. With no patches currently available for today's disclosures, monitor vendor advisories closely and rely on network segmentation and access controls in the interim.
An insecure deserialization vulnerability in Microsoft Office SharePoint allows an authorized attacker to execute arbitrary code over a network.
A flaw in curl's cookie parsing logic enables an attacker-controlled origin to inject "super cookies" by bypassing Public Suffix List checks, leading to cross-domain data exposure.
The restaurant-website-php-mysql application contains an authentication vulnerability that allows unauthorized access to the system.
A Use-After-Free vulnerability in Microsoft Edge (Chromium-based) could allow an unauthenticated attacker to execute arbitrary code via network-based vectors.
A Use-After-Free vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to execute arbitrary code over a network.
A Use-After-Free vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to perform remote code execution.
A use-after-free vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated remote attacker to execute arbitrary code.
A use-after-free vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated remote attacker to execute arbitrary code.
Improper input validation in Microsoft Edge (Chromium-based) enables an unauthenticated remote attacker to execute arbitrary code.
A type confusion vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated remote attacker to execute arbitrary code via a malicious network interaction.
A type confusion vulnerability in Microsoft Edge (Chromium-based) permits an unauthenticated attacker to execute code over a network, potentially impacting system integrity.
Improper input validation in Microsoft Edge (Chromium-based) allows an unauthenticated remote attacker to execute arbitrary code.
A Time-of-check Time-of-use (TOCTOU) race condition in Microsoft Edge for Android allows an unauthenticated, remote attacker to execute arbitrary code.
An improper link resolution vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated, remote attacker to disclose sensitive information.
A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated, remote attacker to perform spoofing.
A cross-site scripting (XSS) vulnerability in Microsoft Edge allows an unauthenticated, remote attacker to perform spoofing attacks via network-based input manipulation.
Microsoft Edge (Chromium-based) contains a cross-site scripting (XSS) vulnerability that permits an unauthenticated attacker to perform spoofing over a network.
A relative path traversal vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to execute code over a network.
Microsoft Edge for Android contains a vulnerability that allows an unauthorized actor to disclose private personal information over a network.
A vulnerability in Microsoft Edge for Android allows an unauthorized actor to disclose private personal information over a network.
A deserialization and improper input validation vulnerability exists in kirilkirkov Ecommerce-CodeIgniter-Bootstrap, potentially allowing unauthenticated remote code execution or system impact.
Dell PowerProtect Data Domain is vulnerable to OS Command Injection, allowing an authenticated administrator to execute arbitrary commands on the underlying operating system.
Dell PowerProtect Data Domain is susceptible to an OS Command Injection vulnerability, allowing authenticated administrators to execute arbitrary commands.
Dell PowerProtect Data Domain is susceptible to OS command injection, allowing an authenticated administrator to execute arbitrary commands on the underlying operating system.
The myVesta control panel contains an authenticated remote code execution vulnerability due to improper neutralization of special elements in OS commands.
A flaw in libcurl's HTTP/3 implementation allows for potential information leakage when an attacker replaces a legitimate server with an impostor during a cached SSL session.
A memory exhaustion vulnerability in curl allows a malicious server to crash the application by flooding it with WebSocket PING frames, because curl places no upper bound on the memory it allocates to buffer them.
The UTT HiPER 1250GW router is vulnerable to a stack-based buffer overflow, which may lead to memory corruption and potential unauthorized command execution.
Trail of Bits fickling is vulnerable to deserialization of untrusted data and incomplete input validation, allowing potential arbitrary code execution.
Trail of Bits fickling is susceptible to a protection mechanism failure, allowing for potential exploitation of the deserialization process.
The HestiaCP panel cronjob feature contains a broken access control vulnerability that allows authenticated users to escalate privileges.
The Kong Konnect Model Context Protocol (MCP) server contains an improper input validation vulnerability with an as yet unspecified security impact.
A code injection vulnerability in tiddly-gittly TidGi-Desktop allows for arbitrary command execution via improper input handling.
A critical SQL injection vulnerability in the employer/login.php file of code-projects Internship Management System 1.0 allows for unauthenticated remote command injection.
A SQL injection vulnerability exists in SourceCodester Multi-Vendor Online Grocery Management System 1.0, potentially allowing unauthenticated remote attackers to manipulate database queries.
An improper authorization vulnerability in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows for incorrect privilege assignment, potentially leading to unauthorized access.
A SQL injection vulnerability exists in itsourcecode Online Hotel Management System 1.0, enabling unauthenticated remote attackers to interfere with database operations.
A SQL injection vulnerability exists in code-projects Online Job Portal 1.0, allowing unauthenticated attackers to execute arbitrary database queries.
A SQL injection vulnerability exists in SourceCodester Simple and Nice Shopping Cart Script 1.0, enabling unauthenticated attackers to manipulate database queries.
A SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows unauthenticated attackers to conduct malicious database operations.
A SQL injection vulnerability in the /admin/mensproductdeletequery.php file of SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to execute arbitrary SQL commands.
A SQL injection vulnerability exists in the test_input function of /saveVote.php in code-projects Online Voting System 1.0, allowing unauthenticated remote attackers to execute malicious SQL commands.
A SQL injection vulnerability in the login component of code-projects Online Voting System allows unauthenticated attackers to compromise the system via the `test_input` function.
A SQL injection vulnerability exists in the SourceCodester Class and Exam Timetabling System, allowing unauthenticated remote attackers to manipulate the `ID` argument in `/edit_class2.php`.
A SQL injection vulnerability in the CodeAstro Apartment Visitor Management System allows unauthenticated remote attackers to execute malicious queries via the `Username` argument in `/index.php`.
A SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote, unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in edit_course.php.
A path traversal vulnerability exists in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap application, potentially allowing unauthorized access to files.
A heap-based buffer overflow vulnerability in GIMP's Paint Shop Pro (PSP) file parser may allow for arbitrary code execution.
An authentication-related flaw in Gitea Open Source Git Server may allow a security bypass.
A vulnerability in Gitea allows authenticated users to perform unauthorized actions or access data due to improper authorization and ID handling.