Skip to main content
CVE-2026-22264 HIGH PATCH This Week

Heap use-after-free in Suricata prior to versions 8.0.3 and 7.0.14 can be triggered via integer overflow when processing packets that generate excessive alert conditions, allowing an attacker to crash the IDS/IPS engine or potentially achieve code execution. Affected deployments using large rulesets are at risk when processing malicious or crafted network traffic designed to trigger simultaneous signature matches. Patches are available for both affected versions.

Use After Free Integer Overflow Suricata Suse
NVD GitHub
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-21408 HIGH This Week

beat-access for Windows version 3.0.3 and prior allows local attackers with user privileges to execute arbitrary code with SYSTEM-level permissions through insecure DLL search path resolution. An attacker can exploit this vulnerability by placing a malicious DLL in a predictable location, which the application will load and execute during normal operation. No patch is currently available for this vulnerability.

Windows
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2026-24748 HIGH PATCH This Week

Kargo's GetConfig() API endpoint fails to validate Bearer token authenticity, allowing unauthenticated attackers to retrieve sensitive configuration data including Argo CD cluster endpoints and namespaces that could facilitate further attacks. The same authentication bypass affects the RefreshResource endpoint, which can be leveraged for denial-of-service attacks. Versions 1.6.3, 1.7.7, and 1.8.7 and later include patches for this vulnerability.

Golang Kubernetes Information Disclosure Kargo Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-23592 HIGH This Week

HPE Aruba Networking Fabric Composer's backup functionality contains insecure file operations that permit authenticated users to execute arbitrary OS commands, resulting in remote code execution on affected systems. An attacker with valid credentials could leverage this vulnerability to gain full system compromise through the backup restoration process. No patch is currently available to remediate this high-severity flaw.

RCE
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-0919 HIGH This Week

Tapo C220 and C520WS network cameras contain an HTTP parser defect that crashes the device when processing requests with excessively long URL paths, allowing unauthenticated remote attackers to trigger repeated denial of service through device reboots. The vulnerability stems from improper error handling that attempts to access unallocated buffers during cleanup operations. No patch is currently available for affected firmware versions.

Denial Of Service Tapo C220 Firmware Tapo C520ws Firmware
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-0918 HIGH This Week

Null pointer dereference in TP-Link Tapo C220 v1 and C520WS v2 cameras allows adjacent network attackers to crash the HTTP service via malformed POST requests with excessive Content-Length headers. Attackers can sustain denial of service through repeated crashes despite automatic device restarts. EPSS score is low (0.03%, 10th percentile), indicating minimal observed exploitation activity. No public exploit code or CISA KEV listing identified at time of analysis.

Null Pointer Dereference Denial Of Service Tapo C220 Firmware Tapo C520ws Firmware
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-21417 HIGH This Week

Dell CloudBoost Virtual Appliance versions before 19.14.0.0 store sensitive passwords in plaintext, allowing authenticated remote attackers to retrieve credentials and escalate privileges. This vulnerability carries a high availability impact alongside confidentiality and integrity concerns, though exploitation requires substantial technical complexity. No patch is currently available.

Information Disclosure Dell Cloudboost Virtual Appliance
NVD
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-0705 MEDIUM This Month

Acronis Cloud Manager for Windows before build 6.4.25342.354 is vulnerable to local privilege escalation through improperly configured folder permissions, allowing authenticated users with low privileges to escalate to higher privileges. An attacker with local access and user interaction can exploit this vulnerability to gain full system control. No patch is currently available for this vulnerability.

Windows Privilege Escalation
NVD
CVSS 3.0
6.7
EPSS
0.0%
CVE-2025-14911 MEDIUM This Month

User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container. [CVSS 6.5 MEDIUM]

MongoDB Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24829 MEDIUM This Month

Heap-based buffer overflow in is-Engine before version 3.3.4 allows remote attackers to cause denial of service through out-of-bounds memory writes. The vulnerability requires user interaction and network access but has no patch currently available. Affected installations should upgrade to version 3.3.4 or later to mitigate this denial of service risk.

Buffer Overflow Heap Overflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24868 MEDIUM PATCH This Month

Firefox's Anti-Tracking privacy protection can be bypassed by unauthenticated remote attackers through user interaction, potentially allowing tracking mechanisms to function despite enabled privacy protections. The vulnerability affects Firefox versions below 147.0.2 and currently has no available patch. An attacker could exploit this to circumvent Firefox's tracking prevention features and monitor user activity.

Mozilla Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1504 MEDIUM PATCH This Month

Cross-origin data disclosure in Google Chrome's Background Fetch API prior to version 144.0.7559.110 enables remote attackers to steal sensitive information from other websites through specially crafted HTML pages, requiring only user interaction. The vulnerability affects all Chrome users and has a patch available in the latest version.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-12810 MEDIUM This Month

Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. [CVSS 6.5 MEDIUM]

Authentication Bypass Secret Server
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24738 MEDIUM PATCH This Month

gmrtd library versions prior to 0.17.2 fail to validate TLV (Tag-Length-Value) data lengths, allowing attackers to specify values up to 4GB that trigger excessive memory allocation and CPU consumption. Applications using gmrtd to parse travel documents from NFC devices or external APIs are vulnerable to denial of service attacks, particularly on resource-constrained environments like mobile devices. A patch is available in version 0.17.2 and later.

Golang Gmrtd Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0746 MEDIUM This Month

The AI Engine plugin for WordPress versions up to 3.3.2 contains a server-side request forgery vulnerability in the 'get_audio' function that allows authenticated subscribers and higher-privileged users to make arbitrary web requests from the server. When the Public API setting is enabled and allow_url_fopen is active, attackers can query and modify data on internal services accessible to the web application. No patch is currently available for this vulnerability.

WordPress SSRF AI / ML
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24348 MEDIUM This Month

Ezcast Pro Dongle Ii Firmware versions up to 1.17478.146 is affected by improper input validation (CVSS 6.1).

XSS Ezcast Pro Dongle Ii Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-11187 MEDIUM POC PATCH This Month

Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. [CVSS 6.1 MEDIUM]

OpenSSL Buffer Overflow Null Pointer Dereference Denial Of Service RCE +2
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22262 MEDIUM PATCH This Month

Suricata versions prior to 8.0.3 and 7.0.14 are vulnerable to a stack buffer overflow when processing oversized datasets with the save or state options enabled, allowing an attacker with network access to cause a denial of service. The vulnerability requires specific conditions to trigger but does not require authentication or user interaction. A patch is available in the latest versions.

Stack Overflow Suricata Red Hat Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-66199 MEDIUM POC PATCH This Month

Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. [CVSS 5.9 MEDIUM]

OpenSSL TLS Memory Corruption Denial Of Service Information Disclosure +2
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-15468 MEDIUM PATCH This Month

Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. [CVSS 5.9 MEDIUM]

OpenSSL TLS Null Pointer Dereference Denial Of Service Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-23892 MEDIUM PATCH This Month

OctoPrint versions up to 1.11.5 contain a timing attack vulnerability in API key validation that enables remote extraction of valid API keys through network-based response time analysis. An unauthenticated attacker with network access can exploit the character-by-character comparison method to gradually recover API keys by measuring authentication response delays. The attack's practicality depends heavily on network conditions, but a patch is available in version 1.11.6.

Information Disclosure Octoprint
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24909 MEDIUM PATCH This Month

Path traversal in vlt versions before 1.0.0-rc.10 allows local attackers to write files outside their intended directories during tar archive extraction due to insufficient path sanitization. An attacker with local access could exploit this to overwrite arbitrary files on the system with elevated scope impact. No patch is currently available for this vulnerability.

Path Traversal
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24910 MEDIUM This Month

Bun versions prior to 1.3.5 allow attackers to bypass the trusted dependencies allowlist by creating non-npm packages with names matching legitimate packages, enabling potential code execution through dependency confusion attacks. This local vulnerability affects systems using Bun's package management where an attacker can craft malicious packages with identical names to trusted dependencies. No patch is currently available for affected Node.js and GitHub integrations.

Node.js Github
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-22795 MEDIUM PATCH This Month

Processing a malformed PKCS#12 file in OpenSSL and related TLS libraries can trigger a null pointer dereference due to improper type validation in ASN.1 parsing, causing applications to crash. This vulnerability requires local user interaction to exploit and results only in denial of service, with no impact on data confidentiality or integrity. A patch is available to address this medium-severity issue.

OpenSSL Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-1449 MEDIUM This Month

SQL injection in Hisense TransTech Smart Bus Management System through version 20260113 allows unauthenticated remote attackers to manipulate the key parameter in the TireMng.aspx Page_Load function and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. An attacker can exploit this over the network without authentication to read, modify, or delete sensitive data.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-24116 MEDIUM PATCH This Month

Wasmtime versions 29.0.0 through 41.0.0 on x86-64 platforms with AVX contain an out-of-bounds memory read in the f64.copysign instruction compilation that can cause application crashes when signal-based traps are disabled. In configurations with disabled guard pages, this vulnerability could potentially leak out-of-sandbox data, though the data remains inaccessible to WebAssembly guests without additional Cranelift bugs. Patches are available in versions 36.0.5, 40.0.3, and 41.0.1.

Buffer Overflow Information Disclosure Wasmtime
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-15469 MEDIUM POC PATCH This Month

Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. [CVSS 5.5 MEDIUM]

OpenSSL TLS Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-1489 MEDIUM PATCH CISA This Month

GLib's Unicode case conversion function contains an integer overflow flaw that causes undersized memory allocation when processing extremely large strings, enabling out-of-bounds writes. Applications using GLib for string operations could experience crashes or instability when exposed to specially crafted input. No patch is currently available for this medium-severity vulnerability.

Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-22796 MEDIUM PATCH This Month

OpenSSL's PKCS#7 signature verification fails to validate ASN1_TYPE union members before access, allowing attackers to trigger null pointer dereference crashes by submitting malformed PKCS#7 data. Applications performing signature verification or using PKCS7_digest_from_attributes() directly are vulnerable to denial of service attacks. A patch is available to address this type confusion vulnerability.

OpenSSL Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-24806 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java.

Apache Java Code Injection RCE
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-41728 MEDIUM This Month

A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response. [CVSS 5.3 MEDIUM]

Buffer Overflow Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24347 MEDIUM This Month

Ezcast Pro Dongle Ii Firmware versions up to 1.17478.146 is affected by improper input validation (CVSS 5.3).

Code Injection Ezcast Pro Dongle Ii Firmware
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14971 MEDIUM This Month

Link Invoice Payment for WooCommerce (WordPress plugin) versions up to 2.8.0. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22263 MEDIUM PATCH This Month

Suricata versions up to 8.0.3 contains a vulnerability that allows attackers to slowdown over multiple packets (CVSS 5.3).

Information Disclosure Suricata Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24489 MEDIUM PATCH This Month

HTTP header injection in the Gakido Python HTTP client prior to version 0.1.1 allows unauthenticated attackers to inject arbitrary headers into requests by embedding CRLF or null byte sequences in user-supplied header values and names. An attacker could leverage this to manipulate HTTP requests and potentially bypass security controls or perform request smuggling attacks. The vulnerability has been patched in version 0.1.1 with header sanitization functions, though no patch is currently available for affected systems.

Python
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24473 MEDIUM PATCH This Month

Hono versions before 4.11.7 contain an information disclosure vulnerability in the static file serving middleware for Cloudflare Workers that allows unauthenticated remote attackers to read sensitive environment keys through path traversal. The lack of proper input validation enables attackers to access internal asset keys that should remain protected. A patch is available in version 4.11.7 and later.

Information Disclosure Hono
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24472 MEDIUM PATCH This Month

Hono versions up to 4.11.7 contains a vulnerability that allows attackers to private or authenticated responses being cached and subsequently exposed to unau (CVSS 5.3).

Information Disclosure Hono
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1213 MEDIUM PATCH This Month

All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2.

Authentication Bypass Askbot
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-24807 MEDIUM This Month

Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java.

Apache Java Jwt Attack Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-24398 MEDIUM PATCH This Month

Hono's IP Restriction Middleware fails to properly validate IPv4 octet ranges, allowing attackers to bypass IP-based access controls by submitting malformed addresses with values exceeding 255. This affects all users relying on Hono's IP filtering mechanisms for authentication or authorization. A patch is available in version 4.11.7 and later.

Authentication Bypass Hono
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-24771 MEDIUM PATCH This Month

Hono's ErrorBoundary JSX component before version 4.11.7 fails to properly sanitize user-controlled input, allowing attackers to inject and execute arbitrary JavaScript in victims' browsers through reflected XSS. The vulnerability requires user interaction and network access but can compromise the confidentiality and integrity of affected applications. A patch is available in version 4.11.7.

XSS Hono
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-68160 MEDIUM PATCH This Month

Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. [CVSS 4.7 MEDIUM]

OpenSSL Memory Corruption Denial Of Service Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-23683 MEDIUM This Month

Insufficient authorization checks in SAP Fiori App Intercompany Balance Reconciliation allow authenticated users to access data beyond their intended permissions, resulting in privilege escalation with limited confidentiality impact. An attacker with valid credentials can exploit this flaw to view sensitive financial reconciliation information they should not have access to. No patch is currently available.

SAP Privilege Escalation
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24688 MEDIUM PATCH This Month

Pypdf versions up to 6.6.2 is affected by loop with unreachable exit condition (infinite loop) (CVSS 4.3).

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1484 MEDIUM PATCH CISA This Month

GLib's Base64 encoder miscalculates buffer boundaries when handling extremely large inputs due to integer type misuse, potentially causing out-of-bounds memory writes. Applications processing untrusted large Base64 data could experience crashes or unpredictable behavior, though code execution is not indicated by the vector constraints. No patch is currently available for this medium-severity vulnerability.

Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2025-55095 MEDIUM This Month

The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. [CVSS 4.2 MEDIUM]

Stack Overflow Buffer Overflow Threadx Usbx
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-24797 POC This Week

Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules). This vulnerability is associated with program files tjbench.C.

Buffer Overflow
NVD GitHub
EPSS
0.1%
CVE-2025-69418 MEDIUM PATCH This Month

Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. [CVSS 4.0 MEDIUM]

OpenSSL Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-22261 LOW PATCH Monitor

Suricata versions up to 8.0.3 contains a vulnerability that allows attackers to severe slowdowns (CVSS 3.7).

Information Disclosure Suricata
NVD GitHub
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-24870 LOW Monitor

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixray-team ixray-1.6-stcop.This issue affects ixray-1.6-stcop: before 1.3. [CVSS 3.7 LOW]

Information Disclosure Ix Ray Engine 1 6
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy