Skip to main content
CVE-2026-0875 HIGH This Week

Out-of-bounds write in Autodesk shared components allows local attackers to execute arbitrary code, corrupt data, or crash the application by crafting a malicious MODEL file. The vulnerability requires user interaction to parse the malicious file and affects multiple Autodesk products with no patch currently available.

Denial Of Service Shared Components
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0874 HIGH This Week

Out-of-bounds write in Autodesk products' CATPART file parser enables local attackers to achieve arbitrary code execution, crash the application, or corrupt data when a user opens a malicious file. The vulnerability requires user interaction and affects shared components across multiple Autodesk products. No patch is currently available.

Denial Of Service Shared Components
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-61982 HIGH This Week

An arbitrary code execution vulnerability exists in the Code Stream directive functionality of OpenCFD OpenFOAM 2506. A specially crafted OpenFOAM simulation file can lead to arbitrary code execution. [CVSS 7.8 HIGH]

RCE Code Injection
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23225 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Don't assume CID is CPU owned on mode switch Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code.

Linux Information Disclosure Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23224 HIGH PATCH This Week

The Linux kernel erofs file system contains a use-after-free vulnerability in direct I/O file-backed mount operations that allows local attackers with user privileges to cause memory corruption and potentially achieve code execution or denial of service. The vulnerability occurs when accessing files through the directio option, where freed memory is subsequently accessed during I/O operations. A patch is not currently available, making this a critical concern for systems running affected Linux kernel versions.

Linux Information Disclosure Memory Corruption Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23223 HIGH PATCH This Week

Use-after-free vulnerability in Linux kernel XFS subsystem allows local attackers with unprivileged access to cause memory corruption and potential privilege escalation through improper pointer dereferencing in the btree block owner checking function. The flaw stems from attempting to access freed memory due to incorrect temporal ordering of operations when determining cursor aliases. This vulnerability affects all Linux systems using XFS and currently lacks a patch.

Linux Information Disclosure Memory Corruption Use After Free Linux Kernel +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71234 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc().

Linux Memory Corruption Buffer Overflow Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23227 HIGH PATCH This Week

Use-after-free in Linux kernel's Exynos Virtual Display (drm/exynos vidi) driver allows local authenticated users to potentially execute arbitrary code, escalate privileges, or cause denial of service. The vulnerability stems from missing lock protection during concurrent memory allocation/deallocation operations in the vidi_context structure. EPSS score of 0.02% indicates low observed exploitation probability. Vendor patches available across multiple kernel stable branches.

Linux Use After Free Information Disclosure Samsung Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33240 HIGH This Week

NVIDIA Megatron Bridge contains a vulnerability in a data shuffling tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Code Injection Information Disclosure Megatron Bridge Nvidia RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33239 HIGH This Week

NVIDIA Megatron Bridge contains a vulnerability in a data merging tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Code Injection Information Disclosure Megatron Bridge Nvidia RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33249 HIGH This Week

NVIDIA NeMo Framework for all platforms contains a vulnerability in a voice-preprocessing script, where malicious input created by an attacker could cause a code injection. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure AI / ML Nemo
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33236 HIGH This Week

NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure AI / ML Nemo
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23599 HIGH This Week

HPE Aruba Networking ClearPass OnGuard Software for Linux contains a local privilege escalation vulnerability that allows authenticated users to execute arbitrary code with root privileges. The flaw requires local access and no user interaction, making it exploitable by any local account on an affected system. No patch is currently available to remediate this issue.

Linux
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-1272 HIGH PATCH This Week

The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such kernel memory mappings, I/O ports, BPF and kprobes. [CVSS 7.7 HIGH]

Linux Red Hat Suse Linux Kernel
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-2507 HIGH This Week

When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. [CVSS 7.5 HIGH]

Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2495 HIGH This Week

Unauthenticated attackers can exploit SQL injection in the WPNakama WordPress plugin (versions up to 0.6.5) through the 'order' parameter in the REST API /wp-json/WPNakama/v1/boards endpoint due to insufficient input escaping. This allows unauthorized extraction of sensitive database information from any WordPress installation running the vulnerable plugin. No patch is currently available.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2576 HIGH This Week

Unauthenticated attackers can exploit time-based SQL injection in the Business Directory Plugin for WordPress (versions up to 6.4.2) through an unescaped 'payment' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to append arbitrary SQL commands to existing queries without authentication. No patch is currently available.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2670 HIGH This Week

Unauthenticated remote attackers can achieve OS command injection through the delete_file parameter in Advantech WISE-6610's OpenVPN management interface (/cgi-bin/luci/admin/openvpn_apply), enabling arbitrary command execution with high privileges. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The attack requires high-level privileges but involves minimal complexity and poses significant risks to confidentiality, integrity, and availability.

Openvpn Command Injection
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-1931 HIGH This Week

Stored cross-site scripting in the Rent Fetch WordPress plugin through version 0.32.4 allows unauthenticated attackers to inject malicious scripts via inadequately sanitized keyword parameters. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2296 HIGH This Week

Arbitrary PHP code execution in Product Addons for WooCommerce plugin (versions up to 3.1.0) through unsafe use of eval() on unsanitized conditional logic operators allows Shop Manager-level and higher-privileged WordPress users to execute malicious code on affected servers. The vulnerability stems from insufficient input validation in the evalConditions() function where user-supplied operator parameters are passed directly to PHP's eval() without sanitization. No patch is currently available.

WordPress PHP Code Injection
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2019 HIGH This Week

Cart All In One For WooCommerce (WordPress plugin) versions up to 1.1.21. contains a security vulnerability (CVSS 7.2).

WordPress PHP Code Injection
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1937 HIGH This Week

Unauthorized data modification in YayMail WooCommerce Email Customizer WordPress plugin allows unauthenticated attackers to modify email templates, potentially enabling phishing attacks against customers.

WordPress Privilege Escalation Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-22048 HIGH This Week

Configuration deletion and resource denial in StorageGRID versions before 11.9.0.12 and 12.0.0.4 stems from an SSRF flaw in Microsoft Entra ID SSO integration, allowing authenticated attackers to manipulate backend requests. Successful exploitation enables deletion of configuration data or denial of access to storage resources despite requiring valid credentials to initiate the attack.

Azure SSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-1999 HIGH This Week

GitHub Enterprise Server allows authenticated webhook administrators to bypass network restrictions through Server-Side Request Forgery, enabling access to internal services, job queues, and sensitive endpoints on loopback addresses. This affects all versions prior to 3.20 and requires valid credentials with webhook configuration privileges. No patch is currently available, and exploitation could lead to unauthorized data access or disruption of background job processing.

SSRF Enterprise Server
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2025-71231 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.

Linux Information Disclosure Buffer Overflow Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy