238 CVEs tracked today. 25 Critical, 57 High, 64 Medium, 18 Low.
-
CVE-2026-35561
CRITICAL
CVSS 9.1
Browser-based authentication session hijacking in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows remote unauthenticated attackers to intercept authentication sessions, potentially compromising confidentiality and integrity of database access. The vulnerability stems from insufficient authentication security controls (CWE-862) in browser-based authentication flows. Amazon has released patches for Windows, Linux, and macOS platforms. No active exploitation is confirmed via CISA KEV, though the CVSS score of 7.4 reflects high attack complexity requiring precise timing or conditions to exploit successfully.
Authentication Bypass
-
CVE-2026-35560
CRITICAL
CVSS 9.1
Man-in-the-middle attacks can intercept authentication credentials in Amazon Athena ODBC driver versions prior to 2.1.0.0 when connecting to external identity providers due to improper certificate validation (CWE-295). This network-accessible vulnerability (CVSS 7.4) affects deployments using federated authentication with external IdPs, allowing attackers positioned on the network path to capture credentials during the authentication handshake. Amazon has released patched version 2.1.0.0 for all platforms (Windows, Linux, macOS). No public exploit identified at time of analysis, though the attack complexity is rated high and requires network positioning.
Information Disclosure
-
CVE-2026-35471
CRITICAL
CVSS 9.8
Unauthenticated arbitrary file deletion in goshs HTTP file server allows remote attackers to delete any file or directory on the host system via path traversal. A missing return statement after input validation enables attackers to bypass the '..' check by double-encoding traversal sequences (e.g., %252e%252e), sending requests to '/<traversal>/<target-path>?delete' to trigger os.RemoveAll on arbitrary filesystem paths. The vulnerability affects the default configuration with no authentication or special flags required. Public exploit code exists with a working proof-of-concept shell script demonstrating the attack. CVSS 9.8 (Critical) reflects network accessibility, no authentication requirement, and complete impact to integrity and availability. Vendor-released patch available via GitHub commit 237f3af.
Path Traversal
-
CVE-2026-35393
CRITICAL
CVSS 9.8
Unauthenticated arbitrary file write in goshs (Go Simple HTTP Server) allows remote attackers to overwrite any file on the host filesystem via path traversal in multipart upload endpoints. The vulnerability exists in the default configuration with no authentication required. The upload handler fails to sanitize the directory component of the request path, enabling attackers to escape the webroot using URL-encoded traversal sequences (e.g., /../../target/upload) while the server validates only that paths end with '/upload'. Functional proof-of-concept exploit code is publicly available. EPSS data not available, not listed in CISA KEV.
Path Traversal
-
CVE-2026-35392
CRITICAL
CVSS 9.8
Arbitrary file write in goshs HTTP server allows unauthenticated remote attackers to overwrite any file on the target system via path traversal in PUT requests. The PUT upload handler in goshs (a Go-based simple HTTP server) performs no path sanitization on user-supplied URL paths, enabling direct filesystem access outside the intended webroot through URL-encoded directory traversal sequences (%2e%2e/). CVSS 9.8 reflects network-accessible exploitation requiring no authentication or user interaction. No public exploit identified at time of analysis beyond the proof-of-concept in the security advisory. EPSS data not available, but the trivial exploit complexity (single curl command with --path-as-is flag) and default-vulnerable configuration present significant risk to exposed instances.
Path Traversal
-
CVE-2026-35216
CRITICAL
CVSS 9.0
Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash commands with root privileges inside the application container by exploiting public webhook endpoints that trigger automation workflows. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78) and requires no authentication, though the CVSS complexity is rated high (AC:H). A vendor-released patch is available in version 3.33.4, with the fix publicly documented in GitHub pull request #18238 and commit f0c731b4.
RCE
Command Injection
-
CVE-2026-35171
CRITICAL
CVSS 9.8
Remote code execution in Kedro (all versions prior to 1.3.0) allows unauthenticated network attackers to execute arbitrary system commands during application startup by poisoning the KEDRO_LOGGING_CONFIG environment variable. The vulnerability stems from unsafe use of Python's logging.config.dictConfig() with the special '()' factory key that enables arbitrary callable instantiation. With CVSS 9.8 (critical severity, network-exploitable, no privileges required, low complexity), this represents a severe supply chain and deployment security risk for data pipeline applications. No public exploit identified at time of analysis, though the attack mechanism is well-documented in Python security literature.
RCE
Code Injection
-
CVE-2026-35039
CRITICAL
CVSS 9.1
Cache key collisions in fast-jwt's custom cacheKeyBuilder implementations enable token confusion attacks, allowing remote attackers to impersonate users and escalate privileges without authentication. The vulnerability affects Node.js applications using fast-jwt with both caching enabled AND custom cache key builder functions that generate non-unique keys. No public exploit identified at time of analysis; EPSS data is unavailable, though exploitation likelihood is high given the network-accessible attack vector (AV:N) and low complexity (AC:L). Applications using default caching behavior are NOT affected.
Privilege Escalation
-
CVE-2026-35030
CRITICAL
CVSS 9.4
Authentication bypass in LiteLLM's JWT/OIDC implementation allows unauthenticated attackers to impersonate legitimate users via cache key collision. When JWT authentication is enabled (non-default configuration), the userinfo cache uses only the first 20 characters of the token as a key. Because JWT headers from the same signing algorithm produce identical prefixes, attackers can forge tokens that collide with cached legitimate sessions, inheriting victim identities and permissions. Fixed in v1.83.0. No public exploit identified at time of analysis, but the vulnerability is straightforward to exploit in affected configurations.
Authentication Bypass
-
CVE-2026-34989
CRITICAL
CVSS 9.4
Stored cross-site scripting (XSS) in ci4-cms-erp/ci4ms profile management enables privilege escalation to full administrative compromise. Attackers inject malicious JavaScript payloads through unsanitized profile name fields, which execute persistently across multiple application interfaces including administrative user management pages and public-facing blog views. When administrators access affected pages, the stored payload executes in their browser context, enabling session hijacking and complete account takeover. Vendor patch available per GitHub security advisory. This represents a critical privilege escalation vector requiring immediate remediation in any deployment with multiple user roles.
Privilege Escalation
XSS
-
CVE-2026-34612
CRITICAL
CVSS 9.9
SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.
Docker
SQLi
PostgreSQL
RCE
-
CVE-2026-34208
CRITICAL
CVSS 10.0
Sandbox escape in SandboxJS npm package allows unauthenticated remote attackers to mutate host JavaScript global objects (Math, JSON, etc.) and persist malicious code across sandbox instances. The vulnerability bypasses intended global-write protections by exploiting an exposed constructor callable path (this.constructor.call), enabling arbitrary property injection into host runtime globals. Exploitation probability is HIGH (EPSS not available for recent CVE), with publicly available exploit code demonstrating both immediate host contamination and cross-execution persistence. Critical impact: attacker-controlled globals can hijack application control flow when host code consumes mutated built-ins, escalating to arbitrary command execution when chained with application sinks like execSync().
Node.js
RCE
-
CVE-2026-31818
CRITICAL
CVSS 9.6
Server-Side Request Forgery (SSRF) in Budibase's REST datasource connector (versions prior to 3.33.4) allows authenticated users with low privileges to bypass IP blacklist protections and access internal network resources. The vulnerability stems from a configuration flaw where the BLACKLIST_IPS environment variable is not set by default in official deployments, causing all blacklist checks to fail silently. With CVSS 9.6 (Critical) due to scope change and high confidentiality/integrity impact, this represents a significant risk for organizations using Budibase in cloud or containerized environments. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists via the patch disclosure.
SSRF
-
CVE-2026-28798
CRITICAL
CVSS 9.0
Server-side request forgery (SSRF) in ZimaOS web interface allows unauthenticated remote attackers to access internal localhost services when the system is exposed via Cloudflare Tunnel. The vulnerable proxy endpoint (/v1/sys/proxy) enables attackers to bypass network segmentation and reach internal-only endpoints, potentially exposing sensitive local services. Affects ZimaOS versions prior to 1.5.3. EPSS data not available; no public exploit identified at time of analysis, though the attack vector is well-understood given the clear SSRF nature and specific endpoint disclosure.
SSRF
-
CVE-2026-28766
CRITICAL
CVSS 9.2
Unauthenticated access to complete user account data in Gardyn Cloud API allows remote attackers to retrieve sensitive information for all registered users. The vulnerability stems from an unprotected endpoint exposing full account details without authentication checks (CVSS 9.2, AV:N/PR:N). CISA ICS-CERT has published an advisory, indicating exposure in operational technology/IoT contexts. No public exploit identified at time of analysis, though the vulnerability's simplicity (low attack complexity, no privileges required) makes exploitation straightforward once the endpoint is discovered.
Authentication Bypass
-
CVE-2026-28373
CRITICAL
CVSS 9.6
Stackfield Desktop App before version 1.10.2 for macOS and Windows allows arbitrary file writes to the filesystem through a path traversal vulnerability in its decryption functionality when processing the filePath property. A malicious export file can enable attackers to overwrite critical system or application files, potentially leading to code execution or application compromise without requiring user interaction beyond opening the malicious export.
Path Traversal
Apple
Microsoft
-
CVE-2026-25197
CRITICAL
CVSS 9.3
Insecure Direct Object Reference (IDOR) vulnerability in Gardyn Cloud API allows unauthenticated remote attackers to access and modify arbitrary user profiles by manipulating ID parameters in API calls. CVSS:4.0 rates this 9.3 (Critical) with network-accessible attack vector requiring no privileges or user interaction, enabling unauthorized access to high-sensitivity user data and profile modification. CISA ICS-CERT issued advisory ICSA-26-055-03 for this IoT/smart garden system vulnerability. No public exploit identified at time of analysis, though the attack technique (parameter manipulation) is trivial to execute.
Authentication Bypass
-
CVE-2026-5463
CRITICAL
CVSS 9.3
Command injection in pymetasploit3 Python library (versions ≤1.0.6) allows unauthenticated remote attackers to execute arbitrary Metasploit console commands by injecting newline characters into module options like RHOSTS. With a critical CVSS 9.3 score and no public exploit identified at time of analysis, this vulnerability poses significant risk to environments using this library for automated penetration testing workflows. The flaw enables attackers to break command structure in console.run_module_with_output() calls, potentially manipulating Metasploit sessions and executing unintended security operations.
Command Injection
-
CVE-2026-0545
CRITICAL
CVSS 9.1
Remote code execution in MLflow's FastAPI job endpoints allows unauthenticated attackers to submit and execute arbitrary jobs when basic-auth is enabled. Network-accessible attackers (CVSS AV:N, PR:N) can bypass authentication entirely on `/ajax-api/3.0/jobs/*` endpoints when `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`, executing privileged operations including shell commands and filesystem modifications through allowlisted job functions. This authentication bypass (CWE-306) also enables job spam, denial of service, and exposure of job execution results. No public exploit identified at time of analysis, though attack complexity is low (AC:L) requiring no user interaction.
Authentication Bypass
RCE
Denial Of Service
Information Disclosure
-
CVE-2026-33107
CRITICAL
CVSS 10.0
Server-side request forgery in Azure Databricks enables unauthenticated remote attackers to achieve full privilege escalation with critical impact across confidentiality, integrity, and availability. The vulnerability carries a maximum CVSS 10.0 score with network-based attack vector, low complexity, and scope change, indicating attackers can leverage the SSRF to break out of Databricks' security boundary and access underlying cloud infrastructure or customer data. No public exploit or active exploitation confirmed at time of analysis, though the low attack complexity suggests straightforward exploitation once attack surface is identified.
Microsoft
SSRF
-
CVE-2026-33105
CRITICAL
CVSS 10.0
Microsoft Azure Kubernetes Service (AKS) contains an improper authorization vulnerability enabling unauthenticated remote attackers to elevate privileges over a network with critical impact across confidentiality, integrity, and availability. The CVSS 10.0 critical rating reflects network-accessible exploitation requiring no authentication, low complexity, and scope change allowing compromise beyond the vulnerable component. No public exploit identified at time of analysis, though the authentication bypass nature and maximum severity warrant immediate priority.
Microsoft
Kubernetes
Authentication Bypass
-
CVE-2026-32213
CRITICAL
CVSS 10.0
Azure AI Foundry improper authorization permits unauthenticated remote attackers to escalate privileges and achieve complete compromise with high impact to confidentiality, integrity, and availability. The CVSS 10.0 rating reflects network-based attack vector with low complexity, no user interaction, and scope change indicating containerization/isolation escape. EPSS and KEV status not provided, but the authentication bypass affecting a cloud AI platform poses severe risk. No public exploit identified at time of analysis.
Microsoft
Authentication Bypass
-
CVE-2026-32211
CRITICAL
CVSS 9.1
Unauthenticated information disclosure in Azure MCP Server allows remote attackers to access sensitive data over the network without authentication. The vulnerability stems from missing authentication controls on critical functions (CWE-306), enabling attackers to bypass security boundaries and extract confidential information with minimal complexity. With CVSS 9.1 (Critical) and network-accessible attack vector requiring no privileges or user interaction, this represents a significant exposure for organizations running affected Azure MCP Server instances. No public exploit identified at time of analysis, though the straightforward authentication bypass nature increases likelihood of rapid weaponization.
Microsoft
Authentication Bypass
-
CVE-2026-32186
CRITICAL
CVSS 10.0
Microsoft Bing contains a server-side request forgery (SSRF) vulnerability that allows elevation of privilege through improperly validated requests. The flaw affects Microsoft Bing across all versions and enables attackers to bypass access controls and escalate privileges by causing the application to make unintended requests to internal or external resources. A vendor-released patch is available.
Microsoft
SSRF
-
CVE-2026-26135
CRITICAL
CVSS 9.6
Server-side request forgery in Azure Custom Locations Resource Provider enables authenticated attackers with low-level privileges to elevate access and exfiltrate sensitive data across scope boundaries via network-based SSRF exploitation. This vulnerability affects Microsoft Azure infrastructure with a CVSS score of 9.6 (Critical), featuring scope change that allows attackers to reach resources beyond the vulnerable component's security context. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity and network vector indicate straightforward exploitability once authenticated access is obtained.
Microsoft
SSRF
-
CVE-2026-35562
HIGH
CVSS 8.7
Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to trigger denial of service through maliciously crafted input that overwhelms parsing logic. CVSS 7.5 (High) reflects network-accessible attack vector with low complexity and no prerequisites. EPSS data not provided, but no public exploit or CISA KEV listing identified at time of analysis. Amazon has released patches for Windows, Linux, and macOS platforms.
Denial Of Service
-
CVE-2026-35559
HIGH
CVSS 7.1
Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver through specially crafted query data, requiring user interaction to process malicious queries. Affected versions include all Amazon Athena ODBC driver releases before 2.1.0.0 across Windows, Linux, and macOS platforms. CVSS 7.1 (High) reflects network-based attack with low complexity but requires user interaction (UI:P) and impacts only availability (VA:H). No public exploit identified at time of analysis. Vendor-released patch version 2.1.0.0 is available for all supported platforms with direct download links provided in AWS security bulletin 2026-013.
Buffer Overflow
Memory Corruption
-
CVE-2026-35558
HIGH
CVSS 7.3
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary code or hijack authentication flows through malicious connection parameters during user-initiated database connections. With a CVSS 7.3 rating, the vulnerability requires user interaction but no authentication (CVSS:4.0 AV:L/PR:N/UI:P), enabling high impact to confidentiality, integrity, and availability on the local system. Vendor-released patches are available across all platforms (Windows, Linux, macOS). No public exploit or active exploitation confirmed at time of analysis, though EPSS data is not available for risk calibration.
RCE
Command Injection
-
CVE-2026-35536
HIGH
CVSS 7.2
Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward for exploitation.
Code Injection
-
CVE-2026-35535
HIGH
CVSS 7.4
Privilege escalation to root in Sudo ≤1.9.17p2 occurs when setuid/setgid/setgroups system calls fail during the mailer privilege-drop sequence, allowing local attackers to gain full system control, though exploitation is of high complexity. Confirmed actively exploited (CISA KEV). EPSS score and public exploit code status indicate significant real-world risk despite the high attack complexity barrier.
Privilege Escalation
-
CVE-2026-35470
HIGH
CVSS 8.8
SQL injection in OpenSTAManager 2.10.1 and prior allows authenticated users to extract database contents including bcrypt password hashes, customer records, and financial data via unsanitized GET parameters across six vulnerable PHP modules. The righe parameter in confronta_righe.php files is directly concatenated into IN() clauses without parameterization. CVSS 8.8 (High) with network attack vector, low complexity, and low privilege requirement. Vendor-released patch available in version 2.10.2. Exploit reproduction demonstrated via EXTRACTVALUE-based error injection extracting MySQL version, database user, and admin credentials. Confirmed publicly available exploit code exists (GitHub advisory GHSA-mmm5-3g4x-qw39).
SQLi
Information Disclosure
PHP
-
CVE-2026-35218
HIGH
CVSS 8.7
Stored cross-site scripting (XSS) in Budibase's Builder Command Palette (versions prior to 3.32.5) enables authenticated Builder users to inject malicious HTML payloads via entity names (tables, views, queries, automations), achieving session hijacking and account takeover when other Builder-role users invoke the Command Palette. CVSS 8.7 with changed scope reflects the cross-user attack vector. No public exploit identified at time of analysis, though the attack technique is straightforward for authenticated insiders. EPSS data unavailable; patch available in version 3.32.5.
XSS
-
CVE-2026-35214
HIGH
CVSS 8.7
Path traversal in Budibase plugin upload endpoint allows Global Builders to delete arbitrary directories and write files to any accessible filesystem path. Affecting all versions prior to 3.33.4, attackers with high privileges (Global Builder role) can exploit unsanitized filename handling in POST /api/plugin/upload to execute directory traversal attacks remotely with low complexity. CVSS 8.7 (High) with scope change indicates potential container escape or cross-tenant impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the documented path traversal mechanism.
Node.js
Path Traversal
File Upload
-
CVE-2026-35175
HIGH
CVSS 7.2
Privilege escalation in Ajenti panel allows authenticated non-superuser accounts to install arbitrary Python packages, bypassing role-based access controls. Affects installations using the auth_users plugin authentication method. Vendor-released patch available in version 2.2.15. No public exploit identified at time of analysis, though the privilege bypass mechanism is straightforward for authenticated users to abuse.
Authentication Bypass
-
CVE-2026-35167
HIGH
CVSS 7.1
Path traversal in Kedro's versioned dataset loader allows authenticated remote attackers to read arbitrary files outside intended data directories. Kedro versions before 1.3.0 fail to sanitize user-supplied version strings in catalog.load(), DataCatalog.from_config(), and CLI operations, enabling traversal sequences (../) to escape versioned dataset boundaries. Attackers with API or CLI access can exfiltrate sensitive files, poison training data, or access other tenants' data in multi-tenant ML pipelines. EPSS probability indicates moderate exploitation likelihood (specific score not provided), and publicly available exploit code exists via the referenced GitHub pull request, demonstrating the vulnerability mechanics. Vendor-released patch available in Kedro 1.3.0.
Path Traversal
-
CVE-2026-35044
HIGH
CVSS 8.8
Remote code execution in BentoML's containerization workflow allows attackers to execute arbitrary Python code on victim machines by distributing malicious bento archives containing SSTI payloads. When victims import a weaponized bento and run 'bentoml containerize', unsanitized Jinja2 template rendering executes attacker-controlled code directly on the host system - bypassing all Docker container isolation. The vulnerability stems from using an unsandboxed jinja2.Environment with the dangerous jinja2.ext.do extension to process user-provided dockerfile_template files. Authentication is not required (CVSS PR:N), though exploitation requires user interaction (UI:R) to import and containerize the malicious bento. No public exploit identified at time of analysis, though the GitHub advisory includes detailed proof-of-concept demonstrating host filesystem compromise.
Python
Docker
RCE
Ssti
-
CVE-2026-35043
HIGH
CVSS 7.8
Command injection in BentoML's cloud deployment path allows remote code execution on BentoCloud build infrastructure via malicious bentofile.yaml configurations. While commit ce53491 fixed command injection in local Dockerfile generation by adding shlex.quote protection, the cloud deployment code path (deployment.py:1648) remained vulnerable, directly interpolating system_packages into shell commands without sanitization. Attackers can inject shell metacharacters through bentofile.yaml to execute arbitrary commands during cloud deployment, enabling supply chain attacks, credential exfiltration, and infrastructure compromise. CVSS 7.8 score reflects local attack vector requiring user interaction, but real-world impact targets cloud CI/CD infrastructure. No public exploit code or active exploitation (CISA KEV) confirmed at time of analysis.
RCE
Command Injection
Docker
Ubuntu
Kubernetes
-
CVE-2026-35042
HIGH
CVSS 7.5
JWT token validation bypass in fast-jwt npm library (all versions through 3.3.3) allows unauthenticated remote attackers to forge tokens with critical header parameters, achieving authentication bypass and security policy circumvention. The library violates RFC 7515 by accepting JWS tokens containing unrecognized 'crit' extensions that MUST be rejected per specification. No public exploit identified at time of analysis, though proof-of-concept code demonstrates trivial exploitation. CVSS 7.5 (High) reflects network-accessible integrity impact with no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Vendor advisory published via GitHub Security Advisory GHSA-hm7r-c7qw-ghp6.
Authentication Bypass
-
CVE-2026-35037
HIGH
CVSS 7.2
Unauthenticated Server-Side Request Forgery (SSRF) in Ech0's /api/website/title endpoint allows remote attackers to access internal network services, cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254), and localhost-bound resources without authentication. The vulnerability accepts arbitrary URLs via the website_url parameter with zero validation, enabling attackers to probe internal infrastructure and exfiltrate partial response data through HTML title tag extraction. CVSS 7.2 reflects the cross-scope impact (S:C) enabling firewall bypass and credential theft. No public exploit identified at time of analysis, though the attack surface requires zero privileges (PR:N) and trivial complexity (AC:L). Vendor patch available per GitHub security advisory GHSA-cqgf-f4x7-g6wc.
SSRF
Information Disclosure
Microsoft
Redis
-
CVE-2026-35036
HIGH
CVSS 7.5
Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-of-service by forcing the server to download large files into memory via io.ReadAll. Proof-of-concept demonstrates successful exploitation against Docker deployments reaching host-bound services via host.docker.internal. EPSS score not available; no CISA KEV listing indicates this is not yet confirmed as actively exploited in the wild, though publicly available exploit code exists in the GitHub advisory. Vendor-released patch available.
SSRF
Denial Of Service
Apple
Docker
Microsoft
-
CVE-2026-35029
HIGH
CVSS 8.7
Remote code execution in BerriAI LiteLLM (pkg:pip/litellm) prior to v1.83.0 allows authenticated users without admin privileges to execute arbitrary Python code, modify proxy configuration, read server files, and hijack privileged accounts via an improperly protected /config/update endpoint. Authentication requirements not confirmed from available data. No public exploit identified at time of analysis, but the attack surface is well-documented in the vendor advisory. CVSS score unavailable; however, the combination of RCE capability and authentication bypass warrants immediate remediation for all LiteLLM deployments.
RCE
Authentication Bypass
Python
-
CVE-2026-34992
HIGH
CVSS 7.1
IPv6 Pod traffic in Antrea dual-stack Kubernetes clusters transmits in plaintext despite IPsec encryption configuration, exposing inter-node communication to network eavesdropping. Affects Antrea versions prior to 2.6.0, 2.5.2, and 2.4.5 when dual-stack networking is enabled with trafficEncryptionMode: ipsec. Vendor-released patches are available across multiple stable branches. No public exploit identified at time of analysis, though the vulnerability bypasses intended encryption controls and could enable passive network monitoring in multi-tenant or untrusted network environments.
Authentication Bypass
-
CVE-2026-34986
HIGH
CVSS 7.5
Denial of service via panic in go-jose library (versions prior to v4.1.4 and v3.0.5) occurs when decrypting malformed JSON Web Encryption (JWE) objects that specify a key wrapping algorithm (e.g., RSA-OAEP-KW, ECDH-ES+A128KW) but contain an empty encrypted_key field. The panic is triggered during slice allocation in cipher.KeyUnwrap() when processing ciphertext under 16 bytes, causing immediate application termination. No public exploit identified at time of analysis, though EPSS score of 0.00045 (0.045%) indicates low predicted exploitation probability. Applications limiting accepted key algorithms to non-KW types or using GCM-based key wrapping (A128GCMKW, A192GCMKW, A256GCMKW) are unaffected.
Denial Of Service
-
CVE-2026-34824
HIGH
CVSS 7.5
Thread exhaustion in Mesop WebSocket handler (pkg:pip/mesop) allows unauthenticated remote attackers to crash applications via message flooding. The framework spawns unbounded OS threads for each received WebSocket message without rate limiting or pooling, enabling complete denial of service with minimal bandwidth. CVSS 7.5 (High). Publicly available exploit code exists. EPSS data not provided, but the low attack complexity (AC:L) and zero authentication requirement (PR:N) combined with working proof-of-concept significantly elevate real-world exploitation risk. Vendor-released patch available in version 1.2.5 (commit 760a207).
Python
Denial Of Service
-
CVE-2026-34780
HIGH
CVSS 8.3
Context isolation bypass in Electron applications enables privilege escalation when VideoFrame objects are bridged to the main world. Attackers with XSS capabilities can leverage improperly bridged WebCodecs API VideoFrame objects to escape the isolated context and access Node.js APIs exposed in preload scripts. CVSS 8.4 (High) with network attack vector requiring high complexity and user interaction. No public exploit identified at time of analysis, though proof-of-concept development is feasible given the detailed vendor disclosure.
Node.js
Information Disclosure
XSS
-
CVE-2026-34774
HIGH
CVSS 8.1
Use-after-free memory corruption in Electron framework (versions <39.8.1, <40.7.0, <41.0.0) allows unauthenticated remote attackers to potentially execute arbitrary code when offscreen rendering is enabled and child windows are permitted. The vulnerability triggers when a parent offscreen WebContents is destroyed while child windows remain active, causing subsequent paint operations to dereference freed memory. EPSS data not available; no public exploit identified at time of analysis. Fixed versions released by vendor.
Use After Free
Memory Corruption
Buffer Overflow
Microsoft
-
CVE-2026-34771
HIGH
CVSS 7.5
Use-after-free in Electron framework allows memory corruption when handling fullscreen, pointer-lock, or keyboard-lock permission requests in apps with asynchronous `session.setPermissionRequestHandler()` callbacks. Affects npm package electron versions prior to 41.0.0-beta.8, 40.7.0, 39.8.0, and 38.8.6. Remote attackers can trigger memory corruption or crashes if the requesting frame navigates or window closes while the permission handler is pending. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patches available across all affected major version branches.
Use After Free
Memory Corruption
Buffer Overflow
-
CVE-2026-34770
HIGH
CVSS 7.0
Use-after-free in Electron's powerMonitor module allows local attackers to trigger memory corruption or application crashes through system power events. All Electron applications (versions <38.8.6, <39.8.1, <40.8.0, <41.0.0-beta.8) that subscribe to powerMonitor events (suspend, resume, lock-screen) are vulnerable when garbage collection frees the PowerMonitor object while OS-level event handlers retain dangling pointers. Exploitation requires local access and specific timing conditions (CVSS 7.0 HIGH, AC:H). No public exploit identified at time of analysis, though the technical details are publicly documented in the GitHub security advisory.
Use After Free
Memory Corruption
Microsoft
Apple
Buffer Overflow
-
CVE-2026-34769
HIGH
CVSS 7.7
Command line injection in Electron via undocumented commandLineSwitches webPreference enables sandbox escape and security control bypass when applications spread untrusted configuration objects into webPreferences. Attackers can inject arbitrary command-line switches to disable renderer process sandboxing or web security protections, achieving local code execution with elevated privileges. CVSS 7.8 (High) with attack complexity HIGH requiring user interaction. No public exploit identified at time of analysis, though technical disclosure is public via GitHub advisory.
RCE
-
CVE-2026-34607
HIGH
CVSS 7.2
Path traversal in Emlog CMS 2.6.2 and earlier enables authenticated administrators to achieve remote code execution by uploading malicious ZIP archives containing directory traversal sequences. The emUnZip() function fails to sanitize entry paths during plugin/template uploads and backup imports, allowing arbitrary file writes including PHP webshells. CVSS 7.2 (High) with network attack vector and low complexity. No vendor-released patch identified at time of analysis; publicly available exploit code exists via GitHub Security Advisory GHSA-2jg8-rmhm-xv9m.
RCE
Path Traversal
PHP
-
CVE-2026-34228
HIGH
CVSS 8.7
Cross-Site Request Forgery (CSRF) in Emlog CMS versions prior to 2.6.8 enables remote attackers to execute arbitrary SQL commands and write arbitrary files to the web root without authentication. The vulnerability exploits an unprotected backend upgrade interface that accepts remote SQL and ZIP URLs via GET parameters, requiring only that an authenticated administrator visit a malicious link. EPSS data not available; no public exploit identified at time of analysis, though exploitation complexity is low given the CSRF nature and network attack vector.
CSRF
-
CVE-2026-33752
HIGH
CVSS 8.6
Server-Side Request Forgery in curl_cffi Python library allows unauthenticated remote attackers to access internal network resources and cloud metadata endpoints via attacker-controlled redirect chains. The library passes user-supplied URLs directly to libcurl without validating destination IP ranges and follows redirects automatically (CURLOPT_FOLLOWLOCATION enabled), enabling access to services like AWS/GCP metadata APIs (169.254.169.254). TLS fingerprint impersonation features (e.g., 'impersonate=chrome') can disguise these requests as legitimate browser traffic, potentially bypassing network controls. EPSS data not available; no active exploitation confirmed (not in CISA KEV); functional proof-of-concept publicly disclosed in GitHub advisory.
SSRF
Python
Google
-
CVE-2026-33184
HIGH
CVSS 7.5
Integer underflow in Nimiq core-rs-albatross <1.3.0 enables unauthenticated remote attackers to trigger deterministic denial-of-service via a crafted peer handshake. Attackers send limit=0 during the discovery handshake, causing an arithmetic underflow (0-1 wraps to usize::MAX) when the session transitions to the Established state, resulting in a capacity overflow panic when allocating the peer contact vector. Upstream fix available (PR/commit); released patched version 1.3.0 confirmed. No public exploit identified at time of analysis; EPSS indicates low exploitation probability, but the attack is trivially reproducible given simple network message crafting.
Buffer Overflow
Integer Overflow
-
CVE-2026-33175
HIGH
CVSS 8.8
Authentication bypass in JupyterHub OAuthenticator <17.4.0 allows authenticated attackers with unverified email addresses on Auth0 tenants to log in with arbitrary usernames, enabling account takeover when email is configured as the username claim. The vulnerability requires low-complexity exploitation over the network with low privileges (CVSS 8.8, AV:N/AC:L/PR:L). No public exploit identified at time of analysis, though the vendor has released a security advisory with technical details. EPSS data not available, but the authentication bypass nature and account takeover potential make this a priority for organizations using JupyterHub with Auth0 OAuth integration.
Authentication Bypass
-
CVE-2026-32646
HIGH
CVSS 8.7
Unauthenticated remote access to administrative endpoints in Gardyn Cloud API exposes device management functions to network attackers. The CVSS:4.0 vector (AV:N/AC:L/PR:N) confirms network-reachable exploitation requiring no authentication or user interaction, with high confidentiality impact. EPSS data unavailable, but authentication bypass vulnerabilities (CWE-306) are frequently targeted when exposed on internet-facing APIs. CISA ICS-CERT advisory indicates IoT/OT context, suggesting potential for unauthorized device control. No confirmed active exploitation (not on CISA KEV) and no public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-32173
HIGH
CVSS 8.6
Information disclosure in Azure SRE Agent can be exploited by remote unauthenticated attackers via improper authentication mechanisms. The vulnerability carries an 8.6 CVSS score with network attack vector requiring low complexity and no user interaction, enabling attackers to extract high-confidentiality data with scope change impact. No public exploit identified at time of analysis, though the authentication bypass nature and network accessibility present significant risk to Azure infrastructure components.
Microsoft
Authentication Bypass
-
CVE-2026-28815
HIGH
CVSS 7.5
Out-of-bounds read in Apple swift-crypto X-Wing HPKE decapsulation allows remote attackers to trigger memory disclosure or denial of service by supplying a malformed encapsulated key. The vulnerability affects swift-crypto versions prior to 4.3.1 and any macOS or downstream applications using vulnerable versions of the cryptographic library.
Information Disclosure
Buffer Overflow
-
CVE-2026-28797
HIGH
CVSS 8.7
Server-Side Template Injection in RAGFlow 0.24.0 and earlier allows authenticated users to execute arbitrary OS commands via unsandboxed Jinja2 template rendering in Agent workflow components. The vulnerability affects the Text Processing (StringTransform) and Message components, where user-supplied templates are processed without sandboxing. With a CVSS 8.7 score and low attack complexity (AC:L), authenticated attackers can achieve full system compromise remotely. No public exploit identified at time of analysis, and no vendor-released patch available as of publication date.
Code Injection
Python
-
CVE-2026-28756
HIGH
CVSS 7.3
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers with low privileges to inject malicious scripts into the Permissions based on Distribution Groups report, potentially leading to session hijacking and account compromise of administrators viewing the report. No active exploitation confirmed (CISA KEV absent), but the network-accessible attack vector and low complexity make this readily exploitable, and the vendor advisory publicly documents the details.
XSS
Microsoft
-
CVE-2026-28754
HIGH
CVSS 7.3
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers with low privileges to inject malicious scripts into Distribution Lists reports that execute when viewed by other users, potentially compromising session tokens and account credentials of administrators or other privileged users. The vulnerability requires user interaction (victim must view the malicious report) but enables high-impact attacks against confidentiality and integrity within the application scope. No public exploit code or active exploitation has been identified at time of analysis.
XSS
Microsoft
-
CVE-2026-28703
HIGH
CVSS 7.3
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts into the 'Mails Exchanged Between Users' report. With CVSS 7.3 (High severity) and low attack complexity (AC:L), this vulnerability requires low-privilege authentication (PR:L) and user interaction (UI:R) to achieve high confidentiality and integrity impact. No public exploit identified at time of analysis, though authentication requirements lower the barrier for insider threats or compromised accounts.
XSS
Microsoft
-
CVE-2026-27885
HIGH
CVSS 7.2
SQL injection in Piwigo's Activity List API endpoint allows authenticated administrators to extract sensitive database contents including user credentials and email addresses. This vulnerability affects Piwigo versions prior to 16.3.0 and requires high-level privileges (administrator access) to exploit. CVSS score of 7.2 reflects the network-accessible attack vector with low complexity, though exploitation requires prior administrative authentication. No public exploit code or active exploitation (CISA KEV) identified at time of analysis. The vendor has released version 16.3.0 addressing this issue.
SQLi
Information Disclosure
-
CVE-2026-27834
HIGH
CVSS 7.2
SQL injection in Piwigo photo gallery application allows authenticated administrators to execute arbitrary SQL commands via the pwg.users.getList Web Service API method. Piwigo versions prior to 16.3.0 are affected due to improper sanitization of the filter parameter, which is directly concatenated into database queries. Vendor-released patch version 16.3.0 addresses this vulnerability. EPSS data not provided; no public exploit identified at time of analysis. Authentication requirements (PR:H) significantly limit attack surface to users with administrative privileges.
SQLi
-
CVE-2026-27833
HIGH
CVSS 7.5
Unauthenticated information disclosure in Piwigo photo gallery software (versions prior to 16.3.0) allows remote attackers to retrieve complete browsing history of all gallery visitors through exposed pwg.history.search API endpoint. The API method lacks mandatory admin-only access controls (CWE-862), enabling trivial privacy violation with CVSS 7.5 severity. EPSS exploitation probability and KEV status not available; no public exploit identified at time of analysis, though exploitation requires only basic HTTP requests given the zero-authentication requirement (CVSS vector PR:N).
Authentication Bypass
-
CVE-2026-27655
HIGH
CVSS 7.3
Stored cross-site scripting in Zohocorp ManageEngine Exchange Reporter Plus (pre-5802) allows authenticated attackers to inject malicious scripts via the Permissions Based on Mailboxes report, potentially compromising administrator sessions and stealing high-privilege credentials. Attack requires low complexity and user interaction from a victim administrator. CVSS 7.3 (High) reflects significant confidentiality and integrity impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.
XSS
Microsoft
-
CVE-2026-27634
HIGH
CVSS 8.7
SQL injection in Piwigo photo gallery application versions prior to 16.3.0 allows unauthenticated remote attackers to extract the entire database, including user password hashes, via unsanitized date filter parameters in the ws_std_image_sql_filter() function. The vulnerability stems from direct SQL concatenation of four date parameters without input validation or escaping. Vendor-released patch available in version 16.3.0. EPSS and KEV data not provided, but the combination of unauthenticated access, low attack complexity, and full database disclosure represents critical risk for internet-facing Piwigo installations.
SQLi
-
CVE-2026-25773
HIGH
CVSS 8.1
Second-order SQL injection in Focalboard 8.0 category reordering functionality enables authenticated attackers to exfiltrate sensitive data including password hashes via time-based blind injection. The vulnerability stems from unsanitized category IDs stored in the database and later executed in dynamic SQL statements. Focalboard is no longer maintained as a standalone product, and Mattermost confirmed no patch will be issued. No public exploit identified at time of analysis. CVSS 8.1 (High) reflects network-accessible attack requiring only low-privilege authentication.
SQLi
Information Disclosure
-
CVE-2026-25044
HIGH
CVSS 8.7
Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute arbitrary system commands through the bash automation step feature. The vulnerability stems from unsanitized user input processed via template interpolation in execSync calls, allowing command injection with low attack complexity. No public exploit identified at time of analysis, though the technical details disclosed in the GitHub Security Advisory provide a clear exploitation path for authenticated users with automation privileges.
Command Injection
-
CVE-2026-22665
HIGH
CVSS 8.6
Identity confusion in prompts.chat (prior to commit 1464475) enables authenticated attackers to impersonate users and hijack profile URLs by creating case-variant usernames (e.g., 'Alice' vs 'alice'). Inconsistent case-handling between write and read operations allows bypass of uniqueness validation, letting attackers inject malicious content on canonical victim profiles. EPSS data not available; no public exploit identified at time of analysis, though attack complexity is low (CVSS:4.0 AC:L) requiring only low-privilege access (PR:L). VulnCheck disclosed this vulnerability with vendor patch released via GitHub commit.
Information Disclosure
Canonical
-
CVE-2026-22664
HIGH
CVSS 7.1
Server-side request forgery (SSRF) in prompts.chat allows authenticated users to force the server to make arbitrary HTTP requests with the application's FAL_API_KEY exposed in Authorization headers. Attackers can exploit unvalidated URL parameters in Fal.ai media status polling to exfiltrate API credentials, probe internal networks, and abuse the victim's Fal.ai account resources. Patch available via GitHub commit 30a8f04. No public exploit identified at time of analysis, though CVSS vector indicates low attack complexity with network-based attack vector requiring only low privileges.
SSRF
-
CVE-2026-22663
HIGH
CVSS 8.7
Authorization bypass vulnerabilities in prompts.chat (pre-commit 7b81836) expose private prompt data to unauthenticated remote attackers. Missing isPrivate validation checks across multiple API endpoints and metadata generation functions allow unauthorized retrieval of version history, change requests, examples, content, and HTML meta tag information for prompts marked private. No public exploit identified at time of analysis, though CVSS 8.7 reflects network-accessible, low-complexity attack requiring no privileges. Vendor-released patch available via GitHub commit 7b81836b21.
Authentication Bypass
Information Disclosure
-
CVE-2026-22661
HIGH
CVSS 8.6
Path traversal in prompts.chat skill file extraction allows unauthenticated remote attackers to write arbitrary files and execute code on client systems through malicious ZIP archives. The vulnerability (CVSS 8.6) stems from missing server-side filename validation, enabling ../ sequences in archive filenames that overwrite shell initialization files during extraction. VulnCheck identified this issue; vendor-released patch available in commit 0f8d4c3. No public exploit identified at time of analysis; EPSS data is not available for risk quantification.
Path Traversal
RCE
-
CVE-2026-5485
HIGH
CVSS 7.3
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated local attackers to execute arbitrary commands by crafting malicious connection parameters processed during user-initiated database connections. Vendor-released patches available across all platforms (version 2.1.0.0). No active exploitation confirmed (not in CISA KEV); CVSS 7.3 reflects high impact but requires local access and user interaction, limiting remote attack surface.
RCE
Command Injection
-
CVE-2026-4350
HIGH
CVSS 8.1
Arbitrary file deletion in Perfmatters WordPress plugin (≤2.5.9.1) allows authenticated attackers with Subscriber-level access to delete critical files including wp-config.php via path traversal, enabling full site takeover. The vulnerability stems from unsanitized GET parameter processing in PMCS::action_handler() without authentication or nonce checks. CVSS 8.1 reflects network-accessible attack requiring only low-privilege authentication with high integrity and availability impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the lack of input validation.
WordPress
PHP
Path Traversal
-
CVE-2026-4108
HIGH
CVSS 7.3
Stored cross-site scripting (XSS) in Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers to inject malicious scripts through the Non-Owner Mailbox Permission report, potentially compromising confidentiality and integrity of user sessions. CVSS 7.3 (High); EPSS data unavailable. Exploitation requires low attack complexity, authenticated access, and user interaction. No public exploit identified at time of analysis, and the vendor has released patched version 5802.
XSS
Microsoft
-
CVE-2026-4107
HIGH
CVSS 7.3
Stored cross-site scripting in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts via the Folder Message Count and Size report. With CVSS 7.3 (High severity) and requiring low-privilege authentication with user interaction, successful exploitation enables session hijacking and credential theft within the administrative interface. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack surface with low complexity.
XSS
Microsoft
-
CVE-2026-3880
HIGH
CVSS 7.3
Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers to inject malicious scripts through the Public Folder Client Permissions report, enabling session hijacking and credential theft with medium exploitation complexity. No active exploitation confirmed (not present in CISA KEV), though the network-accessible attack vector and stored nature of the XSS elevate real-world risk for organizations using this Exchange monitoring solution.
XSS
Microsoft
-
CVE-2026-3879
HIGH
CVSS 7.3
Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers with low privileges to inject malicious scripts into Equipment Mailbox Details reports, enabling session hijacking and credential theft against administrative users who view the poisoned reports. No active exploitation confirmed (not in CISA KEV), but the vulnerability affects organizations monitoring Microsoft Exchange environments through ManageEngine's reporting platform.
XSS
Microsoft
-
CVE-2025-68153
HIGH
CVSS 7.1
Privilege escalation in Canonical Juju 2.9.0 through 3.6.18 allows any authenticated user, machine agent, or sub-controller to modify application resources across the entire Juju controller, bypassing intended authorization boundaries. CVSS 7.1 (High) with network-accessible attack vector and low complexity. EPSS data not provided; no public exploit identified at time of analysis. Vendor-released patches available in versions 2.9.56 and 3.6.19.
Authentication Bypass
-
CVE-2025-59711
HIGH
CVSS 8.3
Directory traversal in BizTalk360 before version 11.5 allows authenticated attackers to write files outside the intended upload directory and potentially coerce authentication from the service through mishandling of user input in an upload mechanism. The vulnerability requires valid authentication credentials but enables arbitrary file write capabilities that could lead to remote code execution or service compromise.
Path Traversal
-
CVE-2025-59710
HIGH
CVSS 8.8
Remote code execution in BizTalk360 before version 11.5 allows any authenticated user to upload a malicious DLL and trigger its execution on the server through an unprotected DLL-loading endpoint. The vulnerability stems from missing access controls on a method that loads and executes DLL files, enabling attackers with valid domain credentials to achieve arbitrary code execution without requiring elevated privileges.
RCE
File Upload
-
CVE-2025-10681
HIGH
CVSS 8.8
Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.
Authentication Bypass
-
CVE-2026-35549
MEDIUM
CVSS 6.5
Denial of service in MariaDB Server occurs when the caching_sha2_password authentication plugin is enabled and accounts use it, because unbounded stack allocation in sha256_crypt_r lets a large packet crash the server. Authenticated remote attackers can crash the server by sending a crafted large authentication packet. MariaDB versions before 11.4.10, 11.5.0 through 11.8.5, and 12.0.0 through 12.2.1 are affected. No public exploit code or confirmed active exploitation reported at time of analysis.
Denial Of Service
-
CVE-2026-35545
MEDIUM
CVSS 5.3
Roundcube Webmail before versions 1.5.15 and 1.6.15 fails to properly sanitize SVG content in email messages, allowing the remote image blocking feature to be bypassed via SVG animate elements with malicious attributeName values. This vulnerability enables unauthenticated attackers to bypass access controls and potentially disclose information through image loading, affecting all Roundcube installations using vulnerable versions.
Information Disclosure
-
CVE-2026-35544
MEDIUM
CVSS 5.3
Roundcube Webmail before versions 1.5.14 and 1.6.14 allows unauthenticated remote attackers to bypass CSS-based security mitigations in HTML email rendering by injecting !important declarations, enabling potential integrity attacks such as phishing or UI redressing. The vulnerability stems from insufficient CSS sanitization when processing HTML email messages, with no authentication required and minimal attack complexity.
Authentication Bypass
-
CVE-2026-35543
MEDIUM
CVSS 5.3
Roundcube Webmail before versions 1.5.14 and 1.6.14 allows unauthenticated remote attackers to bypass the remote image blocking feature via SVG content containing animate attributes in email messages, leading to information disclosure or access control bypass. The vulnerability has a CVSS score of 5.3 (moderate severity) with low attack complexity and no authentication required, though the confidentiality impact is limited.
Information Disclosure
-
CVE-2026-35542
MEDIUM
CVSS 5.3
Roundcube Webmail before versions 1.5.14 and 1.6.14 allows unauthenticated remote attackers to bypass the remote image blocking security feature through a crafted background attribute in a BODY element of an email message, enabling information disclosure via tracking pixels or other image-based reconnaissance. The vulnerability affects all versions prior to 1.5.14 and 1.6.x versions before 1.6.14, with CVSS 5.3 (medium severity) reflecting the low confidentiality impact but lack of authentication requirements.
Information Disclosure
-
CVE-2026-35541
MEDIUM
CVSS 4.2
Type confusion in Roundcube Webmail's password plugin allows authenticated users to change passwords without knowing the old password, affecting versions before 1.5.14 and 1.6.14. The vulnerability stems from incorrect password comparison logic that enables privilege escalation within an authenticated session. While the CVSS score of 4.2 reflects moderate severity and the requirement for prior authentication, the impact is direct account compromise for any authenticated user.
Information Disclosure
Memory Corruption
-
CVE-2026-35540
MEDIUM
CVSS 5.4
Roundcube Webmail 1.6.0 through 1.6.13 allows Server-Side Request Forgery (SSRF) and Information Disclosure through insufficient CSS sanitization in HTML email messages, enabling attackers to craft malicious stylesheets that reference local network hosts. The vulnerability affects all instances processing HTML emails with external stylesheet links and does not require authentication (CVSS AV:N, PR:N). Vendor-released patch: versions 1.6.14, 1.7-rc5, and later.
Information Disclosure
SSRF
-
CVE-2026-35539
MEDIUM
CVSS 6.1
Cross-site scripting (XSS) in Roundcube Webmail before versions 1.5.14 and 1.6.14 allows remote attackers to inject malicious scripts via insufficient HTML sanitization in text/html attachment preview mode. An authenticated user must preview a malicious text/html attachment to trigger the vulnerability, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of the victim. No public exploit code or active exploitation has been confirmed; EPSS score of 6.1 reflects moderate real-world risk given the user interaction requirement.
XSS
-
CVE-2026-35508
MEDIUM
CVSS 5.4
Cross-site scripting (XSS) in Shynet before version 0.14.0 allows unauthenticated remote attackers to inject arbitrary scripts through the urldisplay and iconify template filters, potentially compromising user sessions and data integrity with medium attack complexity and cross-site scope. The vulnerability affects the analytics platform's template rendering layer and has been patched in version 0.14.0 with no confirmed active exploitation reported.
XSS
-
CVE-2026-35507
MEDIUM
CVSS 6.4
Host header injection in Shynet before 0.14.0 allows unauthenticated remote attackers to manipulate password reset functionality through crafted HTTP Host headers, enabling account hijacking and unauthorized access via email-based password reset flows. The vulnerability requires user interaction (clicking a reset link) and carries a CVSS score of 6.4 with confirmed patch availability in version 0.14.0.
Code Injection
-
CVE-2026-35468
MEDIUM
CVSS 5.3
Denial of service in Nimiq Core RS Albatross prior to version 1.3.0 allows remote attackers to crash full nodes by sending specially crafted consensus requests (RequestTransactionsProof or RequestTransactionReceiptsByAddress) when the node is operating without a history index. The vulnerability stems from unsafe unwrap() calls that panic when encountering a valid but unindexed state, affecting nodes during synchronization or when intentionally configured without history indexing.
Information Disclosure
-
CVE-2026-35181
MEDIUM
CVSS 4.3
Cross-site request forgery (CSRF) in AVideo's player skin configuration endpoint allows unauthenticated remote attackers to modify the video player appearance platform-wide when an authenticated administrator visits a malicious webpage. The vulnerability stems from missing CSRF token validation combined with disabled ORM-level domain security checks and SameSite=None cookie configuration; a proof-of-concept demonstrates silent modification of player skin settings without admin consent.
CSRF
PHP
-
CVE-2026-35179
MEDIUM
CVSS 5.3
Unauthenticated proxy access in AVideo's SocialMediaPublisher plugin allows any user to make arbitrary Facebook/Instagram Graph API calls through the `publishInstagram.json.php` endpoint without authentication or authorization checks. By sending crafted requests with stolen or leaked access tokens, attackers can publish, modify, or delete content on the platform's Instagram account and potentially bypass rate limits using the server's IP address. CVSS 5.3 (medium integrity impact); no active exploitation confirmed but proof-of-concept is publicly available.
PHP
Authentication Bypass
-
CVE-2026-35166
MEDIUM
CVSS 5.3
Cross-site scripting (XSS) in Hugo's default Markdown-to-HTML renderer, which fails to properly escape links and image links, allows injection of malicious scripts through markdown content. Hugo v0.159.2 and earlier are affected. Users who employ custom render hooks for links and images, or who trust all markdown content sources, are not vulnerable. Vendor-released patch: v0.159.2.
XSS
-
CVE-2026-35052
MEDIUM
CVSS 5.3
Remote code execution in D-Tale allows unauthenticated attackers to execute arbitrary code on servers hosting D-Tale publicly when using Redis or Shelf storage backends. The vulnerability stems from improper input validation in the storage layer, affecting D-Tale versions prior to 3.22.0. Vendor-released patch version 3.22.0 is available.
Redis
RCE
XSS
-
CVE-2026-34990
MEDIUM
CVSS 5.0
Local privilege escalation in OpenPrinting CUPS 2.4.16 and prior allows unprivileged users to bypass authentication and create arbitrary file overwrites as root by coercing cupsd into issuing reusable Authorization tokens and leveraging printer-sharing policies to persist file:// URIs that bypass FileDevice restrictions. A proof-of-concept demonstrates root command execution via sudoers file modification, and the vulnerability is confirmed by the presence of public exploit code.
Authentication Bypass
-
CVE-2026-34980
MEDIUM
CVSS 6.1
Unauthenticated remote code execution in OpenPrinting CUPS 2.4.16 and earlier allows attackers to send print jobs to shared PostScript queues without authentication, exploit a newline injection vulnerability in page-border parameter handling, and execute arbitrary binaries as the lp user by chaining a follow-up raw print job. CISA KEV status and active exploitation confirmation not provided; no publicly available patches identified at publication.
Authentication Bypass
-
CVE-2026-34979
MEDIUM
CVSS 5.3
Heap-based buffer overflow in OpenPrinting CUPS scheduler versions 2.4.16 and prior allows unauthenticated remote attackers to trigger a denial of service condition by crafting malicious job attributes that overflow buffers during filter option string construction. With a CVSS score of 5.3 and network accessibility, this vulnerability impacts availability on exposed CUPS instances; no public exploit code or vendor patch has been released as of publication.
Heap Overflow
Buffer Overflow
-
CVE-2026-34978
MEDIUM
CVSS 6.5
Path traversal in OpenPrinting CUPS RSS notifier (versions 2.4.16 and prior) allows unauthenticated remote IPP clients to write arbitrary files outside the intended CacheDir/rss directory via a crafted notify-recipient-uri parameter. By exploiting default group-writable permissions on CacheDir, attackers can overwrite critical state files such as job.cache, causing the CUPS scheduler to fail parsing job queues and resulting in loss of previously queued print jobs. No public exploit code or vendor patch is currently available, though the vulnerability is demonstrated with proof-of-concept exploitation.
Path Traversal
-
CVE-2026-34933
MEDIUM
CVSS 5.5
Denial of service in Avahi prior to version 0.9-rc4 allows local unprivileged users to crash avahi-daemon by sending a D-Bus method call with conflicting publish flags. The vulnerability requires local access and low privileges but causes immediate service unavailability. No public exploit code or active exploitation has been confirmed; however, the attack is trivial to execute given the low complexity barrier.
Denial Of Service
-
CVE-2026-34788
MEDIUM
CVSS 6.5
SQL injection in Emlog tag management allows authenticated administrators to execute arbitrary SQL queries through the updateTagName() function in include/model/tag_model.php. Versions 2.6.2 and prior are affected. An attacker with administrative privileges can exploit this via direct SQL manipulation to modify or exfiltrate database contents. No public exploit code or active exploitation has been confirmed; patch status remains unavailable as of publication.
SQLi
PHP
-
CVE-2026-34787
MEDIUM
CVSS 6.5
Local file inclusion in Emlog admin/plugin.php allows authenticated attackers to execute arbitrary PHP code via the unsanitized $plugin parameter in GET requests, provided CSRF token validation can be bypassed. Emlog versions 2.6.2 and prior are affected. An authenticated attacker with high privileges can include arbitrary files from the server filesystem, achieving remote code execution without requiring user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.
LFI
CSRF
PHP
RCE
-
CVE-2026-34779
MEDIUM
CVSS 6.5
Electron's moveToApplicationsFolder() API on macOS improperly sanitizes application bundle paths in AppleScript fallback code, allowing arbitrary AppleScript execution when a user accepts a move-to-Applications prompt on a system with a crafted path. Remote code execution is possible if an attacker can control the installation path or launch context of an Electron application; however, this requires user interaction (accepting the move prompt) and is limited to local attack surface. No public exploit code or active exploitation has been identified. CVSS 6.5 reflects moderate risk due to local-only attack vector and user interaction requirement, though the impact (code execution) is severe.
Apple
Command Injection
-
CVE-2026-34778
MEDIUM
CVSS 5.9
Electron's service worker implementation allows spoofing of internal IPC reply messages, enabling a malicious service worker to inject attacker-controlled data into the main process's promise resolution from webContents.executeJavaScript() and related methods. This affects Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6, and impacts only applications that register service workers and rely on executeJavaScript() return values for security decisions. The vulnerability requires local authenticated access and medium attack complexity, with no public exploit code or active exploitation confirmed at analysis time.
Authentication Bypass
-
CVE-2026-34777
MEDIUM
CVSS 5.4
Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0 pass the top-level page origin instead of the requesting iframe's origin to permission request handlers for fullscreen, pointerLock, keyboardLock, openExternal, and media permissions, allowing attackers to trick applications into granting sensitive permissions to embedded third-party content via social engineering or malicious iframe injection. Unauthenticated remote attackers can exploit this via user interaction (iframe load), with CVSS 5.4 indicating moderate confidentiality and integrity impact; no public exploit code or active exploitation confirmed at time of analysis.
Information Disclosure
-
CVE-2026-34776
MEDIUM
CVSS 5.3
Out-of-bounds heap read in Electron's single-instance lock mechanism on macOS and Linux allows local attackers with same-user privileges to leak sensitive application memory through crafted second-instance messages. Affected Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6 are vulnerable only if applications explicitly call app.requestSingleInstanceLock(); no public exploit code is currently identified, but the CVSS 5.3 score reflects moderate confidentiality impact combined with local attack complexity requirements.
Information Disclosure
Buffer Overflow
Microsoft
Apple
-
CVE-2026-34775
MEDIUM
CVSS 6.8
Electron's nodeIntegrationInWorker webPreference fails to properly isolate Node.js integration in worker contexts across certain process-sharing configurations, allowing workers in frames explicitly configured with nodeIntegrationInWorker: false to unexpectedly gain Node.js capabilities. Only applications that explicitly enable nodeIntegrationInWorker are affected. The vulnerability carries a CVSS score of 6.8 and permits information disclosure and code execution in affected contexts, with no public exploit identified at time of analysis.
Node.js
Information Disclosure
Microsoft
-
CVE-2026-34773
MEDIUM
CVSS 4.7
Electron's setAsDefaultProtocolClient() on Windows fails to validate protocol names before writing to the Windows registry, allowing local authenticated attackers to hijack protocol handlers by writing to arbitrary HKCU\Software\Classes\ subkeys when apps pass untrusted input as the protocol parameter. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0, and requires local access and low privileges; no public exploit has been identified at time of analysis.
RCE
Microsoft
-
CVE-2026-34772
MEDIUM
CVSS 5.8
Use-after-free in Electron framework allows memory corruption when native save-file dialogs remain open during session teardown. Affected Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.7 enable local attackers with UI interaction to trigger freed memory dereference via downloaded files, potentially causing application crashes or memory corruption. Only applications that programmatically destroy sessions at runtime and permit downloads are vulnerable; no public exploit code or active exploitation has been identified.
Use After Free
Memory Corruption
Buffer Overflow
-
CVE-2026-34767
MEDIUM
CVSS 5.9
HTTP response header injection in Electron allows remote attackers to inject malicious headers via crafted input reflected in response headers when custom protocol handlers or webRequest.onHeadersReceived are used. An attacker can manipulate cookies, content security policy, or cross-origin access controls in affected applications. This affects Electron 41.x before 41.0.3, 40.x before 40.8.3, 39.x before 39.8.3, and 38.x before 38.8.6; no public exploit code is documented at time of analysis.
Code Injection
-
CVE-2026-34756
MEDIUM
CVSS 6.5
Denial of Service in vLLM OpenAI-compatible API server allows unauthenticated remote attackers to crash the service via a single HTTP request containing an extremely large n parameter. The lack of upper bound validation causes the asyncio event loop to freeze while allocating millions of request object copies, leading to rapid Out-Of-Memory crashes. CVSS 6.5 with moderate real-world risk due to the authentication requirement in the disclosed CVSS vector (PR:L), though the description indicates unauthenticated exploitability; this discrepancy warrants clarification from the vendor.
Denial Of Service
Python
-
CVE-2026-34755
MEDIUM
CVSS 6.5
Denial of service in vLLM's VideoMediaIO.load_base64() method allows authenticated remote attackers to crash the server via memory exhaustion by sending API requests with thousands of comma-separated base64-encoded JPEG frames. The vulnerability bypasses the default 32-frame limit enforced in other video loading code paths, allowing attackers to decode gigabytes of image data into memory (e.g., 5000 frames ≈ 4.6 GB for 640x480 RGB) with a small compressed payload. CVSS 6.5 (network-accessible, low complexity, requires authentication, high availability impact); no public exploit code identified at time of analysis.
Denial Of Service
Python
-
CVE-2026-34753
MEDIUM
CVSS 5.4
Server-side request forgery (SSRF) in vLLM batch runner allows authenticated attackers to make arbitrary HTTP/HTTPS requests from the vLLM server by controlling the file_url field in batch input JSON, enabling targeting of internal services such as cloud metadata endpoints without URL validation or domain restrictions. The vulnerability affects vLLM's audio transcription and translation batch endpoints and is confirmed to have an upstream fix available via GitHub PR #38482 and commit 57861ae48d3493fa48b4d7d830b7ec9f995783e7. CVSS score is 5.4 (moderate); no public exploit code or confirmed active exploitation has been identified at time of analysis.
SSRF
-
CVE-2026-34511
MEDIUM
CVSS 6.0
OpenClaw before version 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in Gemini OAuth flows, exposing cryptographic material through the redirect URL and enabling attackers who capture the URL to obtain both the authorization code and PKCE verifier, defeating PKCE protection and allowing unauthorized token redemption. The vulnerability requires user interaction (redirect capture) but has high confidentiality impact affecting OAuth security mechanisms; it is an information disclosure flaw in the OAuth implementation itself rather than a remote code execution threat.
Information Disclosure
-
CVE-2026-34229
MEDIUM
CVSS 6.1
Stored cross-site scripting (XSS) in Emlog's comment module allows unauthenticated remote attackers to inject malicious scripts via URI scheme validation bypass, affecting all versions prior to 2.6.8. The vulnerability requires user interaction (clicking a malicious link) and can result in session hijacking, credential theft, or malware distribution to website visitors. No public exploit code or active exploitation has been confirmed at time of analysis.
XSS
-
CVE-2026-34217
MEDIUM
CVSS 6.9
SandboxJS versions 0.8.35 and below allow untrusted sandboxed code to leak internal interpreter scope objects through the `new` operator, exposing raw Prop wrappers that reference the host's global variable storage (scope.allVars). An attacker controlling code execution within the sandbox can extract this scope object and modify variables in the sandbox hierarchy, though prototype chain and code evaluation remain protected. Vendor-released patch available; no active KEV status or public exploit code confirmed.
Node.js
Information Disclosure
-
CVE-2026-34211
MEDIUM
CVSS 6.9
Denial of service in @nyariv/sandboxjs through unbounded recursion in the parser allows remote attackers to crash Node.js processes by submitting deeply nested expressions (approximately 2000 nested parentheses or brackets), triggering a RangeError that terminates the application. All public API methods (Sandbox.parse, Sandbox.compile, Sandbox.compileAsync, Sandbox.compileExpression, Sandbox.compileExpressionAsync) are vulnerable with no input validation or depth limiting. A proof-of-concept demonstrating the crash exists; no public active exploitation has been reported at the time of analysis.
Node.js
Denial Of Service
-
CVE-2026-34061
MEDIUM
CVSS 4.9
Elected validator proposers in nimiq/core-rs-albatross before version 1.3.0 can submit election macro blocks with malformed interlink headers that bypass proposal validation but are rejected during block finalization, causing denial of service by halting consensus after Tendermint voting completes. The vulnerability requires high privileges (validator proposer role) and results in network availability impact but no data compromise, affecting the Nimiq Proof-of-Stake network's consensus reliability.
Information Disclosure
Canonical
-
CVE-2026-34052
MEDIUM
CVSS 5.9
Memory exhaustion denial of service in jupyterhub-litauthenticator 1.6.2 and earlier allows unauthenticated remote attackers to crash the LTI 1.1 validator by submitting repeated requests with unique OAuth nonces. The vulnerability exists because nonces are stored in an unbounded class-level dictionary before signature validation occurs, enabling an attacker with knowledge of a valid consumer key to gradually exhaust server memory without authentication. EPSS score of 5.9 (medium-high) reflects the network attack vector and practical exploitability, though the requirement to know a valid consumer key and achieve high authentication complexity moderates real-world risk.
Denial Of Service
-
CVE-2026-33709
MEDIUM
CVSS 5.1
Open redirect vulnerability in JupyterHub prior to version 5.4.4 allows unauthenticated remote attackers to craft malicious links that bypass JupyterHub's redirect validation, redirecting users through the legitimate login page to arbitrary attacker-controlled sites. This enables phishing attacks and credential harvesting by leveraging JupyterHub's trusted domain to establish credibility. The vulnerability requires user interaction (clicking a link) and has been patched in version 5.4.4.
Open Redirect
-
CVE-2026-32662
MEDIUM
CVSS 6.9
Gardyn Cloud API exposes development and test endpoints that mirror production functionality, allowing unauthenticated remote attackers to access sensitive information with low complexity. This information disclosure vulnerability (CVSS 6.9) affects all versions of Gardyn Cloud API and has been documented by CISA ICS in advisory ICSA-26-055-03; no public exploit code or active exploitation has been identified at the time of analysis.
Information Disclosure
-
CVE-2026-28767
MEDIUM
CVSS 6.9
Unauthenticated attackers can access administrative endpoint notifications in Gardyn Cloud API without proper authentication, allowing information disclosure via an authentication bypass vulnerability. The CVSS 6.9 score reflects the network accessibility and lack of required privileges, though impact is limited to confidentiality. No public exploit code or active exploitation has been confirmed at time of analysis.
Authentication Bypass
-
CVE-2026-28736
MEDIUM
CVSS 4.3
Focalboard 8.0 fails to validate file ownership during file serving, allowing authenticated attackers to read arbitrary uploaded files if they know the target fileID. The vulnerability affects all versions of the standalone Focalboard product, which is no longer maintained by Mattermost and will not receive security patches. An attacker with valid credentials can exploit this authorization bypass with no additional user interaction to access sensitive file contents.
Authentication Bypass
-
CVE-2026-27481
MEDIUM
CVSS 6.3
Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-pre allow unauthenticated users to enumerate and view hidden staff-only tags and associated metadata through an authorization bypass flaw. All instances with tagging enabled and staff-only tag groups configured are vulnerable. The issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0 final. No public exploit code or active exploitation has been confirmed at the time of analysis.
Information Disclosure
-
CVE-2026-27456
MEDIUM
CVSS 4.7
Unauthorized read access to root-owned files via TOCTOU race condition in util-linux mount binary (versions prior to 2.41.4) allows local users with existing fstab entries to replace loop device source files with symlinks pointing to sensitive files or block devices, bypassing intended access controls. The vulnerability requires moderate exploitation effort (AC:H) and authenticated user access (PR:L) but grants disclosure of confidential data including filesystem backups and disk volumes. No public exploit code or active CISA KEV status identified at time of analysis.
Authentication Bypass
Redhat
Suse
-
CVE-2026-27447
MEDIUM
CVSS 4.8
CUPS daemon (cupsd) versions 2.4.16 and earlier authenticate users via case-insensitive username comparison, allowing an authenticated high-privileged user to bypass authorization controls by submitting requests under a username that differs only in case from an authorized user, gaining access to restricted printing operations. No public exploit code has been identified, and patches were not available at the time of initial disclosure, though an upstream commit indicates a fix may have been prepared.
Authentication Bypass
Redhat
Suse
-
CVE-2026-26477
MEDIUM
CVSS 4.3
Denial of service in Dokuwiki version 2025-05-14b 'Librarian' release allows remote attackers to crash or disable the application through improper input handling in the media_upload_xhr() function within media.php. The vulnerability requires network access to the media upload endpoint but does not require authentication. No public exploit code, CVSS scoring, or active exploitation has been confirmed at the time of analysis.
Denial Of Service
PHP
-
CVE-2026-26058
MEDIUM
CVSS 6.1
Path traversal in Zulip's ./manage.py import function allows local attackers to read arbitrary files from the server filesystem and copy them into the uploads directory via a crafted export tarball containing specially crafted paths in uploads/records.json. Zulip versions 1.4.0 through 11.5 are affected; the vulnerability requires local access and user interaction (import initiation) but can expose sensitive server data readable by the Zulip application user. No active exploitation has been confirmed; a vendor-released patch is available in version 11.6.
Path Traversal
-
CVE-2026-25742
MEDIUM
CVSS 5.3
Zulip versions 1.4.0 through 11.5 allow unauthenticated retrieval of attachments and topic history from web-public streams even after spectator access is disabled, due to incomplete access control on attachment serving and the /users/me/<stream_id>/topics endpoint. An attacker can bypass intended access restrictions to read file contents and stream metadata after public access is supposed to be revoked. The vulnerability affects all Zulip deployments that previously enabled spectator access and then disabled it. Vendor-released patch: version 11.6.
Authentication Bypass
-
CVE-2026-25118
MEDIUM
CVSS 6.3
Immich prior to version 2.6.0 discloses shared album passwords in cleartext within URL query parameters during authentication to /api/shared-links/me, exposing credentials to browser history, proxy logs, server logs, and HTTP referrer headers. An unauthenticated attacker with access to these logs or referrer data can obtain album passwords and compromise shared album access, affecting all installations using shared albums with password protection before the patch.
Information Disclosure
-
CVE-2026-25043
MEDIUM
CVSS 5.3
Email flooding denial of service in Budibase prior to version 3.23.25 allows unauthenticated remote attackers to overwhelm user inboxes by repeatedly triggering password reset requests without rate limiting, CAPTCHA, or abuse prevention controls. An attacker can send hundreds of password reset emails to a target address in a short time window, causing user harassment, inbox denial of service, and potential reputational damage. This vulnerability has been patched in version 3.23.25.
Denial Of Service
-
CVE-2026-22662
MEDIUM
CVSS 5.3
Blind server-side request forgery in prompts.chat media generator allows authenticated users to manipulate the inputImageUrl parameter in /api/media-generate POST requests to perform arbitrary server-side HTTP fetches, enabling internal network reconnaissance, access to internal services, and potential data exfiltration through the upstream Wiro service without receiving direct response bodies. The vulnerability affects prompts.chat prior to commit 1464475 and requires valid user authentication; patch availability has been confirmed through vendor repository.
SSRF
-
CVE-2026-5484
MEDIUM
CVSS 5.5
BookStack chapter export functionality allows unauthenticated remote attackers to bypass access controls via manipulation of the pages parameter in the chapterToMarkdown function, enabling improper access to restricted content. Affects BookStack versions up to 26.03; patch available in version 26.03.1. Publicly available exploit code exists and CVSS 5.5 reflects low confidentiality impact with no integrity or availability compromise.
PHP
Authentication Bypass
-
CVE-2026-5475
MEDIUM
CVSS 5.1
Memory corruption in NASA cFS up to version 7.0.0 via manipulation of the CFE_SB_TransmitMsg function in the CCSDS Header Size Handler component allows local attackers with low privileges to corrupt memory, potentially leading to denial of service or information disclosure. No public exploit code or active exploitation has been confirmed; the vendor was notified early but has not yet released a patch as of analysis time.
Buffer Overflow
-
CVE-2026-5474
MEDIUM
CVSS 5.3
Heap-based buffer overflow in NASA cFS up to version 7.0.0 exists in the CFE_MSG_GetSize function within the CCSDS Packet Header Handler component (apps/to_lab/fsw/src/to_lab_passthru_encode.c), allowing attackers on the local network to cause memory corruption with limited confidentiality, integrity, and availability impact. The vulnerability requires network adjacency but no authentication or user interaction; no public exploit code has been identified, and the project has not yet released a patch despite early notification through GitHub issue tracking.
Buffer Overflow
-
CVE-2026-5472
MEDIUM
CVSS 5.3
Unrestricted file upload in ProjectsAndPrograms School Management System up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59 allows authenticated users to upload arbitrary files via the Profile Picture Handler in /admin_panel/settings.php, enabling remote code execution. The vulnerability affects the File parameter with low attack complexity and has publicly available exploit code; while CVSS 5.3 reflects moderate integrity and confidentiality impact, the low authentication requirement and network accessibility make this a practical privilege escalation and code execution vector for authenticated attackers.
File Upload
PHP
Authentication Bypass
-
CVE-2026-5470
MEDIUM
CVSS 5.3
Server-side request forgery in mixelpixx Google-Research-MCP allows authenticated remote attackers to craft malicious URLs passed to the extractContent function, enabling them to make arbitrary HTTP requests from the affected server. The vulnerability affects the Model Context Protocol Handler component, has a publicly available exploit, and receives a CVSS 5.3 score with moderate exploitation likelihood. The vendor has not responded to disclosure attempts, and the project uses rolling releases, making patch tracking difficult.
Google
SSRF
-
CVE-2026-5469
MEDIUM
CVSS 5.1
Server-side request forgery in Casdoor 2.356.0 webhook URL handler allows authenticated remote attackers with high privileges to trigger SSRF attacks through webhook URL manipulation, enabling potential access to internal network resources. No public exploit code or active exploitation has been identified; CVSS 5.1 reflects limited confidentiality and integrity impact despite remote network accessibility.
SSRF
-
CVE-2026-5468
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in Casdoor 2.356.0 via the dangerouslySetInnerHTML function allows authenticated remote attackers to inject malicious scripts through the formCss, formCssMobile, or formSideHtml parameters. An attacker with authenticated access can craft payloads that execute arbitrary JavaScript in the context of other users' browsers when they view affected forms. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, indicating no coordinated patch timeline.
XSS
-
CVE-2026-5467
MEDIUM
CVSS 5.3
Open redirect vulnerability in Casdoor 2.356.0 OAuth Authorization Request Handler allows remote attackers to manipulate the redirect_uri parameter and redirect users to arbitrary external sites. The vulnerability requires user interaction (UI:R) but has low CVSS severity (4.3); however, publicly available exploit code exists and the vendor has not responded to disclosure attempts, leaving deployed instances unpatched.
Open Redirect
-
CVE-2026-2625
MEDIUM
CVSS 4.0
Denial of service in rust-rpm-sequoia allows local attackers to crash RPM signature verification by submitting specially crafted RPM files that trigger unhandled errors in OpenPGP parsing, preventing legitimate package management operations. CVSS 4.0 (low severity); local attack vector; no authentication required. No public exploit code or active exploitation confirmed.
Denial Of Service
Redhat
Jwt Attack
-
CVE-2025-68152
MEDIUM
CVSS 6.9
Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to read arbitrary log files for any entity across any model without proper authorization checks. This authentication bypass (CWE-863) affects high-privilege scenarios where an attacker already controls a machine within a Juju-managed infrastructure, enabling lateral information disclosure to extract sensitive operational logs. The vulnerability has been patched in Juju 2.9.56 and 3.6.19.
Authentication Bypass
-
CVE-2025-59709
MEDIUM
CVSS 6.8
Biztalk360 through version 11.5 contains a directory traversal vulnerability allowing Super User attackers to read arbitrary files on the system and coerce authentication from the service through mishandled user input in file path parameters. The vulnerability enables local file access and potential credential extraction by authenticated administrators with Super User privileges.
Path Traversal
-
CVE-2025-7024
MEDIUM
CVSS 5.6
AIRBUS TETRA Connectivity Server 7.0 on Windows Server allows privilege escalation to SYSTEM via incorrect default directory permissions (CWE-276), enabling local authenticated attackers to execute arbitrary code by placing a crafted file in a vulnerable directory with user interaction. The vulnerability affects TETRA Connectivity Server version 7.0, with patches available for versions 8.0 and 9.0. No public exploit code or active exploitation in the wild has been identified at time of analysis.
Privilege Escalation
RCE
Microsoft
-
CVE-2026-35538
LOW
CVSS 3.1
Roundcube Webmail before versions 1.5.14 and 1.6.14 allows authenticated remote attackers to conduct IMAP injection attacks or bypass CSRF protections via unsanitized IMAP SEARCH command arguments. The vulnerability requires user interaction (high complexity) and authenticated access, resulting in limited integrity impact without confidentiality or availability compromise. No public exploit code or active exploitation has been confirmed at time of analysis.
CSRF
-
CVE-2026-35537
LOW
CVSS 3.7
Unsafe deserialization in Roundcube Webmail's Redis/Memcache session handler allows unauthenticated remote attackers to write arbitrary files by crafting malicious session data. Affected versions include all 1.6.x before 1.6.14 and all 1.5.x before 1.5.14. While the CVSS score of 3.7 is low and attack complexity is high, the integrity impact (arbitrary file write) poses a real risk to instances using Redis or Memcache for session storage.
Deserialization
Redis
-
CVE-2026-34947
LOW
CVSS 2.7
Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0-beta expose staged user custom fields and usernames on public invite pages without requiring email verification. An unauthenticated remote attacker can enumerate user information and custom field data by accessing public invitation links, potentially gathering sensitive user attributes before account activation. The vulnerability has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0, with no public exploit code or active exploitation confirmed at time of analysis.
Information Disclosure
-
CVE-2026-34768
LOW
CVSS 3.9
Electron's setLoginItemSettings() function on Windows fails to quote executable paths in the Run registry key, allowing local attackers with write access to ancestor directories to execute arbitrary programs at login if the app is installed to a path containing spaces. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, and requires high-privilege access and unfavorable conditions (non-standard install paths) to exploit, making real-world impact limited to non-default Windows configurations.
Microsoft
Authentication Bypass
-
CVE-2026-34766
LOW
CVSS 3.3
Electron's WebUSB device selection handler fails to validate chosen device IDs against renderer-requested filters, allowing authenticated local users with UI interaction to bypass intended device access restrictions and gain access to unfiltered USB devices. The vulnerability affects Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, with CVSS 3.3 (low severity) due to local-only attack vector and UI interaction requirement; the WebUSB security blocklist remains enforced, limiting practical impact to applications with non-standard device selection logic.
Authentication Bypass
-
CVE-2026-34764
LOW
CVSS 2.3
Use-after-free in Electron's offscreen rendering with GPU shared textures allows local attackers with high privileges to cause memory corruption or application crashes by invoking the texture release callback after its backing native state has been freed. The vulnerability affects Electron versions before 42.0.0-alpha.5, 41.1.0, 40.8.5, and 39.8.5, and only impacts applications explicitly enabling shared-texture offscreen rendering via webPreferences.offscreen.useSharedTexture: true.
Use After Free
Memory Corruption
Buffer Overflow
-
CVE-2026-31404
None
NULL pointer dereference in Linux kernel NFSD export cache cleanup allows local denial of service when RCU readers in e_show() and c_show() concurrently access export path and client name objects while cache_clean removes entries and drops the last reference prematurely. The vulnerability stems from path_put() and auth_domain_put() executing before the RCU grace period completes, freeing sub-objects still in use by readers. A fix has been merged upstream that defers these cleanup operations to a dedicated workqueue after the RCU grace period, ensuring safe resource release in process context where sleeping is permitted.
Linux
Linux Kernel
Use After Free
-
CVE-2026-31403
None
Use-after-free in Linux kernel NFSD /proc/fs/nfs/exports proc entry allows information disclosure when a network namespace is destroyed while an exports file descriptor remains open. The vulnerability occurs because exports_proc_open() captures a network namespace reference without holding a refcount, enabling nfsd_net_exit() to free the export cache while the fd is still active, leading to subsequent reads dereferencing freed memory. The fix holds a struct net reference for the lifetime of the open file descriptor, preventing namespace teardown while any exports fd is open.
Linux
Linux Kernel
Denial Of Service
Use After Free
-
CVE-2026-31402
None
Heap overflow in Linux kernel NFSv4.0 LOCK replay cache allows unauthenticated remote attackers to corrupt kernel memory, leading to denial of service or potentially code execution. The vulnerability exists in nfsd4_encode_operation(), which copies encoded LOCK responses of up to 1024 bytes into a fixed 112-byte inline buffer without bounds checking, resulting in up to 944 bytes of slab-out-of-bounds writes. Exploitation requires two cooperating NFSv4.0 clients but no special privileges; upstream fixes are available across multiple stable kernel branches.
Linux
Linux Kernel
Heap Overflow
Denial Of Service
-
CVE-2026-31401
None
Buffer overflow in Linux kernel HID-BPF subsystem allows arbitrary return values from dispatch_hid_bpf_raw_requests() to overflow the hid_hw_request buffer without validation. The vulnerability affects all Linux kernel versions with HID-BPF support; attackers with the ability to load or influence BPF programs targeting HID devices can trigger memory corruption. No CVSS score, EPSS data, or confirmed active exploitation has been assigned at time of analysis.
Linux
Linux Kernel
Buffer Overflow
-
CVE-2026-31400
None
Linux kernel sunrpc subsystem fails to properly release cache_request objects when file descriptors are closed mid-read, resulting in memory leaks and potential information disclosure through stale cache entries. The vulnerability affects all Linux kernel versions with the affected sunrpc cache implementation, and requires no special privileges or network access to trigger since it occurs during normal file descriptor closure in the kernel's user-space cache management interface.
Linux
Linux Kernel
Memory Corruption
-
CVE-2026-31399
None
Use-after-free in Linux kernel nvdimm/bus asynchronous device registration allows local denial of service when device_add() fails during nd_async_device_register(). The vulnerability occurs because a device reference is dropped before the parent pointer is safely accessed, causing a kernel crash or memory corruption. No authenticated access is required, only local access with the ability to trigger device registration failures.
Linux
Linux Kernel
Use After Free
-
CVE-2026-31398
None
Linux kernel mm/rmap subsystem fails to correctly preserve page table entry attributes (writable and soft-dirty bits) when batching unmap operations on lazyfree folios, causing kernel panic via page table check violation when a large folio with mixed writable/non-writable PTEs is unmapped across multiple processes. The vulnerability affects all Linux kernel versions with the vulnerable folio_unmap_pte_batch() code path and can be triggered by local attackers through a specific sequence of memory management syscalls (MADV_DONTFORK, fork(), MADV_DOFORK, MADV_FREE, and memory reclaim), resulting in denial of service via kernel crash.
Linux
Linux Kernel
Memory Corruption
-
CVE-2026-31397
None
Linux kernel memory management allows installation of PMD entries pointing to non-existent physical memory or causes NULL pointer dereferences in move_pages_huge_pmd() when handling huge zero page migrations via UFFDIO_MOVE. The vulnerability occurs because the function incorrectly handles NULL folio pointers for huge zero pages, either producing bogus page frame numbers on SPARSEMEM_VMEMMAP systems or dereferencing NULL on other memory models. Additionally, destination PMD entries lose special mapping metadata (pmd_special flag), causing subsequent page reference counting corruption. No CVSS score is available; no active exploitation reported.
Linux
Linux Kernel
Use After Free
-
CVE-2026-31396
None
Use-after-free vulnerability in Linux kernel's Cadence MAC (macb) driver allows local attackers to read freed memory via ethtool get_ts_info calls on PTP-capable network interfaces. The PTP clock is registered when the interface opens and destroyed when it closes, but the ethtool handler can still access it after deallocation, causing a kernel memory access violation. No active exploitation confirmed; patch available in stable kernel releases.
Linux
Linux Kernel
Use After Free
-
CVE-2026-31395
None
Out-of-bounds memory access in the Linux kernel bnxt_en driver allows a malicious or compromised Broadcom NetXtreme network interface card to corrupt kernel heap memory or crash the system by supplying an unvalidated 16-bit type field in a debug buffer producer async event. This affects all Linux kernel versions using the vulnerable bnxt driver code path.
Linux
Linux Kernel
Broadcom
Buffer Overflow
Denial Of Service
-
CVE-2026-31394
None
Null pointer dereference in Linux kernel mac80211 IEEE 802.11 wireless subsystem crashes AP_VLAN stations during channel bandwidth change operations. The ieee80211_chan_bw_change() function incorrectly accesses link data on VLAN interfaces (such as 4-address WDS clients) where the link structure is uninitialized, leading to kernel panic when dereferencing a NULL channel pointer. Any system with AP_VLAN wireless configurations and active channel switch announcement (CSA) operations is vulnerable to local denial of service.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-31393
None
Out-of-bounds read in Linux kernel Bluetooth L2CAP layer allows remote attackers to read adjacent kernel memory via truncated L2CAP_INFO_RSP packets with insufficient payload length. The l2cap_information_rsp() function validates only the fixed 4-byte header but then unconditionally accesses variable-length payload fields (feat_mask at offset +4 and fixed_chan at offset +1) without verifying the payload is present, triggering kernel memory disclosure on specially crafted Bluetooth frames.
Linux
Linux Kernel
Bluetooth
Information Disclosure
Denial Of Service
-
CVE-2026-31392
None
Linux kernel SMB client incorrectly reuses Kerberos authentication sessions across multiple mounts with different username options, allowing an attacker or misconfigured system to access shares using unintended credentials. The vulnerability affects CIFS/SMB mounting with Kerberos (sec=krb5) when the username mount option is specified; the kernel fails to validate that the username parameter matches the authenticated session, causing subsequent mounts to inherit the first mount's credentials rather than failing with ENOKEY when the requested principal is absent from the keytab. This is a session management flaw that enables credential confusion and potential unauthorized share access.
Linux
Linux Kernel
Authentication Bypass
-
CVE-2026-31391
None
Memory leak in Linux kernel atmel-sha204a cryptographic driver allows local denial of service via resource exhaustion. The vulnerability occurs when memory allocation fails during tfm_count counter management; the counter is not properly decremented, causing subsequent read operations to block indefinitely. This affects all Linux kernel versions with the vulnerable atmel-sha204a implementation until patched.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-31390
None
Linux kernel xe (Intel GPU) driver leaks dynamically allocated virtual memory area (VMA) structures when argument validation fails in the xe_vm_madvise_ioctl handler, allowing local attackers to exhaust kernel memory and trigger denial of service. The vulnerability has been patched upstream in stable kernel branches by adding a proper cleanup path.
Linux
Linux Kernel
Memory Corruption
-
CVE-2026-31389
None
Use-after-free vulnerability in Linux kernel SPI controller registration allows local attackers to trigger unclocked register accesses and potential information disclosure when per-CPU statistics allocation fails during controller initialization. The vulnerability affects all Linux kernel versions and is fixed via proper driver core deregistration on allocation failure; no CVSS score or active exploitation data available at time of analysis.
Linux
Linux Kernel
Use After Free
-
CVE-2026-23475
None
NULL-pointer dereference in Linux kernel SPI subsystem allows local denial of service via sysfs attribute access. The SPI controller's per-CPU statistics structure is not allocated until after the controller registers with the driver core, creating a race window where sysfs attribute reads can trigger a kernel panic. This affects all Linux kernel versions with the vulnerable SPI statistics implementation; exploitation requires local system access to read sysfs files.
Linux
Linux Kernel
Null Pointer Dereference
-
CVE-2026-23474
None
Buffer overflow in Linux kernel's RedBoot partition table parser allows kernel panic during boot when CONFIG_FORTIFY_SOURCE is enabled with recent compilers. The MTD (Memory Technology Devices) subsystem reads beyond allocated buffer boundaries in partition name validation, triggering fortify-source detection and kernel crash (oops). This affects systems using RedBoot bootloader partitioning on embedded devices; exploitation is involuntary (denial of service via boot failure) rather than attacker-driven, with no public exploit code identified.
Linux
Linux Kernel
Buffer Overflow
-
CVE-2026-23473
None
Linux kernel io_uring/poll multishot recv can hang indefinitely when a socket shutdown occurs concurrently with data reception, due to a race condition where accumulated poll wakeups are drained without consuming the persistent HUP event. The vulnerability affects all Linux kernel versions with io_uring poll support; the fix explicitly checks for HUP conditions and re-loops when multiple poll activations are pending.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-23472
None
Infinite loop in Linux kernel serial core driver handle_tx() affects systems using uninitialized PORT_UNKNOWN serial ports, where uart_write_room() and uart_write() behave inconsistently regarding null transmit buffers, causing denial of service through system hangs. The vulnerability impacts caif_serial and other drivers that rely on tty_write_room() to determine write capacity. Patch available in upstream kernel commits; no CVSS score assigned due to kernel-specific nature and relatively limited exposure scope.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-23471
None
A use-after-free in the Linux kernel DRM subsystem occurs when framebuffers and property blobs are dereferenced after drm_dev_unplug during device driver unload, causing kernel oops and general protection faults in drm_framebuffer_cleanup. Affects all Linux kernel versions with DRM enabled; upstream fix available via kernel commits referenced in the stable tree.
Linux
Linux Kernel
Use After Free
-
CVE-2026-23470
None
Linux kernel drm/imagination driver deadlock in soft reset sequence allows local denial of service when the soft reset handler calls disable_irq() from within a threaded IRQ handler context, creating a self-deadlock condition. The fix replaces disable_irq() with disable_irq_nosync() to prevent the handler from waiting on itself. Affected systems running vulnerable kernel versions with imagination GPU drivers can experience system hangs during GPU reset operations; no public exploit code identified at time of analysis.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-23469
None
Linux kernel drm/imagination driver crashes when the GPU runtime PM suspend callback executes concurrently with an IRQ handler attempting to access GPU registers, causing kernel panics with SError interrupts on ARM64 platforms. The vulnerability affects the imagination GPU driver across Linux kernel versions and is triggered when power management suspend operations race with interrupt handling without proper synchronization. The fix adds synchronize_irq() calls to ensure IRQ handlers complete before GPU suspension and removes problematic runtime PM resume calls from the IRQ handler that could cause deadlocks.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-23468
None
Denial of service in Linux kernel amdgpu driver allows local attackers to exhaust system memory by passing an arbitrarily large BO (buffer object) list entry count from userspace. Such a count bypasses the existing overflow checks but causes excessive allocation and processing delays; fixed by enforcing a 128k entry limit per BO list.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-23467
None
NULL pointer dereference in Linux kernel DRM i915 GPU driver allows local denial of service during system probe when DMC firmware initialization has not yet completed but hardware has DC6 power state enabled. The vulnerability occurs in intel_dmc_update_dc6_allowed_count() when called from gen9_set_dc_state() during intel_power_domains_init_hw(), which executes before DMC initialization, causing kernel oops if DC6 is unexpectedly enabled by BIOS firmware. No public exploit code identified; this is a kernel crash vulnerability requiring local system access triggered by atypical BIOS behavior.
Linux
Linux Kernel
Null Pointer Dereference
-
CVE-2026-23466
None
Linux kernel DRM/xe driver fails to protect GPU memory (GGTT) MMIO access during failed driver load or asynchronous buffer object teardown, potentially enabling information disclosure or memory corruption. The vulnerability affects systems with Intel Xe graphics where the driver's hotplug-based protection mechanism does not activate if initialization fails, leaving GGTT memory accessible after the driver should have been disabled. CVSS and KEV status not available; patches have been released in upstream Linux stable branches.
Linux
Linux Kernel
Memory Corruption
-
CVE-2026-23465
None
Linux kernel btrfs filesystem fails to log new directory dentries when the parent directory of a conflicting inode is logged, causing new files and subdirectories to become inaccessible after power failure or system crash. The vulnerability affects all Linux kernel versions with btrfs; an attacker or system malfunction can trigger data loss through specific filesystem operation sequences involving deleted and recreated inodes with naming conflicts.
Linux
Linux Kernel
Information Disclosure
-
CVE-2026-23464
None
Memory leak in Linux kernel Microchip MPFS system controller driver (mpfs_sys_controller_probe) allows local attackers to exhaust kernel memory by repeatedly triggering the MTD device lookup failure path, eventually causing denial of service through memory exhaustion.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-23463
None
Race condition in Linux kernel QMan driver allows concurrent queue frame descriptor allocation and deallocation to corrupt internal state, causing WARN_ON triggers and potential information disclosure via stale fq_table entries. The vulnerability affects systems using Freescale/NXP QBMan queue management with dynamic FQID allocation enabled (QMAN_FQ_FLAG_DYNAMIC_FQID). No public exploit code or active exploitation confirmed; upstream fix merged via memory barrier enforcement to serialize table cleanup before FQID pool deallocation.
Linux
Linux Kernel
Race Condition
-
CVE-2026-23462
None
Use-after-free vulnerability in the Linux kernel's Bluetooth HIDP subsystem allows local attackers to trigger a kernel crash or potentially execute arbitrary code because L2CAP connection references are not properly released when user callbacks are invoked. The flaw affects all Linux kernel versions in the CPE range and has been resolved through reference counting fixes in the L2CAP connection cleanup path; no public exploit code is currently identified, but the vulnerability requires local access to trigger via Bluetooth device manipulation.
Linux
Linux Kernel
Bluetooth
Use After Free
-
CVE-2026-23461
None
Use-after-free in Linux kernel Bluetooth L2CAP layer allows local attackers to cause denial of service or potentially execute code via a race condition in l2cap_unregister_user(). The vulnerability arises because l2cap_register_user() and l2cap_unregister_user() access conn->users without proper locking (conn->lock), while l2cap_conn_del() protects the same structure with conn->lock, creating concurrent access to freed memory. All Linux kernel versions with Bluetooth L2CAP support are affected. Patch available via Linux stable kernel commits.
Linux
Linux Kernel
Use After Free
-
CVE-2026-23460
None
NULL pointer dereference in Linux kernel ROSE socket implementation allows local denial of service when rose_connect() is called twice during an active connection attempt. The vulnerability occurs because rose_connect() fails to validate TCP_SYN_SENT state, permitting rose->neighbour to be overwritten with NULL, which later causes a kernel crash when rose_transmit_link() dereferences the NULL pointer during socket closure. No active exploitation reported; fix available in upstream kernel commits.
Linux
Linux Kernel
Null Pointer Dereference
-
CVE-2026-23459
None
Memory corruption and potential kernel freezes occur in the Linux kernel's IP tunnel implementation when VXLAN or GENEVE tunnels transmit packets, due to incorrect offset calculations in per-CPU statistics tracking on 32-bit systems. The vulnerability arises from iptunnel_xmit_stats() assuming all tunnels use NETDEV_PCPU_STAT_TSTATS, but VXLAN and GENEVE actually use NETDEV_PCPU_STAT_DSTATS with a different memory layout, causing syncp sequence counter overwrites that corrupt statistics or deadlock the kernel. Patch commits are available in the Linux kernel stable tree and address this by adapting the statistics handler and repositioning the pcpu_stat_type field to improve cache efficiency.
Linux
Linux Kernel
Memory Corruption
Denial Of Service
-
CVE-2026-23458
None
Use-after-free in Linux kernel netfilter ctnetlink module allows local attackers to read freed kernel memory by triggering multiple-round netlink dump operations on conntrack expectations, exploiting improper reference counting in ctnetlink_dump_exp_ct() that drops conntrack references before the dump callback completes. The vulnerability requires local network namespace access and CAP_NET_ADMIN capability but enables information disclosure of kernel heap contents via KASAN-detected slab-use-after-free on ct->ext dereference.
Linux
Linux Kernel
Use After Free
-
CVE-2026-23457
None
Integer truncation in Linux kernel netfilter SIP helper allows remote attackers to bypass Content-Length validation and cause information disclosure via malformed SIP messages. The sip_help_tcp() function stores SIP Content-Length header values (returned as unsigned long) into an unsigned int variable, causing values exceeding UINT_MAX (4,294,967,295) to truncate silently on 64-bit systems. This miscalculation causes the parser to misidentify message boundaries, treating trailing TCP segment data as additional SIP messages and passing them to the SDP parser, potentially leaking kernel memory or enabling further exploitation. Upstream patches are available across multiple stable kernel branches.
Linux
Linux Kernel
Integer Overflow
-
CVE-2026-23456
None
Out-of-bounds read in Linux kernel netfilter H.323/RAS packet decoding allows local or remote attackers to read 1-4 bytes beyond allocated buffer boundaries via malformed packets. The vulnerability exists in decode_int() within nf_conntrack_h323, where insufficient boundary validation before reading variable-length integer fields permits information disclosure or potential denial of service. No CVSS score or KEV status published; patch available across multiple stable kernel branches via upstream commits.
Linux
Linux Kernel
Information Disclosure
-
CVE-2026-23455
None
Out-of-bounds read in Linux kernel netfilter nf_conntrack_h323 DecodeQ931() function allows remote attackers to trigger a kernel memory disclosure or denial of service by sending a specially crafted H.323 packet with zero-length UserUserIE field, causing integer underflow when a 16-bit length value is decremented without validation. No public exploit code identified at time of analysis, and CVSS severity not quantified in available data.
Linux
Linux Kernel
Information Disclosure
-
CVE-2026-23454
None
Use-after-free in Linux kernel MANA hardware channel teardown (net/mana driver) allows concurrent interrupt handlers to dereference freed memory in mana_hwc_destroy_channel(), potentially causing NULL pointer dereference or memory corruption. The vulnerability stems from improper teardown ordering where hwc->caller_ctx is freed before CQ/EQ IRQ handlers are fully synchronized, affecting all Linux kernel versions with the MANA driver. Fixes are available across stable kernel branches via upstream commit reordering.
Linux
Linux Kernel
Use After Free
-
CVE-2026-23453
None
Memory leak in Linux kernel's TI ICSSG PRU Ethernet driver XDP_DROP path causes page pool exhaustion and out-of-memory conditions on systems using XDP packet dropping in non-zero-copy mode. The vulnerability affects all Linux kernel versions with the vulnerable icssg-prueth driver code; page recycling was incorrectly removed from the XDP_DROP handler to support AF_XDP zero-copy mode, but this created a resource leak in standard mode. No active exploitation identified; this is a kernel stability and denial-of-service issue affecting embedded and edge systems using TI PRU Ethernet hardware.
Linux
Linux Kernel
Memory Corruption
-
CVE-2026-23452
None
Linux kernel runtime PM subsystem contains a use-after-free race condition in pm_runtime_work() where the dev->parent pointer may be dereferenced after the parent device has been freed during device removal. This results in a KASAN-detectable memory safety violation that can trigger kernel panics or arbitrary memory access. The vulnerability affects all Linux kernel versions and is resolved by adding a flush_work() call to pm_runtime_remove() to serialize device removal with pending runtime PM work.
Linux
Linux Kernel
Race Condition
Use After Free
-
CVE-2026-23451
None
Infinite loop in Linux kernel bonding device header parsing allows local denial of service when two bonding devices are stacked. The bond_header_parse() function can recurse indefinitely because skb->dev always points to the top of the device hierarchy. The fix adds a bounded recursion parameter to the header_ops parse() method to ensure the leaf parse method is called and prevent endless loops. This vulnerability affects all Linux kernel versions with the vulnerable bonding code and requires local access to trigger.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-23450
None
NULL dereference and use-after-free in the Linux kernel's SMC (Shared Memory Communications) socket implementation occur when smc_tcp_syn_recv_sock() races with socket close operations, allowing a local attacker to trigger a kernel panic via concurrent manipulation of TCP SYN handling and SMC listen socket closure. The vulnerability affects the Linux kernel across multiple versions via the net/smc subsystem and is addressed through RCU-protected access and refcount validation rather than lock-based serialization.
Linux
Linux Kernel
Use After Free
Null Pointer Dereference
-
CVE-2026-23449
None
Double-free memory corruption in the Linux kernel's TEQL (Trivial Link Equalizer) qdisc implementation allows local attackers to cause denial of service via kernel crashes. The vulnerability occurs when qdisc_reset is called without proper synchronization on lockless Qdisc root configurations, creating a race condition that results in use-after-free and double-free conditions in packet buffer management. This affects all Linux kernel versions with the vulnerable TEQL code path and requires local access to trigger via specially crafted packet scheduling operations.
Linux
Linux Kernel
Denial Of Service
Memory Corruption
-
CVE-2026-23448
None
Out-of-bounds memory read in Linux kernel USB CDC NCM driver allows local attackers to read kernel memory via malformed USB network devices. The cdc_ncm_rx_verify_ndp16() function fails to account for NDP header offset when validating DPE (Data Packet Element) array bounds, permitting buffer over-read when the NDP is positioned near the end of the network transfer block. No CVSS score, EPSS data, or active exploitation status currently available; patch available in stable kernel releases.
Linux
Linux Kernel
Buffer Overflow
-
CVE-2026-23447
None
Buffer overflow in Linux kernel cdc_ncm driver allows out-of-bounds memory reads when processing malformed USB CDC NCM (Network Control Model) packets with NDP32 (NCM Datagram Pointer) headers positioned near the end of the network transfer buffer. The vulnerability exists in cdc_ncm_rx_verify_ndp32(), where bounds checking fails to account for the ndpoffset value when validating the DPE (Data Packet Element) array size, potentially enabling local denial of service or information disclosure on systems with affected USB CDC NCM network devices. No active exploitation or public proof-of-concept identified at time of analysis.
Linux
Linux Kernel
Buffer Overflow
-
CVE-2026-23446
None
Linux kernel aqc111 USB driver deadlock in power management allows local denial of service via task hang during runtime suspend. The vulnerability occurs when aqc111_suspend() calls power-managed write operations during device suspension, triggering nested runtime PM calls that deadlock waiting for a state change that never occurs. This blocks the rtnl_lock and freezes the entire networking stack. Affected systems running vulnerable kernel versions with USB AQC111 network adapters are susceptible to local DoS that requires no authentication or user interaction beyond normal device suspension. No public exploit code identified; fix requires kernel upgrade or manual patch application.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-23445
None
Kernel page fault in Intel IGC network driver XDP TX timestamp handling allows local denial of service when an XDP application requesting TX timestamping shuts down while the interface link remains active. The vulnerability stems from stale xsk_meta pointers left in memory after TX ring shutdown, causing the IRQ handler to dereference invalid kernel addresses and trigger a kernel panic. This affects Linux kernel versions in the igc driver and requires no special privileges or network access, only the ability to run XDP programs on an affected system.
Linux
Linux Kernel
Buffer Overflow
-
CVE-2026-23444
None
Memory leak in the Linux kernel mac80211 subsystem: the ieee80211_tx_prepare_skb() function fails to free socket buffers (skb) in one of three error paths, allowing local denial of service through memory exhaustion. The vulnerability affects all Linux kernel versions with the vulnerable code path in wireless MAC 802.11 handling; no active exploitation has been reported, but the fix addresses a resource leak that could be triggered by applications exercising error conditions in Wi-Fi frame preparation.
Linux
Linux Kernel
Memory Corruption
-
CVE-2026-23443
None
Use-after-free vulnerability in Linux kernel ACPI processor errata handling allows local attackers to cause denial of service or potentially execute code via device pointer dereference after reference dropping in acpi_processor_errata_piix4(). The vulnerability affects multiple Linux kernel versions and was introduced in a previous fix attempt (commit f132e089fe89); it has been resolved across stable kernel branches with no active public exploitation identified.
Linux
Linux Kernel
Use After Free
-
CVE-2026-23442
None
NULL pointer dereference in Linux kernel IPv6 SRv6 path processing allows local denial of service when __in6_dev_get() returns NULL due to missing IPv6 configuration or device unregistration. The vulnerability affects seg6_hmac_validate_skb() and ipv6_srh_rcv() functions which lacked NULL checks on the returned idev pointer, enabling a local attacker to crash the kernel by triggering these code paths on misconfigured or unregistering network devices.
Linux
Linux Kernel
Null Pointer Dereference
-
CVE-2026-23441
None
Race condition in Linux kernel net/mlx5e IPSec offload driver allows concurrent access to a shared DMA-mapped ASO context, potentially causing information disclosure or incorrect IPSec processing results. The vulnerability affects systems using Mellanox MLX5 network adapters with IPSec offload functionality. An attacker with local access to initiate multiple IPSec operations in rapid succession can trigger the race condition, corrupting the shared context and causing subsequent operations to read invalid data, compromising confidentiality and integrity of IPSec-protected traffic.
Linux
Linux Kernel
Race Condition
-
CVE-2026-23440
None
Linux kernel net/mlx5e driver suffers a race condition during IPSec ESN (Extended Sequence Number) update handling that causes incorrect ESN high-order bit increments, leading to anti-replay failures and IPSec traffic halts. The vulnerability affects systems using Mellanox ConnectX adapters with IPSec full offload mode enabled. Attackers with local network access or the ability to trigger IPSec traffic patterns could exploit this to disrupt encrypted communications, though no public exploit code or active exploitation has been reported.
Linux
Linux Kernel
Race Condition
-
CVE-2026-23439
None
Linux kernel NULL pointer dereference in UDP tunnel socket creation when IPv6 is disabled causes denial of service. When CONFIG_IPV6=n, the udp_sock_create6() function incorrectly returns success (0) without creating a socket, leading callers such as fou_create() to dereference an uninitialized pointer. The vulnerability is triggered via netlink socket operations and requires privileged user access; no public exploit code or active exploitation has been identified at time of analysis.
Linux
Linux Kernel
Null Pointer Dereference
Denial Of Service
-
CVE-2026-23438
None
Denial of service in Linux kernel mvpp2 network driver occurs when MTU changes or other operations trigger buffer pool switching on Marvell hardware lacking CM3 SRAM support, causing NULL pointer dereference in flow control register access. Affects systems running vulnerable kernel versions on Marvell Armada platforms where the CM3 SRAM device tree entry is absent; no authentication required. Upstream fix available via stable kernel commits.
Linux
Linux Kernel
Null Pointer Dereference
Denial Of Service
-
CVE-2026-23437
None
Linux kernel net shaper module fails to validate netdev liveness during hierarchy read operations, allowing information disclosure through use-after-free conditions when a network device is unregistered while RCU-protected read operations are in progress. The vulnerability affects the netlink operation callbacks in the shaper subsystem, where references acquired during pre-callbacks are not validated before later lock/RCU acquisitions, creating a race condition that can expose kernel memory or cause denial of service. No public exploit code has been identified at time of analysis, and the issue requires local access to trigger netlink operations.
Linux
Linux Kernel
Race Condition
-
CVE-2026-23436
None
A race condition in the Linux kernel net shaper subsystem during hierarchy creation allows unauthenticated local attackers to leak kernel memory or trigger use-after-free conditions. The vulnerability arises when a netdev is unregistered between reference acquisition during Netlink operation preparation and subsequent lock acquisition, permitting hierarchy allocation after flush operations have completed. Fixed via upstream commits that consolidate locking into the pre-callback phase, preventing concurrent write races with flush operations.
Linux
Linux Kernel
Race Condition
-
CVE-2026-23435
None
Linux kernel NULL pointer dereference in the x86 PMU NMI handler on AMD EPYC systems causes denial of service when perf event unthrottling races with PMU rescheduling. The vulnerability stems from commit 7e772a93eb61 moving event pointer initialization later in x86_pmu_enable(), allowing the unthrottle path to set active_mask bits without populating the corresponding events[] array entries, leading to NULL pointer dereference when subsequent PMC overflow interrupts fire. No public exploit code identified at time of analysis; patch fixes are available in upstream Linux kernel stable branches.
Linux
Linux Kernel
Null Pointer Dereference
-
CVE-2026-23434
None
NAND flash device lock/unlock operations in the Linux kernel MTD subsystem can race with concurrent erase/write operations, causing cmd_pending conflicts on certain NAND controllers that use PIO-based SET_FEATURES. This race condition is resolved by serializing lock/unlock calls with the NAND device lock, preventing data corruption or system instability on affected controller implementations. The vulnerability affects all Linux kernel versions prior to the fix and is present in systems using raw NAND devices with specific controller hardware implementations.
Linux
Linux Kernel
Race Condition
-
CVE-2026-23433
None
Null pointer dereference in Linux kernel arm_mpam memory bandwidth monitoring causes kernel oops when an MSC supporting bandwidth monitoring transitions offline and back online. The mpam_restore_mbwu_state() function fails to initialize a value buffer before passing it to __ris_msmon_read() via IPI, triggering a crash in the bandwidth counter restoration routine. This affects ARM systems with MPAM (Memory Partitioning and Monitoring) support and results in denial of service through system instability when memory controllers are toggled.
Linux
Linux Kernel
Null Pointer Dereference
Denial Of Service
-
CVE-2026-23432
None
A use-after-free vulnerability in the Linux kernel's mshv (Microsoft Hyper-V) driver allows local attackers to trigger a kernel panic by unmapping user memory after a failed mshv_map_user_memory() call. The error path incorrectly calls vfree() without unregistering the associated MMU notifier, leaving a dangling reference that fires when userspace performs subsequent memory operations. This is a memory safety issue affecting the Hyper-V virtualization subsystem in the Linux kernel.
Linux
Linux Kernel
Use After Free
Memory Corruption
Denial Of Service
-
CVE-2026-23431
None
Memory leak in the Linux kernel's Amlogic SPI controller driver: aml_spisg_probe() does not release the SPI controller allocation on several of its error paths, so each failed probe leaks kernel memory. Repeated failed probes or driver bind/unbind cycles, which require root, slowly exhaust memory; in practice this is a robustness defect rather than an attack vector for an unprivileged user. The upstream fix converts the driver to device-managed (devm) SPI controller allocation so the resource is released automatically.
Linux
Linux Kernel
Memory Corruption
-
CVE-2026-23430
None
Memory leak in the Linux kernel drm/vmwgfx driver: the KMS surface dirty tracker is overwritten without freeing the previous one. A local user with access to the VMware graphics device can repeat the surface operations that replace the tracker and gradually exhaust kernel memory. No CVSS score, EPSS data, or KEV status is available; fix commits exist in upstream stable kernel branches.
Linux
Linux Kernel
VMware
Memory Corruption
-
CVE-2026-23429
None
Use-after-free in the Linux kernel IOMMU Shared Virtual Addressing (SVA) code: iommu_sva_unbind_device() reads domain->mm->iommu_mm after iommu_domain_free() has already released it, crashing the kernel (denial of service) on systems that use SVA. The fix reorders the code so the structure is read before the domain is freed. No CVSS score, EPSS, or KEV status is available and no public exploit code was identified.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-23428
None
Use-after-free in the Linux kernel ksmbd SMB server. In a compound SMB2 request, smb2_get_ksmbd_tcon() reuses the tree connection resolved by an earlier command in the chain without re-checking its state, so a chain that disconnects the tree and then issues another command on it makes the later command dereference the share_conf structure the disconnect already freed. A remote SMB client with a session can trigger this; the confirmed outcome is a KASAN-reported use-after-free in smb2_write during a tree-disconnect sequence, i.e. a kernel crash, with code execution not demonstrated. No CVSS metrics are available.
Linux
Linux Kernel
Use After Free
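The state check at issue in CVE-2026-23428, shown as an added, constructed C model that is not ksmbd code: a compound chain of TREE_CONNECT, WRITE, TREE_DISCONNECT, WRITE, where the second WRITE reuses the tree connection an earlier command resolved. The struct names, the `freed` flag standing in for kfree(), and the chain itself are assumptions made for this example; the point it demonstrates is that a cached object must be revalidated against its current state before it is reused.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the CVE-2026-23428 bug class; not ksmbd's code or types. */
enum tcon_status { TREE_CONNECTED, TREE_DISCONNECTED };

struct share_config { int id; bool freed; };      /* `freed` stands in for kfree() */
struct tree_connect {
    enum tcon_status status;
    struct share_config *share_conf;              /* left dangling by disconnect */
};
struct smb_work {
    bool in_compound;             /* command is chained to the previous one */
    struct tree_connect *cached;  /* tcon resolved by an earlier command in the chain */
};

/* Vulnerable lookup: a chained command trusts the cached tcon unconditionally. */
static struct tree_connect *get_tcon_vuln(struct smb_work *w)
{
    if (w->in_compound && w->cached)
        return w->cached;
    return NULL;  /* a standalone command would do the real tree-id lookup here */
}

/* Fixed lookup: the cached tcon is reused only while it is still connected. */
static struct tree_connect *get_tcon_fixed(struct smb_work *w)
{
    if (w->in_compound && w->cached && w->cached->status == TREE_CONNECTED)
        return w->cached;
    return NULL;
}

/* TREE_DISCONNECT: mark the tcon disconnected and release its share config.
 * The tcon keeps its now-dangling share_conf pointer, as in the real bug. */
static void tree_disconnect(struct tree_connect *t)
{
    t->status = TREE_DISCONNECTED;
    t->share_conf->freed = true;
}

/* WRITE: 0 = ok, -1 = rejected (no valid tcon), -2 = touched freed memory,
 * which is what KASAN reports in the real crash. */
static int write_cmd(struct smb_work *w, struct tree_connect *(*lookup)(struct smb_work *))
{
    struct tree_connect *t = lookup(w);
    if (!t)
        return -1;
    if (t->share_conf->freed)
        return -2;
    return t->share_conf->id >= 0 ? 0 : -1;
}

/* Run the chain TREE_CONNECT, WRITE, TREE_DISCONNECT, WRITE and return the result
 * of the final WRITE (-99 if the first WRITE unexpectedly failed). */
int run_compound_chain(bool use_fixed)
{
    struct share_config sc = { .id = 1, .freed = false };
    struct tree_connect tcon = { .status = TREE_CONNECTED, .share_conf = &sc };
    struct smb_work w = { .in_compound = true, .cached = &tcon };
    struct tree_connect *(*lookup)(struct smb_work *) = use_fixed ? get_tcon_fixed : get_tcon_vuln;

    if (write_cmd(&w, lookup) != 0)
        return -99;
    tree_disconnect(&tcon);
    return write_cmd(&w, lookup);      /* vuln: -2 (UAF), fixed: -1 (rejected) */
}

int main(void)
{
    printf("vulnerable lookup after disconnect: %d\n", run_compound_chain(false));
    printf("fixed lookup after disconnect:      %d\n", run_compound_chain(true));
    return 0;
}
```

The vulnerable lookup returns -2 because it hands back a tree connection whose share configuration is gone; the fixed lookup returns -1, the rejection a real server would turn into an SMB status error for the chained command.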
-
CVE-2026-23427
None
Use-after-free in the Linux kernel ksmbd SMB server, reachable by a remote client through SMB2 DURABLE_REQ_V2 replay. parse_durable_handle_context() unconditionally reassigns the file handle's connection pointer during a replay, so when the connection that pointer now refers to is freed, later operations on the handle dereference a stale pointer. A KASAN report shows the use-after-free in a spin_lock during file descriptor closure on the ksmbd-io workqueue. The confirmed impact is a kernel crash; code execution has not been demonstrated. No public exploit code or active exploitation was confirmed at time of analysis.
Linux
Linux Kernel
Use After Free
-
CVE-2026-23426
None
Reference leak in the Linux kernel drm/logicvc driver: logicvc_drm_config_parse() does not drop the device node reference it takes, so each call leaks one of_node reference. The code runs at driver probe, so repeatedly triggering it requires root (driver rebind); the practical impact is slow resource exhaustion, which is why it is rated low severity. The fix uses the kernel's scope-based cleanup attribute so the reference is released on every return path.
Linux
Linux Kernel
Memory Corruption
-
CVE-2026-23425
None
Linux kernel KVM on ARM64 does not properly initialize the ID registers of non-protected pKVM guests, yet marks them as initialized. Feature detection against those registers therefore returns zero, and the hypervisor skips save/restore of system registers such as TCR2_EL1 across world switches, which can corrupt guest or host register state. This is a logic error in the hypervisor's CPU feature detection for non-protected VMs; the confirmed effect is state corruption and instability, and no path from it to guest privilege escalation has been demonstrated.
Linux
Linux Kernel
Kvm
Privilege Escalation
-
CVE-2026-23424
None
Linux kernel accel/amdxdna driver fails to validate command buffer payload count, allowing out-of-bounds reads in AMD XDNA accelerator command processing. The vulnerability affects the accel/amdxdna subsystem across unspecified Linux kernel versions and permits information disclosure through unvalidated payload size interpretation. No active exploitation, public proof-of-concept, or CVSS data currently available.
Linux
Linux Kernel
Buffer Overflow
-
CVE-2026-23423
None
Memory leak in the Linux kernel btrfs subsystem: btrfs_uring_read_extent() does not free the pages it allocated when an error occurs before the asynchronous I/O is issued. Kernels that include the btrfs io_uring encoded-read path are affected. The primary impact is denial of service through memory exhaustion, not data exposure, regardless of how the entry is tagged. No public exploit code or active exploitation has been identified; the fix addresses an error path that may rarely execute but is a genuine resource-management defect.
Linux
Linux Kernel
Memory Corruption
-
CVE-2026-23422
None
Interrupt storm in the Linux kernel dpaa2-switch driver: when the IRQ handler's bounds check rejects an out-of-range if_id it returns without clearing the interrupt status, so the still-asserted line re-enters the handler immediately and the CPU spends its time servicing the same interrupt. The denial of service affects NXP DPAA2 Ethernet switch hardware on vulnerable kernels; an attacker who can provoke the malformed event, via crafted frames or hardware state transitions, can pin a CPU this way.
Linux
Linux Kernel
Denial Of Service
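The handler defect behind CVE-2026-23422, as an added C model that is not the dpaa2-switch driver's code: a sticky status register, a handler that bails out on a bad interface index before acknowledging, and the fixed ordering that acknowledges first. The register layout, the `sw_dev` structure and the interrupt-controller loop are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the CVE-2026-23422 bug class; not the dpaa2-switch driver's code. */
#define NUM_IFS 4
#define IRQ_PENDING 0x1u

struct sw_dev {
    uint32_t irq_status;          /* sticky status: stays set until software writes it */
    uint32_t if_id;               /* interface index latched for the pending event */
    unsigned events[NUM_IFS];     /* per-interface events actually delivered */
};

static uint32_t read_status(const struct sw_dev *d) { return d->irq_status; }
static void ack_status(struct sw_dev *d) { d->irq_status &= ~IRQ_PENDING; }

/* Vulnerable handler: rejects an out-of-range if_id but returns before acking,
 * so the status stays set and the line is raised again immediately. */
static int handler_vuln(struct sw_dev *d)
{
    if (!(read_status(d) & IRQ_PENDING))
        return 0;                          /* IRQ_NONE */
    if (d->if_id >= NUM_IFS)
        return 1;                          /* IRQ_HANDLED, status never cleared */
    d->events[d->if_id]++;
    ack_status(d);
    return 1;
}

/* Fixed handler: read and acknowledge the status first, then validate and dispatch;
 * a malformed event is dropped but no longer keeps the line asserted. */
static int handler_fixed(struct sw_dev *d)
{
    uint32_t status = read_status(d);
    if (!(status & IRQ_PENDING))
        return 0;
    ack_status(d);
    if (d->if_id >= NUM_IFS)
        return 1;
    d->events[d->if_id]++;
    return 1;
}

/* Emulate the interrupt controller: keep re-entering the handler while the
 * status bit is set, up to `budget` times. Returns the number of invocations. */
static unsigned drive_irq_line(struct sw_dev *d, int (*h)(struct sw_dev *), unsigned budget)
{
    unsigned runs = 0;
    while (runs < budget && (d->irq_status & IRQ_PENDING)) {
        h(d);
        runs++;
    }
    return runs;
}

/* One pending event with the given if_id: how many handler runs until the line
 * is quiet? `budget` caps a storm so the model terminates. */
unsigned handler_runs(uint32_t if_id, bool fixed, unsigned budget)
{
    struct sw_dev d = { .irq_status = IRQ_PENDING, .if_id = if_id };
    return drive_irq_line(&d, fixed ? handler_fixed : handler_vuln, budget);
}

int main(void)
{
    printf("valid if_id, vulnerable handler: %u run(s)\n", handler_runs(2, false, 1000));
    printf("bad if_id, vulnerable handler:   %u run(s) (storm, capped)\n", handler_runs(7, false, 1000));
    printf("bad if_id, fixed handler:        %u run(s)\n", handler_runs(7, true, 1000));
    return 0;
}
```

With a valid index both handlers run once. With an out-of-range index the vulnerable handler is re-entered until the cap, which on real hardware is the storm; the fixed handler runs once and drops the event.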
-
CVE-2026-23421
None
Memory leak in the Linux kernel DRM/XE configfs device release path: xe_config_device_release() does not free ctx_restore_mid_bb[0].cs, which wa_bb_store() allocated, so the buffer is lost when the configfs device is removed. Leaked memory is not readable from userspace, so the realistic impact is gradual kernel memory exhaustion by a user who can create and remove these configfs devices, not information disclosure. Kernels containing the affected drm/xe code need the upstream fix.
Linux
Linux Kernel
Memory Corruption
-
CVE-2026-23420
None
Mutex lock/unlock mismatch in the Linux kernel's wlcore Wi-Fi driver, found by the Clang thread-safety analyzer: a code path unlocks wl->mutex without having locked it. Unlocking a mutex that is not held is undefined behaviour in the kernel and can leave a following critical section unprotected, so driver state can be modified concurrently and the system can become unstable. All kernels with the wlcore driver are affected; no active exploitation has been identified.
Linux
Linux Kernel
Race Condition
-
CVE-2026-23419
None
Circular locking dependency in the Linux kernel RDS TCP code (net/rds/tcp.c): rds_tcp_tune() called sk_net_refcnt_upgrade() while holding the socket lock, and that call can allocate memory under fs_reclaim, which lockdep reports as a potential deadlock between the socket lock and memory reclaim. The fix moves sk_net_refcnt_upgrade() outside the socket lock critical section, removing the cycle without changing synchronization semantics. The impact is a possible hang (denial of service) on hosts using RDS over TCP.
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-23418
None
Memory leak in the Linux kernel DRM/XE register save-restore (reg_sr) code: when xa_store() fails, the entry just allocated is not freed. Repeatedly hitting that error path leaks kernel memory, so the realistic impact is denial of service by exhaustion; leaked memory is not exposed to userspace, so this is not an information disclosure. Kernels with the affected drm/xe/reg_sr code before the referenced fix commits are affected; no CVSS score or exploit data was provided.
Linux
Linux Kernel
Memory Corruption
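The error-path pattern shared by CVE-2026-23431, CVE-2026-23426, CVE-2026-23423 and CVE-2026-23418 above, as an added C example that is not any of those drivers' code: a three-step probe run with a counting allocator, once with early returns that forget earlier allocations and once with the kernel's goto-ladder unwind. The `dev_state` structure, the step names and the allocation sizes are assumptions made for this example; real drivers usually get the same effect with devm_* helpers or scope-based cleanup, as the fixes above do.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (not any driver's code): count live allocations so leaks are visible. */
static int live_allocs;

static void *model_alloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        live_allocs++;
    return p;
}

static void model_free(void *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

struct dev_state { void *ctrl; void *dma; void *irq; };

/* Leaky probe: every early return forgets what earlier steps allocated.
 * fail_step 1..3 makes that step fail after its allocation; 0 means success. */
static int probe_leaky(struct dev_state *d, int fail_step)
{
    d->ctrl = model_alloc(64);
    if (!d->ctrl || fail_step == 1)
        return -1;                        /* leaks ctrl */
    d->dma = model_alloc(4096);
    if (!d->dma || fail_step == 2)
        return -1;                        /* leaks ctrl and dma */
    d->irq = model_alloc(16);
    if (!d->irq || fail_step == 3)
        return -1;                        /* leaks all three */
    return 0;
}

/* Unwound probe: the goto ladder releases in reverse order on any failure. */
static int probe_unwound(struct dev_state *d, int fail_step)
{
    d->ctrl = model_alloc(64);
    if (!d->ctrl || fail_step == 1)
        goto err_ctrl;
    d->dma = model_alloc(4096);
    if (!d->dma || fail_step == 2)
        goto err_dma;
    d->irq = model_alloc(16);
    if (!d->irq || fail_step == 3)
        goto err_irq;
    return 0;

err_irq:
    model_free(d->irq);
    d->irq = NULL;
err_dma:
    model_free(d->dma);
    d->dma = NULL;
err_ctrl:
    model_free(d->ctrl);
    d->ctrl = NULL;
    return -1;
}

static void dev_remove(struct dev_state *d)
{
    model_free(d->irq);
    model_free(d->dma);
    model_free(d->ctrl);
}

/* Run one probe attempt and return how many allocations are still live afterwards.
 * On success the device is removed first, so 0 means no leak on that path. */
int live_after_probe(bool unwound, int fail_step)
{
    struct dev_state d = { 0 };
    live_allocs = 0;
    int ret = unwound ? probe_unwound(&d, fail_step) : probe_leaky(&d, fail_step);
    if (ret == 0)
        dev_remove(&d);
    return live_allocs;
}

int main(void)
{
    for (int step = 0; step <= 3; step++)
        printf("fail at step %d: leaky=%d live, unwound=%d live\n", step,
               live_after_probe(false, step), live_after_probe(true, step));
    return 0;
}
```

The leaky variant leaves as many allocations behind as steps it completed before failing; the unwound variant leaves none. In a kernel the same count grows by one per failed probe or per repeated call of the leaking function until memory runs out, which is the denial of service these entries describe.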
-
CVE-2026-5476
LOW
CVSS 2.1
Integer overflow in the NASA cFS CFE_TBL_ValidateCodecLoadSize function (cfe_tbl_passthru_codec.c) on 32-bit builds. An authenticated local user with low privileges can supply a size that wraps the validation arithmetic, with limited integrity and availability impact; exploitation requires high attack complexity, no public exploit code has been identified, and the fix is planned for an upcoming release milestone.
Integer Overflow
Buffer Overflow
-
CVE-2026-5473
LOW
CVSS 2.0
Unsafe deserialization in the NASA cFS Pickle Module (versions up to 7.0.0): input is loaded with pickle.load(), which by design executes code embedded in a crafted pickle stream, so an authenticated local user with low privileges who can supply that input gains arbitrary code execution or reads data in the process context. Because the vector is local and the attack complexity is rated high, the CVSS score is low. Public exploit code is available and the issue remains unpatched as of the last vendor update; the mitigation is to never pickle.load() data from an untrusted source.
Deserialization
-
CVE-2026-5471
LOW
CVSS 1.9
Hard-coded key in the Investory Toy Planet Trouble app for Android up to version 1.5.5: the Firebase API key is embedded in assets/google-services-desktop.json and readable by anyone who unpacks the APK. A Firebase API key identifies the project rather than authenticating a user, so it only becomes a problem when the project's backend security rules are permissive; that is the scenario behind the reported unauthorized authentication and data access. CVSS 1.9 with low confidentiality impact, local access and low privileges required; public exploit code exists.
Google
Information Disclosure
-
CVE-2026-5462
LOW
CVSS 1.9
The Wahoo Fitness SYSTM app for Android up to version 7.2.1 ships a hard-coded Segment analytics write key (SEGMENT_WRITE_KEY) in BuildConfig.java. Anyone who unpacks the APK can read it and send events to the vendor's Segment source as if they came from the app, injecting fabricated data or tampering with user profiles in the analytics pipeline; on its own it does not grant access to user data. CVSS 1.9 with low confidentiality impact, local access and authenticated privileges required; public exploit code exists and the vendor did not respond to early disclosure notifications.
Google
Java
Information Disclosure
-
CVE-2026-5458
LOW
CVSS 1.9
The Noelse Individuals & Pro app for Android up to version 2.1.7 embeds a Segment write key (SEGMENT_WRITE_KEY) in BuildConfig.java. A local authenticated user who extracts it can post fabricated events and profile updates into the vendor's analytics pipeline, which is the data injection this entry describes, with low confidentiality impact. Public exploit code exists; the vendor was notified early but has provided neither a patch nor a response.
Google
Java
Information Disclosure
-
CVE-2026-5457
LOW
CVSS 1.9
The PropertyGuru AgentNet Singapore app for Android up to version 23.7.10 embeds two Segment write keys (SEGMENT_ANDROID_WRITE_KEY and SEGMENT_TOS_WRITE_KEY) in the BuildConfig component. Whoever extracts them can inject events into both Segment sources under the app's identity. CVSS 1.9 with low confidentiality impact, local access and authenticated privileges required; public exploit code exists and the vendor has not responded to early disclosure efforts.
Google
Java
Information Disclosure
-
CVE-2026-5456
LOW
CVSS 1.9
The Align Technology My Invisalign app 3.12.4 for Android embeds a hard-coded credential as CDAACCESS_TOKEN in BuildConfig.java, so any local user with the APK can read the token and present it to whatever service accepts it. The CVSS score is low (1.9) because the vector is local and the confidentiality impact is minimal, but public exploit code exists and the vendor has not responded to disclosure attempts.
Google
Java
Information Disclosure
-
CVE-2026-5455
LOW
CVSS 1.9
The Dialogue app for Android, versions 4.3.0 through 4.3.2, stores a Segment write key (SEGMENT_WRITE_KEY) in res/raw/config.json. A local authenticated user who extracts it can inject events and manipulate user profile data in the analytics pipeline. The low CVSS score (1.9) reflects the local attack vector and limited impact; public exploit code exists and the vendor has not responded to early disclosure notifications.
Google
Information Disclosure
-
CVE-2026-5454
LOW
CVSS 1.9
The GRID Organiser app for Android, versions 1.0.0 through 1.0.5, stores a Segment write key (SegmentWriteKey) in res/raw/app.json. A local user with user-level privileges can read it and use it for data injection and user profile manipulation in the analytics pipeline. CVSS v4.0 score 1.9 with low confidentiality impact; public exploit code exists, and CISA has not confirmed active exploitation.
Google
Information Disclosure
-
CVE-2026-5453
LOW
CVSS 1.9
Rico's Só Vantagem Pra Investir app for Android (version 4.58.32.12421 and earlier) hard-codes a Segment write key (SEGMENT_WRITE_KEY) in br/com/rico/mobile/di/SegmentSettingsModule.java. A local authenticated user who extracts it can inject data and manipulate user profiles in the analytics pipeline, with low confidentiality impact. Public exploit code exists; the vendor has not responded to disclosure.
Google
Java
Information Disclosure
-
CVE-2026-5452
LOW
CVSS 1.9
The UCC CampusConnect app for Android up to version 14.3.5 ships hard-coded keys in BuildConfig.java, readable by any local user who can extract the APK, including on a shared device. Which backend services accept these keys is not stated, so the real-world impact depends on what they unlock; the CVSS score of 1.9 reflects the local vector and limited confidentiality impact. Public exploit code exists.
Information Disclosure
Java
Google
-
CVE-2026-3184
LOW
CVSS 3.7
Improper hostname canonicalization in the util-linux login(1) utility: the host passed with -h is modified before being handed to PAM as PAM_RHOST, so a crafted hostname can be made to match host-based PAM access rules (for example in pam_access) that should have rejected it, giving unauthorized access. The -h option is honoured only when login is run by root, typically by a network login daemon such as telnetd that passes along the remote host, so exposure is limited to hosts still running such services. Red Hat Enterprise Linux 7 through 10 and related products are affected; exploitation needs no authentication or user interaction but has high attack complexity. No public exploit code has been identified, and active exploitation is not confirmed.
Authentication Bypass