Skip to main content
CVE-2026-35535 HIGH POC PATCH CISA Act Now

Local privilege escalation in Sudo through 1.9.17p2 (fixed in commit 3e474c2) arises because a failed setuid, setgid, or setgroups call during the privilege drop that precedes invoking the mailer is treated as non-fatal, allowing the mailer to run with retained elevated privileges. Local users on systems where Sudo is configured to send mail can leverage this to gain root, with total technical impact per CISA SSVC. EPSS is 0.00% and there is no public exploit identified at time of analysis, consistent with SSVC marking exploitation as none.

Privilege Escalation Sudo
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
Threat
5.1
CVE-2026-35029 HIGH POC PATCH GHSA This Week

Remote code execution in BerriAI LiteLLM (pkg:pip/litellm) prior to v1.83.0 allows authenticated users without admin privileges to execute arbitrary Python code, modify proxy configuration, read server files, and hijack privileged accounts via an improperly protected /config/update endpoint. Authentication requirements not confirmed from available data. No public exploit identified at time of analysis, but the attack surface is well-documented in the vendor advisory. CVSS score unavailable; however, the combination of RCE capability and authentication bypass warrants immediate remediation for all LiteLLM deployments.

RCE Authentication Bypass Python
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-27833 HIGH POC PATCH This Week

Unauthenticated information disclosure in Piwigo photo gallery software (versions prior to 16.3.0) allows remote attackers to retrieve complete browsing history of all gallery visitors through exposed pwg.history.search API endpoint. The API method lacks mandatory admin-only access controls (CWE-862), enabling trivial privacy violation with CVSS 7.5 severity. EPSS exploitation probability and KEV status not available; no public exploit identified at time of analysis, though exploitation requires only basic HTTP requests given the zero-authentication requirement (CVSS vector PR:N).

Authentication Bypass Piwigo
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34986 HIGH POC PATCH GHSA This Week

Denial of service via panic in go-jose library (versions prior to v4.1.4 and v3.0.5) occurs when decrypting malformed JSON Web Encryption (JWE) objects that specify a key wrapping algorithm (e.g., RSA-OAEP-KW, ECDH-ES+A128KW) but contain an empty encrypted_key field. The panic is triggered during slice allocation in cipher.KeyUnwrap() when processing ciphertext under 16 bytes, causing immediate application termination. No public exploit identified at time of analysis, though EPSS score of 0.0004

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33175 HIGH PATCH GHSA This Week

Authentication bypass in JupyterHub OAuthenticator <17.4.0 allows authenticated attackers with unverified email addresses on Auth0 tenants to login with arbitrary usernames, enabling account takeover when email is configured as the username claim. The vulnerability requires low-complexity exploitation over the network with low privileges (CVSS 8.8, AV:N/AC:L/PR:L). No public exploit identified at time of analysis, though the vendor has released a security advisory with technical details. EPSS data not available, but the authentication bypass nature and account takeover potential make this a priority for organizations using JupyterHub with Auth0 OAuth integration.

Authentication Bypass Oauthenticator
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-59710 HIGH This Week

Remote code execution in BizTalk360 before version 11.5 allows any authenticated user to upload a malicious DLL and trigger its execution on the server through an unprotected DLL-loading endpoint. The vulnerability stems from missing access controls on a method that loads and executes DLL files, enabling attackers with valid domain credentials to achieve arbitrary code execution without requiring elevated privileges.

RCE File Upload
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-35044 HIGH PATCH GHSA This Week

Remote code execution in BentoML's containerization workflow allows attackers to execute arbitrary Python code on victim machines by distributing malicious bento archives containing SSTI payloads. When victims import a weaponized bento and run 'bentoml containerize', unsanitized Jinja2 template rendering executes attacker-controlled code directly on the host system - bypassing all Docker container isolation. The vulnerability stems from using an unsandboxed jinja2.Environment with the dangerous jinja2.ext.do extension to process user-provided dockerfile_template files. Authentication is not required (CVSS PR:N), though exploitation requires user interaction (UI:R) to import and containerize the malicious bento. No public exploit identified at time of analysis, though the GitHub advisory includes detailed proof-of-concept demonstrating host filesystem compromise.

Python Docker RCE Ssti
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-10681 HIGH PATCH This Week

Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.

Authentication Bypass Mobile Application Cloud Api
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-34771 HIGH PATCH GHSA This Week

Use-after-free in Electron framework allows memory corruption when handling fullscreen, pointer-lock, or keyboard-lock permission requests in apps with asynchronous `session.setPermissionRequestHandler()` callbacks. Affects npm package electron versions prior to 41.0.0-beta.8, 40.7.0, 39.8.0, and 38.8.6. Remote attackers can trigger memory corruption or crashes if the requesting frame navigates or window closes while the permission handler is pending. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patches available across all affected major version branches.

Use After Free Memory Corruption Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-35470 HIGH PATCH GHSA This Week

SQL injection in OpenSTAManager 2.10.1 and prior allows authenticated users to extract database contents including bcrypt password hashes, customer records, and financial data via unsanitized GET parameters across six vulnerable PHP modules. The righe parameter in confronta_righe.php files is directly concatenated into IN() clauses without parameterization. CVSS 8.8 (High) with network attack vector, low complexity, and low privilege requirement. Vendor-released patch available in version 2.10.2. Exploit reproduction demonstrated via EXTRACTVALUE-based error injection extracting MySQL version, database user, and admin credentials. Confirmed publicly available exploit code exists (GitHub advisory GHSA-mmm5-3g4x-qw39).

SQLi Information Disclosure PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23462 HIGH PATCH This Week

Use-after-free vulnerability in the Linux kernel's Bluetooth HIDP subsystem allows local attackers to trigger a kernel crash or potentially execute arbitrary code by failing to properly release L2CAP connection references when user callbacks are invoked. The flaw affects all Linux kernel versions in the CPE range and has been resolved through reference counting fixes in the L2CAP connection cleanup path; no public exploit code is currently identified, but the vulnerability requires local access to trigger via Bluetooth device manipulation.

Linux Debian Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-34769 HIGH PATCH GHSA This Week

Command line injection in Electron via undocumented commandLineSwitches webPreference enables sandbox escape and security control bypass when applications spread untrusted configuration objects into webPreferences. Attackers can inject arbitrary command-line switches to disable renderer process sandboxing or web security protections, achieving local code execution with elevated privileges. CVSS 7.8 (High) with attack complexity HIGH requiring user interaction. No public exploit identified at time of analysis, though technical disclosure is public via GitHub advisory.

RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23461 HIGH PATCH This Week

Use-after-free in Linux kernel Bluetooth L2CAP layer allows local attackers to cause denial of service or potentially execute code via a race condition in l2cap_unregister_user(). The vulnerability arises because l2cap_register_user() and l2cap_unregister_user() access conn->users without proper locking (conn->lock), while l2cap_conn_del() protects the same structure with conn->lock, creating concurrent access to freed memory. All Linux kernel versions with Bluetooth L2CAP support are affected. Patch available via Linux stable kernel commits.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23425 HIGH PATCH This Week

Linux kernel KVM ARM64 fails to properly initialize ID registers for non-protected pKVM guests, causing feature detection checks to incorrectly return zero and preventing proper save/restore of system registers like TCR2_EL1 during world switches, potentially leading to state corruption. The vulnerability affects the hypervisor's ability to detect CPU features in non-protected virtual machines despite the initialization flag being incorrectly set. This is a kernel-level logic error that impacts system register handling in ARM64 virtualization.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2015-10148 HIGH This Week

Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hirschmann Hilcos
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-35214 HIGH PATCH GHSA This Week

Path traversal in Budibase plugin upload endpoint allows Global Builders to delete arbitrary directories and write files to any accessible filesystem path. Affecting all versions prior to 3.33.4, attackers with high privileges (Global Builder role) can exploit unsanitized filename handling in POST /api/plugin/upload to execute directory traversal attacks remotely with low complexity. CVSS 8.7 (High) with scope change indicates potential container escape or cross-tenant impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the documented path traversal mechanism.

Node.js Path Traversal File Upload
NVD GitHub
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-28797 HIGH This Week

Server-Side Template Injection in RAGFlow 0.24.0 and earlier allows authenticated users to execute arbitrary OS commands via unsandboxed Jinja2 template rendering in Agent workflow components. The vulnerability affects the Text Processing (StringTransform) and Message components, where user-supplied templates are processed without sandboxing. With a CVSS 8.7 score and low attack complexity (AC:L), authenticated attackers can achieve full system compromise remotely. No public exploit identified at time of analysis, and no vendor-released patch available as of publication date.

Code Injection Python
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-35562 HIGH PATCH This Week

Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to trigger denial of service through maliciously crafted input that overwhelms parsing logic. CVSS 7.5 (High) reflects network-accessible attack vector with low complexity and no prerequisites. EPSS data not provided, but no public exploit or CISA KEV listing identified at time of analysis. Amazon has released patches for Windows, Linux, and macOS platforms.

Denial Of Service Amazon Athena Odbc Driver
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-25044 HIGH PATCH GHSA This Week

Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute arbitrary system commands through the bash automation step feature. The vulnerability stems from unsanitized user input processed via template interpolation in execSync calls, allowing command injection with low attack complexity. No public exploit identified at time of analysis, though the technical details disclosed in the GitHub Security Advisory provide a clear exploitation path for authenticated users with automation privileges.

Command Injection Budibase
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32646 HIGH PATCH This Week

Unauthenticated remote access to administrative endpoints in Gardyn Cloud API exposes device management functions to network attackers. The CVSS:4.0 vector (AV:N/AC:L/PR:N) confirms network-reachable exploitation requiring no authentication or user interaction, with high confidentiality impact. EPSS data unavailable, but authentication bypass vulnerabilities (CWE-306) are frequently targeted when exposed on internet-facing APIs. CISA ICS-CERT advisory indicates IoT/OT context, suggesting potential for unauthorized device control. No confirmed active exploitation (not on CISA KEV) and no public exploit identified at time of analysis.

Authentication Bypass Cloud Api
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-27634 HIGH PATCH This Week

SQL injection in Piwigo photo gallery application versions prior to 16.3.0 allows unauthenticated remote attackers to extract the entire database, including user password hashes, via unsanitized date filter parameters in the ws_std_image_sql_filter() function. The vulnerability stems from direct SQL concatenation of four date parameters without input validation or escaping. Vendor-released patch available in version 16.3.0. EPSS and KEV data not provided, but the combination of unauthenticated access, low attack complexity, and full database disclosure represents critical risk for internet-facing Piwigo installations.

SQLi Piwigo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-35218 HIGH PATCH This Week

Stored cross-site scripting (XSS) in Budibase's Builder Command Palette (versions prior to 3.32.5) enables authenticated Builder users to inject malicious HTML payloads via entity names (tables, views, queries, automations), achieving session hijacking and account takeover when other Builder-role users invoke the Command Palette. CVSS 8.7 with changed scope reflects the cross-user attack vector. No public exploit identified at time of analysis, though the attack technique is straightforward for authenticated insiders. EPSS data unavailable; patch available in version 3.32.5.

XSS Budibase
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-34228 HIGH This Week

Cross-Site Request Forgery (CSRF) in Emlog CMS versions prior to 2.6.8 enables remote attackers to execute arbitrary SQL commands and write arbitrary files to the web root without authentication. The vulnerability exploits an unprotected backend upgrade interface that accepts remote SQL and ZIP URLs via GET parameters, requiring only that an authenticated administrator visit a malicious link. EPSS data not available; no public exploit identified at time of analysis, though exploitation complexity is low given the CSRF nature and network attack vector.

CSRF Emlog
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-22663 HIGH PATCH This Week

Authorization bypass vulnerabilities in prompts.chat (pre-commit 7b81836) expose private prompt data to unauthenticated remote attackers. Missing isPrivate validation checks across multiple API endpoints and metadata generation functions allow unauthorized retrieval of version history, change requests, examples, content, and HTML meta tag information for prompts marked private. No public exploit identified at time of analysis, though CVSS 8.7 reflects network-accessible, low-complexity attack requiring no privileges. Vendor-released patch available via GitHub commit 7b81836b21.

Authentication Bypass Information Disclosure Prompts Chat
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2020-37216 HIGH This Week

Hirschmann Industrial HiVision versions 08.1.03 prior to 08.1.04 and 08.2.00 contains an untrusted search path vulnerability that allows local attackers to execute arbitrary binaries by placing a. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hirschmann Industrial Hivision
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-32173 HIGH PATCH NO ACTION HOSTED Monitor

Information disclosure in Azure SRE Agent can be exploited by remote unauthenticated attackers via improper authentication mechanisms. The vulnerability carries an 8.6 CVSS score with network attack vector requiring low complexity and no user interaction, enabling attackers to extract high-confidentiality data with scope change impact. No public exploit identified at time of analysis, though the authentication bypass nature and network accessibility present significant risk to Azure infrastructure components.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-22661 HIGH PATCH This Week

Path traversal in prompts.chat skill file extraction allows unauthenticated remote attackers to write arbitrary files and execute code on client systems through malicious ZIP archives. The vulnerability (CVSS 8.6) stems from missing server-side filename validation enabling ../ sequences in archive filenames that overwrite shell initialization files during extraction. VulnCheck identified this issue; vendor-released patch available in commit 0f8d4c3. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.

Path Traversal RCE Prompts Chat
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-22665 HIGH PATCH This Week

Identity confusion in prompts.chat (prior to commit 1464475) enables authenticated attackers to impersonate users and hijack profile URLs by creating case-variant usernames (e.g., 'Alice' vs 'alice'). Inconsistent case-handling between write and read operations allows bypass of uniqueness validation, letting attackers inject malicious content on canonical victim profiles. EPSS data not available; no public exploit identified at time of analysis, though attack complexity is low (CVSS:4.0 AC:L) requiring only low-privilege access (PR:L). VulnCheck disclosed this vulnerability with vendor patch released via GitHub commit.

Information Disclosure Canonical Prompts Chat
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-23457 HIGH PATCH This Week

Integer truncation in Linux kernel netfilter SIP helper allows remote attackers to bypass Content-Length validation and cause information disclosure via malformed SIP messages. The sip_help_tcp() function stores SIP Content-Length header values (returned as unsigned long) into an unsigned int variable, causing values exceeding UINT_MAX (4,294,967,295) to truncate silently on 64-bit systems. This miscalculation causes the parser to misidentify message boundaries, treating trailing TCP segment dat

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-33752 HIGH PATCH GHSA This Week

Server-Side Request Forgery in curl_cffi Python library allows unauthenticated remote attackers to access internal network resources and cloud metadata endpoints via attacker-controlled redirect chains. The library passes user-supplied URLs directly to libcurl without validating destination IP ranges and follows redirects automatically (CURLOPT_FOLLOWLOCATION enabled), enabling access to services like AWS/GCP metadata APIs (169.254.169.254). TLS fingerprint impersonation features (e.g., 'impersonate=chrome') can disguise these requests as legitimate browser traffic, potentially bypassing network controls. EPSS data not available; no active exploitation confirmed (not in CISA KEV); functional proof-of-concept publicly disclosed in GitHub advisory.

SSRF Python Google Chrome
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2016-15058 HIGH This Week

Hirschmann HiLCOS Classic Platform switches Classic L2E, L2P, L3E, L3P versions prior to 09.0.06 and Classic L2B prior to 05.3.07 contain a credential exposure vulnerability where user passwords are. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hirschmann Hilcos Classic Platform
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-59711 HIGH This Week

Directory traversal in BizTalk360 before version 11.5 allows authenticated attackers to write files outside the intended upload directory and potentially coerce authentication from the service through mishandling of user input in an upload mechanism. The vulnerability requires valid authentication credentials but enables arbitrary file write capabilities that could lead to remote code execution or service compromise.

Path Traversal
NVD
CVSS 3.1
8.3
EPSS
0.9%
CVE-2026-23456 HIGH PATCH This Week

Out-of-bounds read in Linux kernel netfilter H.323/RAS packet decoding allows local or remote attackers to read 1-4 bytes beyond allocated buffer boundaries via malformed packets. The vulnerability exists in decode_int() within nf_conntrack_h323, where insufficient boundary validation before reading variable-length integer fields permits information disclosure or potential denial of service. No CVSS score or KEV status published; patch available across multiple stable kernel branches via upstream commits.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-23459 HIGH PATCH This Week

Memory corruption and potential kernel freezes occur in the Linux kernel's IP tunnel implementation when VXLAN or GENEVE tunnels transmit packets, due to incorrect offset calculations in per-CPU statistics tracking on 32-bit systems. The vulnerability arises from iptunnel_xmit_stats() assuming all tunnels use NETDEV_PCPU_STAT_TSTATS, but VXLAN and GENEVE actually use NETDEV_PCPU_STAT_DSTATS with a different memory layout, causing syncp sequence counter overwrites that corrupt statistics or deadlock the kernel. Patch commits are available in the Linux kernel stable tree and address this by adapting the statistics handler and repositioning the pcpu_stat_type field to improve cache efficiency.

Linux Information Disclosure
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-4350 HIGH This Week

Arbitrary file deletion in Perfmatters WordPress plugin (≤2.5.9.1) allows authenticated attackers with Subscriber-level access to delete critical files including wp-config.php via path traversal, enabling full site takeover. The vulnerability stems from unsanitized GET parameter processing in PMCS::action_handler() without authentication or nonce checks. CVSS 8.1 reflects network-accessible attack requiring only low-privilege authentication with high integrity and availability impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the lack of input validation.

WordPress PHP Path Traversal
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-34774 HIGH PATCH GHSA This Week

Use-after-free memory corruption in Electron framework (versions <39.8.1, <40.7.0, <41.0.0) allows unauthenticated remote attackers to potentially execute arbitrary code when offscreen rendering is enabled and child windows are permitted. The vulnerability triggers when a parent offscreen WebContents is destroyed while child windows remain active, causing subsequent paint operations to dereference freed memory. EPSS data not available; no public exploit identified at time of analysis. Fixed versions released by vendor.

Use After Free Memory Corruption Buffer Overflow Microsoft
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-31393 HIGH PATCH This Week

Out-of-bounds read in Linux kernel Bluetooth L2CAP layer allows remote attackers to read adjacent kernel memory via truncated L2CAP_INFO_RSP packets with insufficient payload length. The l2cap_information_rsp() function validates only the fixed 4-byte header but then unconditionally accesses variable-length payload fields (feat_mask at offset +4 and fixed_chan at offset +1) without verifying the payload is present, triggering kernel memory disclosure on specially crafted Bluetooth frames.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-31392 HIGH PATCH This Week

Linux kernel SMB client incorrectly reuses Kerberos authentication sessions across multiple mounts with different username options, allowing an attacker or misconfigured system to access shares using unintended credentials. The vulnerability affects CIFS/SMB mounting with Kerberos (sec=krb5) when the username mount option is specified; the kernel fails to validate that the username parameter matches the authenticated session, causing subsequent mounts to inherit the first mount's credentials rather than failing with ENOKEY when the requested principal is absent from the keytab. This is a session management flaw that enables credential confusion and potential unauthorized share access.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-25773 HIGH GHSA Monitor

Second-order SQL injection in Focalboard 8.0 and earlier allows authenticated attackers to exfiltrate password hashes and other sensitive data via time-based blind injection through the category reorder API. Malicious SQL payloads injected into category ID fields persist in the database and execute unsanitized during subsequent reorder operations. Focalboard standalone is unsupported and will not receive a security patch. EPSS score of 0.01% indicates very low observed exploitation probability, consistent with the narrow attack surface requiring authenticated access to an end-of-life product.

SQLi Information Disclosure Focalboard
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-35043 HIGH PATCH GHSA This Week

Command injection in BentoML's cloud deployment path allows remote code execution on BentoCloud build infrastructure via malicious bentofile.yaml configurations. While commit ce53491 fixed command injection in local Dockerfile generation by adding shlex.quote protection, the cloud deployment code path (deployment.py:1648) remained vulnerable, directly interpolating system_packages into shell commands without sanitization. Attackers can inject shell metacharacters through bentofile.yaml to execut

RCE Command Injection Docker Ubuntu Kubernetes
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-31403 HIGH PATCH This Week

Use-after-free in Linux kernel NFSD /proc/fs/nfs/exports proc entry allows information disclosure when a network namespace is destroyed while an exports file descriptor remains open. The vulnerability occurs because exports_proc_open() captures a network namespace reference without holding a refcount, enabling nfsd_net_exit() to free the export cache while the fd is still active, leading to subsequent reads dereferencing freed memory. The fix holds a struct net reference for the lifetime of the

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31399 HIGH PATCH This Week

Use-after-free in the Linux kernel's nvdimm/bus subsystem allows local privileged users to potentially trigger memory corruption when device_add() fails during nd_async_device_register() asynchronous initialization. The flaw stems from the parent device reference being dropped before the parent pointer is accessed on allocation failure paths. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Linux Use After Free Memory Corruption Denial Of Service Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31396 HIGH PATCH This Week

Use-after-free vulnerability in Linux kernel's Cadence MAC (macb) driver allows local attackers to read freed memory via ethtool get_ts_info calls on PTP-capable network interfaces. The PTP clock is registered when the interface opens and destroyed when it closes, but the ethtool handler can still access it after deallocation, causing a kernel memory access violation. No active exploitation confirmed; patch available in stable kernel releases.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31389 HIGH PATCH This Week

Use-after-free vulnerability in Linux kernel SPI controller registration allows local attackers to trigger unclocked register accesses and potential information disclosure when per-CPU statistics allocation fails during controller initialization. The vulnerability affects all Linux kernel versions and is fixed via proper driver core deregistration on allocation failure; no CVSS score or active exploitation data available at time of analysis.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23458 HIGH PATCH This Week

Use-after-free in Linux kernel netfilter ctnetlink module allows local attackers to read freed kernel memory by triggering multiple-round netlink dump operations on conntrack expectations, exploiting improper reference counting in ctnetlink_dump_exp_ct() that drops conntrack references before the dump callback completes. The vulnerability requires local network namespace access and CAP_NET_ADMIN capability but enables information disclosure of kernel heap contents via KASAN-detected slab-use-after-free on ct->ext dereference.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23449 HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's TEQL (Trivial Link Equalizer) qdisc implementation allows local attackers to cause kernel crashes via denial of service. The vulnerability occurs when qdisc_reset is called without proper synchronization on lockless Qdisc root configurations, creating a race condition that results in use-after-free and double-free conditions in packet buffer management. This affects all Linux kernel versions with the vulnerable TEQL code path and requires local access to trigger via specially crafted packet scheduling operations.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23422 HIGH PATCH This Week

Interrupt storm in Linux kernel dpaa2-switch driver occurs when a bounds check rejects an out-of-bounds if_id in the IRQ handler but fails to clear the interrupt status, causing repeated spurious interrupts. This denial-of-service condition affects the NXP DPAA2 Ethernet switch driver on systems running vulnerable Linux kernel versions. An attacker with the ability to trigger malformed frames or hardware state transitions could exhaust CPU resources through interrupt flooding.

Linux Google Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31401 HIGH PATCH This Week

Buffer overflow in Linux kernel HID-BPF subsystem allows arbitrary return values from dispatch_hid_bpf_raw_requests() to overflow the hid_hw_request buffer without validation. The vulnerability affects all Linux kernel versions with HID-BPF support; attackers with the ability to load or influence BPF programs targeting HID devices can trigger memory corruption. No CVSS score, EPSS data, or confirmed active exploitation has been assigned at time of analysis.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23466 HIGH PATCH This Week

Linux kernel DRM/xe driver fails to protect GPU memory (GGTT) MMIO access during failed driver load or asynchronous buffer object teardown, potentially enabling information disclosure or memory corruption. The vulnerability affects systems with Intel Xe graphics where the driver's hotplug-based protection mechanism does not activate if initialization fails, leaving GGTT memory accessible after the driver should have been disabled. CVSS and KEV status not available; patches have been released in upstream Linux stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23448 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's cdc_ncm USB networking driver allows a local attacker with a malicious or compromised USB CDC NCM device to read kernel memory beyond the skb buffer. The flaw lives in cdc_ncm_rx_verify_ndp16(), where the NDP16 nframes bounds check omits the ndpoffset value, letting DPE array iteration in cdc_ncm_rx_fixup() walk past the legitimate buffer when wNdpIndex points near the end of the NTB. No public exploit identified at time of analysis and EPSS exploitation probability is 0.02% (5th percentile), but a patch is available from upstream Linux maintainers.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy