Skip to main content
CVE-2026-34903 MEDIUM This Month

Missing authorization in OceanWP Ocean Extra plugin versions through 2.5.3 allows authenticated users to bypass access control restrictions and perform unauthorized modifications or denial-of-service actions. An attacker with valid user credentials can exploit incorrectly configured access control checks to escalate privileges beyond their intended permission level. No public exploit code has been identified at time of analysis, but the vulnerability has been documented by Patchstack security researchers.

Authentication Bypass Ocean Extra
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4065 MEDIUM This Month

Smart Slider 3 plugin for WordPress through version 3.5.1.33 allows authenticated attackers with Contributor-level access to enumerate slider metadata and create, modify, or delete image storage records due to missing capability checks in multiple AJAX controller actions. The vulnerability exploits exposed nonce tokens on post editor pages combined with incomplete permission validation, enabling privilege escalation from Contributor to administrative-equivalent capabilities for slider management without requiring unfiltered_html permissions. No public exploit code or active exploitation has been identified at time of analysis.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39380 MEDIUM PATCH This Month

Stored cross-site scripting in Open Source Point of Sale allows authenticated users to inject malicious JavaScript through the Stock Locations configuration feature, which executes when rendered in the Employees interface. Versions prior to 3.4.3 are affected. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk in multi-user POS environments where administrative interfaces may be accessible to untrusted staff.

XSS PHP
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39367 MEDIUM GHSA This Month

Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject malicious JavaScript into EPG (Electronic Program Guide) XML files, which executes in the browsers of unauthenticated visitors to the public EPG page without sanitization. Attackers can exploit this to hijack sessions and takeover accounts of any user viewing the compromised EPG. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS Avideo
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32712 MEDIUM PATCH This Month

Stored XSS in Open Source Point of Sale versions prior to 3.4.3 allows authenticated users with customer management permissions to inject malicious JavaScript into customer name fields, which executes when any user views the Daily Sales page. The vulnerability stems from the bootstrap-table column configuration explicitly disabling HTML escaping (escape: false) for the customer_name column, enabling arbitrary script execution with cross-site impact. Vendor-released patch: 3.4.3.

XSS PHP
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14857 MEDIUM This Month

Stack memory write protection bypass in Semtech LoRa LR11xx transceiver firmware allows physical attackers with SPI interface access to overwrite the program call stack and achieve limited arbitrary code execution during an active session. The vulnerability affects LR1110, LR1120, and LR1121 devices running early firmware versions; however, impact is constrained to the current attack session because secure boot prevents persistent firmware modification, cryptographic keys remain isolated, and all changes revert upon device reboot or loss of physical access. CVSS 5.4 (moderate) reflects the physical attack requirement despite high confidentiality and integrity impact.

RCE Lr1110 Lr1120 Lr1121
NVD
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-35487 MEDIUM PATCH This Month

Unauthenticated path traversal in text-generation-webui prior to version 4.3 allows remote attackers to read arbitrary .txt files from the server filesystem via the load_prompt() function, with file contents returned directly in API responses. The vulnerability requires no authentication, user interaction, or special conditions, resulting in confidentiality impact with a CVSS score of 5.3. A vendor-released patch is available in version 4.3.

Path Traversal Text Generation Webui
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-35484 MEDIUM PATCH This Month

Unauthenticated path traversal in text-generation-webui prior to version 4.3 allows remote attackers to read arbitrary YAML files from the server filesystem via the load_preset() function, exposing sensitive credentials such as passwords, API keys, and connection strings in API responses. The vulnerability requires only network access with no authentication, user interaction, or special configuration, making it a practical attack vector despite the moderate CVSS score of 5.3.

Path Traversal Text Generation Webui
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-35483 MEDIUM PATCH This Month

Unauthenticated path traversal in text-generation-webui prior to version 4.3 enables remote attackers to read arbitrary files with .jinja, .jinja2, .yaml, or .yml extensions from the server filesystem. The vulnerability resides in the load_template() function and allows disclosure of configuration files, templates, and other sensitive data without authentication. EPSS score of 5.3 reflects low to moderate real-world exploitation risk despite network accessibility, as successful exploitation requires knowledge of file paths and extension constraints.

Path Traversal Text Generation Webui
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39400 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Cronicle prior to 0.9.111 allows authenticated users with create_events and run_events privileges to inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The injected payload is stored server-side without sanitization and executed client-side via innerHTML when other users view the Job Details page, enabling session hijacking, credential theft, or malicious actions performed in the context of the viewing user's session. No public exploit code or active exploitation has been reported at the time of analysis.

XSS Cronicle
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-35608 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in QuickDrop prior to version 1.5.3 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of the application domain by uploading a malicious SVG file via the file upload endpoint and triggering execution when any user views the file preview. The vulnerability requires user interaction (viewing the preview) but no authentication, making it moderately exploitable in multi-user deployment scenarios where file sharing is expected functionality.

XSS Quickdrop
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-5762 MEDIUM This Month

Denial-of-service via unthrottled resource allocation in the Wikimedia MediaWiki ReportIncident Extension allows authenticated remote attackers to trigger HTTP DoS by exhausting server resources without rate limiting. Affected versions include ReportIncident 1.43.7, 1.44.4, and 1.45.2. No public exploit code or active exploitation has been confirmed at time of analysis.

Denial Of Service
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39401 MEDIUM PATCH This Month

Cronicle prior to 0.9.111 allows low-privilege authenticated users to modify arbitrary event properties via an authorization bypass in the job child process update mechanism. An attacker with permission to create and run events can inject an update_event key in JSON output that the server applies directly to any event's configuration without authorization checks, enabling modification of webhook URLs, notification emails, and other sensitive event parameters. This vulnerability requires prior authentication and event creation capabilities but represents a significant privilege escalation risk in multi-user Cronicle deployments.

Authentication Bypass Cronicle
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39360 MEDIUM GHSA This Month

RustFS alpha versions prior to alpha.90 allow authenticated users with limited permissions to bypass authorization checks in the multipart copy operation (UploadPartCopy), enabling exfiltration of objects from buckets they cannot directly read. This breaks tenant isolation in multi-tenant deployments by allowing a low-privileged user to copy victim objects into their own multipart upload and complete the transfer without proper authorization validation.

Authentication Bypass Rustfs
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39348 MEDIUM PATCH This Month

OrangeHRM 5.0 through 5.8 allows authenticated low-privilege users to bypass authorization controls and directly access job specification and vacancy attachment files by manipulating attachment identifiers, exposing sensitive HR documents. The vulnerability affects the attachment download handlers which fail to validate user permissions before serving files. This issue is fixed in version 5.8.1.

Authentication Bypass Orangehrm
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39346 MEDIUM PATCH This Month

OrangeHRM Open Source versions 5.0 through 5.8 allow authenticated users to bypass module access controls by submitting URL-encoded request paths, enabling unauthorized access to administrator-disabled functionality. The vulnerability requires valid user credentials but presents a moderate confidentiality and integrity risk. A vendor-released patch is available in version 5.8.1.

Authentication Bypass Orangehrm
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-35606 MEDIUM PATCH GHSA This Month

File Browser versions prior to 2.63.1 allow authenticated users with download permission disabled to bypass access controls and read arbitrary text file content through the resourceGetHandler endpoint in http/resource.go, which fails to validate the Perm.Download permission flag unlike three other content-serving endpoints that correctly enforce this check. This authentication bypass affects any File Browser deployment where users are granted access but restricted from downloading files, and is fixed in version 2.63.1.

Authentication Bypass Filebrowser
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-35583 MEDIUM PATCH GHSA This Month

Emissary versions prior to 8.39.0 allow unauthenticated remote attackers to read arbitrary configuration files through path traversal via the /api/configuration/{name} endpoint. The vulnerability stems from incomplete blacklist validation of configuration names that can be bypassed using URL-encoded variants, double-encoding, or Unicode normalization attacks. No public exploit code or active exploitation has been confirmed.

Path Traversal Emissary
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-35578 MEDIUM PATCH This Month

Open redirect vulnerability in ChurchCRM prior to version 7.0.0 allows authenticated users to be redirected to arbitrary URLs via crafted links containing unvalidated redirect parameters, particularly through the 'linkBack' parameter used across multiple application pages including DonatedItemEditor.php. An attacker can create a malicious link that redirects authenticated users to external sites when they interact with UI elements, enabling phishing attacks and credential theft. The vulnerability requires an authenticated user and user interaction (clicking a button), reducing immediate risk but posing moderate concern in social engineering scenarios.

PHP Open Redirect
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39381 MEDIUM PATCH GHSA This Month

Parse Server versions prior to 9.8.0-alpha.7 and 8.6.75 expose protected session fields to authenticated users via the GET /sessions/me endpoint, bypassing the protectedFields server configuration that should restrict access to sensitive data. An authenticated attacker can retrieve their own session's protected fields in a single request, whereas the equivalent GET /sessions and GET /sessions/:objectId endpoints correctly enforce field-level access controls. This information disclosure vulnerability affects any Parse Server deployment where administrators have configured protected fields on the _Session class and expects those fields to remain confidential from users.

Node.js Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39373 MEDIUM PATCH GHSA This Month

Memory exhaustion in JWCrypto before 1.5.7 allows unauthenticated remote attackers to cause denial of service on memory-constrained systems by sending crafted JWE tokens with ZIP compression that decompress to approximately 100MB despite remaining under the 250KB input size limit. The vulnerability exploits incomplete validation in the upstream CVE-2024-28102 patch, which restricted input token size but failed to enforce decompressed output limits.

Information Disclosure Python Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14944 MEDIUM This Month

Unauthenticated attackers can trigger backup upload queue processing in Backup Migration plugin for WordPress (all versions up to 2.0.0) via the 'initializeOfflineAjax' AJAX endpoint, which lacks capability checks and relies on publicly exposed hardcoded tokens for validation. This allows remote attackers to cause unexpected backup transfers to cloud storage and resource exhaustion without authentication or user interaction. CVSS 5.3 (medium), no confirmed active exploitation reported.

WordPress Authentication Bypass Denial Of Service
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5380 MEDIUM PATCH This Month

runZero Platform versions prior to 4.0.260204.2 expose cleartext secrets for a subset of credential types and fields to authorized users due to insufficient credential protection, allowing users with legitimate platform access to view sensitive authentication data they should not be able to access. The vulnerability requires user interaction and has a CVSS score of 5.3 (Medium) with high confidentiality impact but no active exploitation or public exploit code identified at time of analysis.

Authentication Bypass Platform
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-35592 MEDIUM PATCH GHSA This Month

Path traversal in pyLoad's tar extraction allows writing files outside the intended directory via specially crafted archives. The vulnerability stems from incomplete remediation of a prior path traversal fix (CVE-2026-32808), where the _safe_extractall() function continues to use the insecure os.path.commonprefix() instead of the correct os.path.commonpath(). Unauthenticated remote attackers can exploit this via a malicious tar file when a user extracts it, achieving arbitrary file write on the system. The vulnerability affects pyLoad versions prior to 0.5.0b3.dev97 and is fixed in that release.

Python Path Traversal
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33866 MEDIUM PATCH GHSA This Month

MLflow through version 3.10.1 allows authenticated users to bypass authorization controls and download model artifacts from experiments they lack permission to access via an unprotected AJAX endpoint. The vulnerability requires valid MLflow authentication but no special privileges, enabling lateral access to restricted experiment data. Patch availability confirmed via upstream pull request; CISA SSVC assessment indicates partial technical impact with automatable exploitation path but no confirmed active exploitation.

Authentication Bypass Red Hat
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-34899 MEDIUM This Month

Missing authorization in Eniture Technology LTL Freight Quotes - Worldwide Express Edition plugin (versions through 5.2.1) allows unauthenticated remote attackers to modify data through incorrectly configured access control, affecting WordPress installations. The vulnerability has a CVSS score of 5.3 with no public exploit code confirmed, and affects WordPress plugin deployments where access control security levels are improperly enforced.

Authentication Bypass Ltl Freight Quotes Worldwide Express Edition
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3177 MEDIUM This Month

Unauthenticated attackers can forge Stripe webhook events in the Charitable donation plugin for WordPress up to version 1.8.9.7, allowing them to mark pending donations as completed without processing actual payments. The plugin fails to cryptographically verify incoming webhook payloads, enabling attackers to manipulate donation records and bypass payment validation. This impacts all WordPress sites using affected versions and could result in financial loss for fundraising organizations.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4420 MEDIUM This Month

Stored XSS in Bludit page creation functionality allows authenticated users with author privileges or higher to inject malicious JavaScript via the tags field, executing arbitrary code in victims' browsers when they access the affected page. Bludit versions 3.17.2 and 3.18.0 are confirmed vulnerable; the vendor did not respond with remediation details or clarify the full version range affected. This vulnerability poses moderate immediate risk (CVSS 5.1) but carries elevated concern because injected scripts could escalate privileges to administrator level if the victim has sufficient permissions, and the malicious resource is accessible without authentication.

XSS Bludit
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-33865 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in MLflow through version 3.10.1 allows authenticated attackers to inject malicious payloads via YAML-based MLmodel artifacts that execute when other users view the artifact in the web interface, enabling session hijacking or unauthorized actions on behalf of victims. CVSS 5.1 reflects low severity due to authentication requirement and user interaction; SSVC framework rates exploitation as none, automatable as no, and technical impact as partial. Upstream fix is available in a GitHub PR, though no formally released patched version has been independently confirmed from provided data.

XSS Red Hat
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-39840 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts into non-script page elements through improper input neutralization. The vulnerability requires user interaction (UI:P) and has limited scope impact, affecting only the confidentiality and integrity of session data. No public exploit code or active exploitation has been identified at the time of analysis.

XSS Mediawiki Cargo Extension
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-39347 MEDIUM PATCH This Month

OrangeHRM Open Source versions 5.0 through 5.8 allow high-privileged administrator users to modify self-appraisal submissions after those submissions have been marked as completed, compromising the integrity of finalized appraisal records. The vulnerability requires administrator authentication and has a CVSS score of 5.1 with low integrity impact. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Orangehrm
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35613 MEDIUM PATCH GHSA This Month

Path traversal in coursevault-preview versions before 0.1.1 allows local attackers without authentication to read arbitrary files outside the configured base directory by exploiting a flawed boundary check in the resolveSafe utility. The vulnerability exists because the code uses String.prototype.startsWith() to validate normalized paths, which fails to enforce proper directory boundaries when sibling directories share the same string prefix. This enables disclosure of sensitive files on systems where the application is installed.

Path Traversal Coursevault Preview
NVD GitHub VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-14858 MEDIUM This Month

Information disclosure vulnerability in Semtech LR11xx LoRa transceivers (LR1110, LR1120, LR1121) allows attackers with physical SPI interface access to retrieve decrypted firmware contents by exploiting improper memory cleanup after firmware validation. The device fails to clear the last decrypted firmware block from memory after integrity checks complete, enabling an attacker to bypass firmware encryption protection via subsequent SPI memory read commands. This affects early firmware versions and requires direct physical access to the SPI interface.

Information Disclosure Lr1110 Lr1120 Lr1121
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35516 MEDIUM PATCH This Month

Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from internal services by updating links to private IP addresses, exposing cloud credentials and internal service metadata. The links:check cron job executes requests without IP filtering, enabling attackers to probe AWS IMDSv1, cloud metadata endpoints, and internal APIs. The vulnerability requires authentication but operates over the network with low complexity, affecting all installations running versions before 2.5.4. No public exploit code or confirmed active exploitation has been identified at time of analysis.

SSRF Linkace
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-35461 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Papra document management platform prior to 26.4.0 allows authenticated users to register arbitrary webhook endpoints without URL validation, enabling the server to make HTTP POST requests to localhost, internal networks, and cloud metadata endpoints on document events. Attack requires valid user authentication and knowledge of internal network topology but can exfiltrate sensitive data from restricted network segments.

SSRF Papra
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-24147 MEDIUM This Month

NVIDIA Triton Inference Server prior to r26.02 allows unauthenticated remote attackers to trigger information disclosure and denial of service through malicious model configuration uploads, exploiting a path traversal vulnerability (CWE-22) that enables access to sensitive files outside intended directories. The CVSS 4.8 score reflects moderate risk with high attack complexity, though real-world exploitation likelihood depends on network accessibility to model upload endpoints.

Information Disclosure Nvidia Denial Of Service Path Traversal
NVD VulDB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-35571 MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Emissary prior to 8.39.0 allows authenticated administrators to inject malicious javascript: URIs into navigation item configuration, which are then rendered unsafely in href attributes viewed by other authenticated users. The vulnerability requires high-privilege administrative access to modify navItems configuration but affects all other users accessing the web interface, with confirmed fix available in version 8.39.0.

XSS Emissary
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-39345 MEDIUM PATCH This Month

OrangeHRM Open Source 5.0 through 5.8 allows authenticated users with high privileges to read arbitrary local files by manipulating email template file paths, bypassing the intended plugin directory restriction. The vulnerability requires high-privilege credentials and manual path influence but enables confidential file disclosure. Vendor has released patch version 5.8.1; no public exploit code or active exploitation is confirmed.

Path Traversal Orangehrm
NVD GitHub
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-5383 MEDIUM PATCH This Month

RunZero Explorer versions prior to 4.0.260208.0 allow high-privileged authenticated users to access Explorer groups outside their authorized organization scope, enabling unauthorized cross-organizational information disclosure and potential service disruption. The vulnerability stems from incorrect authorization controls (CWE-863) and requires administrator-level credentials and high attack complexity to exploit. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Explorer
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-33227 MEDIUM PATCH This Month

Improper path validation in Apache ActiveMQ Client and Broker allows authenticated users to traverse the classpath via crafted 'key' values in Stomp consumer creation and Web console message browsing operations, potentially enabling information disclosure or chaining with secondary attacks for greater impact. Affects ActiveMQ Client/Broker versions before 5.19.3 and 6.0.0-6.2.1; patch available in 5.19.4 and 6.2.3 (5.19.3/6.2.2 have platform-specific limitations). EPSS score of 0.04% indicates l

Apache Path Traversal Microsoft
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-35462 MEDIUM PATCH This Month

Papra API key expiration validation bypass in versions before 26.4.0 allows authenticated users with expired API keys to maintain indefinite access to protected endpoints. An attacker who obtains or retains a valid API key can continue authenticating even after the key's expiresAt timestamp has passed, enabling persistent unauthorized data access. This affects all Papra deployments using API key authentication without the 26.4.0 patch, though exploitation requires initial possession of a valid API key.

Information Disclosure Papra
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-35460 MEDIUM PATCH This Month

Papra document management platform versions prior to 26.4.0 allow authenticated attackers to inject HTML into transactional email templates by registering with a display name containing HTML tags, enabling convincing phishing attacks through legitimate Papra email domains. The vulnerability affects verification and password reset emails, which are sent from official Papra domains, making socially engineered attacks highly credible. No public exploit code or active exploitation has been identified at time of analysis.

XSS Papra
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-39395 MEDIUM PATCH GHSA This Month

Cosign verify-blob-attestation incorrectly validates attestation signatures and predicate types in versions before 3.0.6 and 2.6.3, allowing remote attackers to bypass integrity verification by submitting malformed attestations or mismatched predicate types that are falsely reported as verified. The vulnerability affects container and binary code signing workflows where attestation integrity is critical for supply chain security.

Authentication Bypass Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-20446 MEDIUM This Month

Integer overflow in MediaTek secure boot (sec boot) leads to out-of-bounds write causing local denial of service on affected MediaTek chipsets. Attack requires physical device access and local user execution privileges, with no user interaction needed. EPSS score of 0.02% and CISA SSVC assessment of 'none' exploitation status indicate low real-world risk despite the moderate CVSS base score of 4.3.

Integer Overflow Denial Of Service Mediatek Chipset
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-39316 MEDIUM PATCH This Month

Local denial of service and potential remote code execution in OpenPrinting CUPS 2.4.16 and prior occurs when the scheduler (cupsd) deletes temporary printers without expiring associated subscriptions, leaving dangling pointers in memory that are subsequently dereferenced. An unauthenticated local attacker can crash the cupsd daemon or, with heap grooming techniques, achieve arbitrary code execution on systems running affected CUPS versions.

Denial Of Service Use After Free RCE Memory Corruption Red Hat +1
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-39314 MEDIUM PATCH This Month

Denial of service in OpenPrinting CUPS 2.4.16 and prior allows unprivileged local users to crash the cupsd root process via integer underflow in _ppdCreateFromIPP() by supplying a negative job-password-supported IPP attribute, which wraps to a large size_t value and triggers a stack buffer overflow in memset(). When combined with systemd's automatic restart mechanism, an attacker can sustain repeated crashes without requiring elevated privileges or user interaction.

Denial Of Service Integer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy