352 CVEs tracked today. 20 Critical, 108 High, 192 Medium, 29 Low.
-
CVE-2026-41468
CRITICAL
CVSS 9.3
Template injection combined with AngularJS 1.5.2 sandbox escape primitives in Beghelli Sicuro24 SicuroWeb enables arbitrary JavaScript execution in operator browsers, leading to session hijacking and persistent compromise. Network-adjacent attackers can exploit this via MITM on plaintext HTTP deployments requiring only passive user interaction. Publicly available POC exists (CVE-2026-22191 exploit chain documented by BoffSec Services and kmkz), confirming weaponization risk. CVSS 9.3 reflects adjacent-network access requirement (AV:A), but SSVC indicates total technical impact with POC-confirmed exploitation status.
Code Injection
Sicuroweb Sicuro24
-
CVE-2026-41203
CRITICAL
CVSS 9.4
Remote code execution in ci4ms content management system allows authenticated backend users with theme creation permissions to write arbitrary PHP files via Zip Slip path traversal. A working proof-of-concept demonstrates uploading a malicious theme archive containing path-traversal entries (../../public/shell.php) that bypass extraction directory boundaries, placing executable code under the web root. Vendor-released patch available in version 0.31.5.0. No CISA KEV listing or EPSS data available, but publicly disclosed PoC significantly lowers exploitation barrier for attackers with valid credentials.
PHP
RCE
Python
Path Traversal
-
CVE-2026-41202
CRITICAL
CVSS 9.4
Remote code execution in ci4ms (CodeIgniter 4 Management System) versions prior to 0.31.5.0 allows authenticated backend users with backup creation permissions to write PHP webshells to the public web root via Zip Slip path traversal during backup restoration. The vulnerability is confirmed actively exploited (CISA KEV), and publicly available exploit code exists. CVSS 9.4 (Critical) aligns with the real-world risk, as exploitation requires only low-privilege authentication and the affected route is exempt from CSRF protection, enabling drive-by attacks against logged-in administrators. Vendor-released patch version 0.31.5.0 addresses the flaw by implementing path validation during ZIP extraction.
PHP
RCE
Python
Path Traversal
-
CVE-2026-41201
CRITICAL
CVSS 9.1
Remote code execution and full account takeover in CI4MS (CodeIgniter 4 CMS/ERP) allows authenticated high-privilege users to escalate to superadmin and compromise all accounts via stored DOM XSS in backup module filename fields. Attackers craft malicious SQL backup files containing hidden JavaScript payloads that execute when administrators view backup listings. Vendor-released patch available in version 0.31.5.0, addressing XSS via output escaping in DataTables rendering. No CISA KEV listing or public POC identified at time of analysis, but CVSS 9.1 Critical reflects scope change and multi-stage exploitation potential.
XSS
Privilege Escalation
-
CVE-2026-41179
CRITICAL
CVSS 9.2
Remote code execution via unauthenticated command injection in rclone's remote control API allows network attackers to execute arbitrary commands on the host system through a single HTTP request. The vulnerability affects rclone deployments with the RC API enabled (--rc or rclone rcd) that are network-accessible and lack global HTTP authentication. An attacker exploits the unprotected operations/fsinfo endpoint by crafting a WebDAV backend definition with a malicious bearer_token_command parameter, which executes during backend initialization. Confirmed exploitable on master branch (commit bf55d5e6) and release v1.73.4 with public proof-of-concept available. CVSS 9.2 reflects critical severity with network attack vector and no authentication required, though exploitation requires specific deployment configuration (AT:P). No CISA KEV listing or EPSS data available at time of analysis.
Command Injection
Ubuntu
-
CVE-2026-41176
CRITICAL
CVSS 9.2
Authentication bypass in rclone's remote control (RC) API allows network attackers to disable authorization checks via unauthenticated configuration mutation, enabling full administrative access to RC endpoints. The `options/set` endpoint lacks authentication requirements and permits setting `rc.NoAuth=true`, which disables protection for all RC methods marked `AuthRequired: true`. Affects rclone v1.45 onward when RC is network-accessible without HTTP authentication. No CISA KEV listing or public exploit code identified at time of analysis, though GitHub security advisory provides detailed proof-of-concept reproduction steps. CVSS 9.2 reflects critical severity with network vector and no authentication required, though CVSS:4.0 AT:P (Attack Requirements: Present) indicates specific deployment prerequisites limit automatic exploitation.
Authentication Bypass
Ubuntu
Red Hat
Suse
-
CVE-2026-41167
CRITICAL
CVSS 9.1
SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.
Docker
SQLi
PostgreSQL
-
CVE-2026-41070
CRITICAL
CVSS 10.0
Complete authentication bypass in openvpn-auth-oauth2 plugin mode (v1.26.3-1.27.2) grants VPN access to unauthenticated clients. Legacy OpenVPN clients lacking WebAuth/SSO support bypass OIDC authentication entirely and gain full network access due to incorrect plugin return codes. Only the experimental shared-library plugin deployment is affected; the default management-interface mode is not vulnerable. Vendor patch released in v1.27.3 with confirmed fix commits. No active exploitation reported, but trivial to exploit with standard Linux openvpn CLI against vulnerable deployments.
Authentication Bypass
-
CVE-2026-34415
CRITICAL
CVSS 9.3
Remote code execution in Xerte Online Toolkits 3.15 and earlier allows unauthenticated attackers to upload and execute arbitrary PHP code by chaining an incomplete file extension filter bypass (.php4 extension) with authentication bypass and path traversal vulnerabilities in the elFinder connector endpoint. Attackers can achieve complete server compromise by uploading malicious PHP files, renaming them with the .php4 extension to evade filtering, and executing operating system commands. Vendor-released patches available via three GitHub commits (02661be, 17e4f94, 507d55c). No public exploit code or active exploitation confirmed at time of analysis, though the attack chain is straightforward for skilled attackers.
PHP
Authentication Bypass
Path Traversal
-
CVE-2026-33656
CRITICAL
CVSS 9.1
Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/write on the web server by manipulating attachment sourceId fields. The vulnerability chains unsanitized user input with filesystem operations, enabling admins to overwrite or access files anywhere within PHP's open_basedir restriction. Publicly available exploit code exists. Vendor-released patch version 9.3.4 addresses this critical issue. Despite the 9.1 CVSS score and Changed scope indicating potential container escape or cross-tenant impact, EPSS data was not provided to assess real-world exploitation likelihood.
Path Traversal
-
CVE-2026-33471
CRITICAL
CVSS 9.6
Integer truncation in Nimiq core-rs-albatross's skip block proof verification allows authenticated validators to forge consensus quorum with insufficient signatures. Prior to v1.3.0, attackers exploit usize-to-u16 casting during BitSet iteration by inserting indices spaced at 65536 intervals - these inflate the quorum count via len() but collapse onto identical u16 slots during BLS signature aggregation, enabling a single malicious validator to masquerade as 2f+1 signers and pass verification. CVSS 9.6 (Critical) reflects network vector with low complexity and changed scope impacting integrity and availability of the Proof-of-Stake consensus. No EPSS or KEV data available; vendor-released patch confirmed in v1.3.0 via GitHub advisory and commit d020590.
Information Disclosure
-
CVE-2026-31501
CRITICAL
CVSS 9.8
Use-after-free in Linux kernel ICSSG PRU Ethernet driver allows remote code execution with CVSS 9.8 scoring. Affects TI ICSSG network driver in kernels 6.15 through 7.0 (patched in 6.19.11 and 7.0). The flaw causes CPPI descriptors to be freed before timestamp processing completes on every received packet, creating an exploitable memory corruption condition. Despite critical CVSS scoring, EPSS probability is very low (0.02%, 5th percentile) and no active exploitation or public POC has been identified. The network attack vector (AV:N) combined with zero-day timing suggests this may be scored for a worst-case remote exploitation scenario, but actual exploitability via network packets requires deeper investigation of the ICSSG hardware context and packet processing pipeline.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31478
CRITICAL
CVSS 9.8
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"),
response buffer management was changed to use dynamic iov array.
In the new ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31463
CRITICAL
CVSS 9.8
Use-after-free vulnerability in Linux kernel iomap subsystem allows memory corruption when filesystem block size differs from I/O granularity. The flaw occurs during buffered read operations when ctx->cur_folio is accessed after ownership transfers to the I/O helper, potentially leading to data corruption, information disclosure, or system crashes. Affects Linux kernel 6.19.x series. CVSS 9.8 critical severity, but EPSS exploitation probability is very low (0.02%, 5th percentile). Vendor patches available via mainline kernel commits. No active exploitation or public POC identified at time of analysis.
Information Disclosure
Linux
-
CVE-2026-31448
CRITICAL
CVSS 9.4
Denial of service in Linux kernel ext4 filesystem allows remote attackers to trigger infinite loops and system hangs (143+ second inode lock blocking) via crafted mkdir/mknod operations. The vulnerability stems from incomplete cleanup when extent insertion fails - ext4_ext_map_blocks() reclaims physical blocks without deleting stale extent tree entries, causing reuse of blocks already allocated to xattrs. This triggers infinite loops in ext4_xattr_block_set() that hold inode locks indefinitely. With CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) but EPSS only 0.02% (percentile 7), the network attack vector rating appears inconsistent with typical local filesystem exploitation. Patches available across stable kernel branches 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. No active exploitation confirmed (not in CISA KEV), but tagged for denial-of-service impact.
Denial Of Service
Linux
-
CVE-2026-31444
CRITICAL
CVSS 9.8
Use-after-free and NULL pointer dereference vulnerabilities in Linux kernel's ksmbd SMB server allow remote unauthenticated attackers to achieve arbitrary code execution, information disclosure, or denial of service. The flaws occur during oplock (opportunistic lock) publication when error handling frees memory still referenced by concurrent readers, and when global lease lists are accessed before critical pointers are initialized. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), this represents a critical remote attack surface, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation activity. Vendor patches are available across affected kernel versions 6.6.130-6.19.9.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-31436
CRITICAL
CVSS 9.8
Use-after-free and descriptor management error in Linux kernel's Intel IDXD DMA engine driver allows NULL pointer dereferences, double completion, or descriptor leaks. The llist_abort_desc() function completes the wrong descriptor object due to a loop cursor bug introduced in commit aa8d18becc0c. Patches released for kernel 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no active exploitation or public exploit code identified. Despite CVSS 9.8 critical rating with network vector, the actual attack surface requires local access to DMA engine subsystems, making the CVSS vector likely inaccurate or context-dependent.
Denial Of Service
Linux
Null Pointer Dereference
-
CVE-2026-31431
HIGH
CVSS 7.8
Memory corruption in Linux kernel's algif_aead cryptographic interface allows local authenticated users to achieve arbitrary kernel memory read/write, leading to privilege escalation to root. The vulnerability stems from improper handling of in-place operations introduced in commit 72548b093ee3, affecting kernel versions from 4.14 through 6.19.x. Multiple public exploits exist, including proof-of-concept demonstrations from security researchers, with an EPSS score of 0.01% indicating currently low widespread exploitation likelihood despite POC availability.
Information Disclosure
Linux
-
CVE-2026-6356
CRITICAL
CVSS 9.6
Privilege escalation in Augmentt 1.0 allows authenticated low-privilege users to manipulate HTTP parameters and gain super administrator access, exposing all tenant data and configurations to unauthorized modification. CVSS 9.6 critical severity with scope change indicates cross-tenant impact potential. Public proof-of-concept code exists on GitHub (PENGUINSECQ repository). SSVC framework rates this as proof-of-concept exploitation with partial technical impact, not automatable due to authentication requirement.
Information Disclosure
-
CVE-2026-6235
CRITICAL
CVSS 9.8
Authorization bypass in Sendmachine for WordPress plugin (versions ≤1.0.20) allows unauthenticated remote attackers to overwrite SMTP configuration settings. Attackers can redirect all outbound emails from WordPress sites - including password reset tokens and sensitive communications - to attacker-controlled servers, enabling credential theft and account takeover. CVSS 9.8 (Critical) reflects network attack vector with no authentication or user interaction required. No active exploitation confirmed at time of analysis, though the straightforward attack path (single HTTP request to exposed admin function) makes this a high-priority remediation target for sites using this plugin.
WordPress
Authentication Bypass
-
CVE-2026-4119
CRITICAL
CVSS 9.1
Authorization bypass in Create DB Tables WordPress plugin allows any authenticated user, including Subscribers, to execute arbitrary database operations including DROP TABLE commands against critical WordPress core tables. Wordfence reported this vulnerability affecting all versions through 1.2.1, where admin_post hooks lack both capability checks and nonce verification. Attackers with minimal Subscriber-level credentials can destroy entire WordPress installations by deleting wp_users, wp_options, or other core tables. CVSS vector indicates network-based attack (AV:N) with no authentication required (PR:N), though the description confirms authentication IS required at Subscriber level - this discrepancy suggests the CVSS vector may be incorrectly scored. No active exploitation confirmed via CISA KEV at time of analysis, but the vulnerability is trivially exploitable given the code is publicly viewable in WordPress plugin repository.
WordPress
Authentication Bypass
-
CVE-2026-41683
HIGH
CVSS 8.6
HTTP response splitting and denial-of-service in i18next-http-middleware < 3.9.3 allows remote unauthenticated attackers to inject arbitrary HTTP headers or crash Node.js processes via CRLF sequences in the lng parameter. On Node.js < 14.6.0, attackers achieve response splitting enabling session fixation, cache poisoning, and reflected XSS. On Node.js ≥ 14.6.0, malformed headers trigger unhandled ERR_INVALID_CHAR exceptions, returning 500 errors to all concurrent users sharing the affected process. Vendor-released patch available in version 3.9.3. No public exploit identified at time of analysis, though exploitation is trivial given the attack vector (simple query parameter manipulation).
XSS
Denial Of Service
Node.js
-
CVE-2026-41681
HIGH
CVSS 8.1
Stack-based buffer overflow in rust-openssl's MdCtxRef::digest_final() allows safe Rust code to corrupt memory when EVP_DigestFinal() writes beyond the provided output buffer boundary. The vulnerability occurs when the output buffer is smaller than EVP_MD_CTX_size(ctx), causing EVP_DigestFinal() to write past the buffer end and corrupt stack memory. Vendor-released patch available in version 0.10.78 via GitHub commit 826c3888. No public exploit identified at time of analysis, but exploitable from memory-safe Rust code paths, violating Rust's safety guarantees.
Buffer Overflow
Stack Overflow
-
CVE-2026-41678
HIGH
CVSS 7.2
Out-of-bounds memory write in rust-openssl's AES key unwrap function allows attackers who control buffer sizes to corrupt memory via safe API misuse. The aes::unwrap_key() function contains an inverted bounds assertion that accepts undersized output buffers and rejects correctly sized ones, causing the function to write beyond allocated memory by in_.len() - 8 - out.len() bytes. Vendor patch available via GitHub PR #2604 and commit 718d07ff, released in openssl-v0.10.78. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis, but the logic flaw is clearly documented in vendor advisory GHSA-8c75-8mhr-p7r9.
Buffer Overflow
Memory Corruption
-
CVE-2026-41676
HIGH
CVSS 7.2
Memory corruption in rust-openssl's key derivation functions allows heap or stack buffer overflow when applications pass undersized buffers to Deriver::derive or PkeyCtxRef::derive on OpenSSL 1.1.x. The vulnerability affects X25519, X448, DH, and HKDF-extract operations where OpenSSL ignores the caller-specified buffer length and unconditionally writes the full shared secret, causing safe Rust code to trigger memory corruption. Vendor patch available in v0.10.78; OpenSSL 3.x deployments are not affected as newer providers correctly validate buffer lengths.
Buffer Overflow
OpenSSL
-
CVE-2026-41675
HIGH
CVSS 8.7
XML node injection in @xmldom/xmldom allows remote unauthenticated attackers to inject arbitrary XML elements by embedding the processing instruction closing delimiter `?>` in PI data. The serializer emits attacker-controlled data verbatim without escaping or validation, causing the remainder of the payload to be interpreted as active XML markup. Publicly available exploit code exists (GitHub PoC from April 2026). EPSS data not provided; CVSS 8.7 reflects high integrity impact (VI:H) with network vector and no authentication required. Patch available in versions 0.8.13+ and 0.9.10+ but requires opt-in `requireWellFormed: true` flag - default behavior remains vulnerable for backward compatibility.
RCE
Google
Apple
Mozilla
Suse
-
CVE-2026-41674
HIGH
CVSS 8.7
XML injection in @xmldom/xmldom XMLSerializer allows remote attackers to inject arbitrary markup into serialized DOCTYPE declarations by crafting malicious DocumentType node properties (internalSubset, publicId, systemId). When applications programmatically create DocumentType nodes with attacker-controlled data via createDocumentType() and serialize the result, the serializer emits these fields verbatim without escaping or validation. Three distinct injection vectors exist: internalSubset containing ']>' terminates the DOCTYPE early; publicId containing quoted strings injects fake SYSTEM entities; systemId containing '>' breaks the declaration boundary. Downstream XML parsers re-parsing the serialized output may expand injected entities, enabling XXE attacks. No public exploit identified at time of analysis. EPSS data not provided. Vendor-released patch requires opt-in: applications must explicitly pass {requireWellFormed: true} to serializeToString() to enable validation guards; default behavior remains vulnerable to preserve backward compatibility with DOM Parsing spec.
XXE
Red Hat
Suse
-
CVE-2026-41673
HIGH
CVSS 8.7
Denial of service in @xmldom/xmldom Node.js XML library allows remote attackers to crash applications via deeply nested XML documents. Seven DOM traversal methods (normalize, serializeToString, getElementsByTagName, cloneNode, importNode, textContent getter, isEqualNode) implement unbounded recursion consuming call stack frames until RangeError exception terminates the process. Exploitation requires no authentication - attackers send a single valid XML payload nested ~5,000-10,000 levels deep to trigger stack exhaustion in any subsequent DOM operation. Browser implementations of identical DOM methods use iterative C++ code and are unaffected. CVSS 8.7 High severity reflects network attack vector with no complexity barriers. Vendor-released patches (0.8.13, 0.9.10) replace all recursive traversals with iterative 'walkDOM' utility consuming heap instead of stack. Legacy unscoped 'xmldom' package (≤0.6.0) remains unfixed.
Denial Of Service
Google
Node.js
Suse
-
CVE-2026-41672
HIGH
CVSS 8.7
XML node injection in the @xmldom/xmldom npm package allows remote attackers to inject arbitrary XML elements via maliciously crafted comment content containing the sequence '-->' which prematurely terminates comments during serialization. Applications processing untrusted input through createComment() or manipulating comment node data can emit structurally altered XML that downstream consumers parse as attacker-controlled elements. Public exploit code exists (GitHub PR #987). CVSS:4.0 rates this 8.7 (High) with network vector, low complexity, and no privileges required. Vendor-released patches require opt-in protection flag { requireWellFormed: true } to maintain backward compatibility with W3C spec defaults; existing code remains vulnerable unless explicitly migrated.
Information Disclosure
Google
Apple
Mozilla
Suse
-
CVE-2026-41651
HIGH
CVSS 8.8
Local privilege escalation in PackageKit 1.0.2-1.3.4 allows unprivileged Linux users to install arbitrary RPM packages as root without authentication via TOCTOU race condition on transaction flags. The vulnerability exploits three synchronized bugs in the transaction state machine: unconditional flag overwrite, silent state-transition rejection that leaves corrupted flags, and late flag validation at dispatch time. Actively exploited in targeted attacks according to vendor advisory. CVSS 8.8 with scope change reflects full system compromise from low-privileged account. Patched in version 1.3.5.
Privilege Escalation
-
CVE-2026-41644
HIGH
CVSS 8.3
Server-side request forgery in monetr's Lunch Flow integration allows authenticated users on self-hosted instances to force the server to issue HTTP GET requests to arbitrary URLs, with response bodies from failed requests reflected in API error messages. This enables information disclosure attacks against internal networks, cloud metadata endpoints (AWS EC2 instance metadata without IMDSv2), and RFC1918 private addresses. The vulnerability is compounded by unbounded response buffering that creates a denial-of-service vector via memory exhaustion. Patch available in v1.12.5. The hosted my.monetr.app service is not affected as Lunch Flow is disabled there. Self-hosted instances with default configuration (Lunch Flow enabled, public signup allowed) are at highest risk.
Information Disclosure
SSRF
-
CVE-2026-41641
HIGH
CVSS 7.2
SQL injection in NocoBase plugin-collection-sql allows authenticated users with collection management permissions to bypass validation controls and execute arbitrary SQL queries. The checkSQL() function blocks dangerous keywords on collection creation and execution but is completely absent from the update endpoint, enabling attackers to create benign SQL collections then modify them with malicious queries to exfiltrate sensitive data including user credentials. Vendor patch available via GitHub PR #9134 and commit 851aee5. CVSS 7.2 reflects high privileges required (PR:H), but real-world impact is severe for environments where collection managers are not fully trusted administrators.
Privilege Escalation
SQLi
PostgreSQL
-
CVE-2026-41640
HIGH
CVSS 7.5
SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133.
SQLi
PostgreSQL
Command Injection
Debian
-
CVE-2026-41458
HIGH
CVSS 8.2
Concurrent DAAP login requests crash OwnTone Server 28.4-29.0 via race condition in session list handling, causing remote denial of service without authentication. Attack complexity is high (CVSS AC:H) but requires no privileges, enabling unauthenticated attackers to flood the /login endpoint and trigger crashes through unsynchronized global state access. Vendor patch available via GitHub commit dca94641; no active exploitation confirmed at time of analysis.
Denial Of Service
Race Condition
Suse
-
CVE-2026-41454
HIGH
CVSS 8.7
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform administrative integration management without authorization checks. Attackers can enumerate webhook URLs and secrets, create/modify/delete integrations, and manipulate integration activities through unprotected REST API endpoints. CVSS 8.7 reflects high confidentiality and integrity impact with network attack vector and low complexity. VulnCheck reported this vulnerability with vendor patch available in version 8.35 and commit 2cd702f. EPSS data not available; no confirmed active exploitation or POC identified at time of analysis.
Authentication Bypass
-
CVE-2026-41422
HIGH
CVSS 8.3
SQL injection in Daptin's `/aggregate/:typename` endpoint allows authenticated low-privilege users to extract arbitrary database content via unsanitized query parameters. The `column` and `group` parameters are passed directly to raw SQL literal expressions without validation, enabling data exfiltration from any table including user credentials, database schema disclosure, and cross-table correlation attacks. Patched in version 0.11.4 which replaces all raw SQL construction with parameterized queries and schema-based validation. No evidence of active exploitation or public POC at time of analysis, though exploitation is straightforward for authenticated users.
SQLi
-
CVE-2026-41175
HIGH
CVSS 8.1
Mass deletion of content, assets, and user accounts in Statamic CMS versions prior to 5.73.20 and 6.13.0 occurs via query parameter manipulation on Control Panel endpoints (requiring minimal authentication like 'view entries' permission) or unauthenticated exploitation through REST/GraphQL APIs if explicitly enabled without authentication. Authenticated attackers with low-privilege viewer roles can escalate to delete resources they should only read. Unauthenticated attackers can exploit misconfigured API endpoints (non-default configuration) to achieve the same destructive impact. CVSS 8.1 (High) reflects network-accessible attack with low complexity, though exploitation conditions vary significantly by deployment configuration. No active exploitation confirmed (not in CISA KEV), EPSS data not provided.
Information Disclosure
-
CVE-2026-41172
HIGH
CVSS 7.3
Server-Side Request Forgery in Squidex versions prior to 7.23.0 allows authenticated users with asset upload permissions to force the CMS server to fetch arbitrary URLs, including internal network resources and localhost endpoints, storing the retrieved content as platform assets. This enables reconnaissance of internal infrastructure, exfiltration of cloud metadata endpoints (AWS/Azure credentials), and access to services not exposed to the internet. CVSS 7.3 (High) with CVSS 4.0 E:P (Proof-of-concept exists). Vendor patch available in version 7.23.0 per GitHub security advisory GHSA-x7cq-4f4c-8qcv.
SSRF
-
CVE-2026-41171
HIGH
CVSS 7.3
Server-Side Request Forgery (SSRF) in Squidex versions before 7.23.0 allows authenticated users with schema editing permissions to force the server to make arbitrary HTTP requests to internal services and cloud metadata endpoints through the Jint scripting engine. The vulnerability can expose cloud provider credentials (e.g., AWS IMDS) and enable lateral movement within internal networks. Exploitation requires only low-privilege authentication (PR:L) and has publicly available exploit code (E:P in CVSS 4.0 vector). Vendor-confirmed patch available in version 7.23.0.
SSRF
-
CVE-2026-41170
HIGH
CVSS 7.2
Server-Side Request Forgery in Squidex's backup restoration endpoint allows authenticated administrators to probe internal network services and access cloud metadata endpoints. The RestoreController.PostRestoreJob endpoint accepts arbitrary URLs without SSRF protection, enabling internal reconnaissance through the application's HTTP client. Exploitation requires high privileges (admin authentication) but grants access to confidential internal resources and sensitive cloud service metadata. Version 7.23.0 patches this vulnerability. EPSS exploitation probability and active exploitation status are not reported in available intelligence.
SSRF
-
CVE-2026-41166
HIGH
CVSS 7.0
OpenRemote Manager allows privilege escalation to Keycloak master realm administrator through improper authorization in the Manager API. Users with write:admin permission in any non-master realm can manipulate realm role assignments in other realms, including master, by exploiting missing authorization checks in the updateUserRealmRoles endpoint. An attacker controlling any user in the master realm can grant themselves admin privileges, achieving full Keycloak administrator access. Vendor-released patch version 1.22.1 addresses this vulnerability. No public exploit code identified at time of analysis, though a detailed proof-of-concept is documented in the advisory.
Authentication Bypass
Privilege Escalation
Java
-
CVE-2026-41146
HIGH
CVSS 8.7
Remote unauthenticated denial of service affects facil.io (all versions prior to commit 5128747) and iodine (all versions before 0.7.59) through malformed JSON input triggering infinite CPU loop. Attackers can send crafted JSON payloads as small as two bytes ('[i') to the `fio_json_parse` function, causing the process to consume 100% of a CPU core indefinitely without crashing or returning an error. This vulnerability allows trivial resource exhaustion against any web service using these frameworks to parse untrusted JSON. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the attack requires only network access with no authentication and minimal complexity (CVSS AV:N/AC:L/PR:N), making exploitation straightforward once discovered.
Denial Of Service
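The bug class behind this entry is a parser loop that neither consumes the offending byte nor reports an error, so the enclosing loop spins. The following is an added illustration in Python, not facil.io's `fio_json_parse`: a minimal JSON value skipper (arrays, strings, numbers, literals; objects omitted for brevity) with a `strict` switch. With `strict=False` an unrecognised byte returns without advancing, and a fuel counter converts the resulting spin into a reported `hang` instead of pegging a core; with `strict=True` the same input is rejected cleanly.

```python
class NoProgress(RuntimeError):
    """Raised by the instrumented buggy parser instead of spinning forever."""


def _skip_ws(buf, i):
    while i < len(buf) and buf[i] in b" \t\r\n":
        i += 1
    return i


def skip_value(buf: bytes, i: int, strict: bool, fuel: list) -> int:
    """Return the offset just past the JSON value that starts at buf[i].

    With strict=False an unrecognised byte is neither consumed nor reported,
    so an enclosing array loop spins in place; `fuel` is a one-element counter
    that turns that spin into a NoProgress error for the demonstration."""
    n = len(buf)
    i = _skip_ws(buf, i)
    if i >= n:
        raise ValueError("unexpected end of input")
    c = buf[i:i + 1]
    if c == b"[":
        i += 1
        while True:
            fuel[0] -= 1
            if fuel[0] < 0:
                raise NoProgress(f"array loop stuck at offset {i}")
            i = _skip_ws(buf, i)
            if i >= n:
                raise ValueError("unterminated array")
            if buf[i:i + 1] == b"]":
                return i + 1
            if buf[i:i + 1] == b",":
                i += 1
                continue
            i = skip_value(buf, i, strict, fuel)   # must advance i or raise
    if c in b"-0123456789":
        j = i + 1
        while j < n and buf[j] in b"+-.eE0123456789":
            j += 1
        return j
    if c == b'"':
        j = i + 1
        while j < n and buf[j] != 0x22:            # 0x22 is '"'
            j += 2 if buf[j] == 0x5C else 1        # skip the byte after a backslash
        if j >= n:
            raise ValueError("unterminated string")
        return j + 1
    for lit in (b"true", b"false", b"null"):
        if buf.startswith(lit, i):
            return i + len(lit)
    if strict:
        raise ValueError(f"unexpected byte {c!r} at offset {i}")
    return i                                       # the bug: no error, no progress


def parse_outcome(buf: bytes, strict: bool, fuel: int = 1000) -> str:
    """'ok', 'trailing-data', 'rejected' (clean error) or 'hang' (would loop forever)."""
    budget = [fuel]
    try:
        end = skip_value(buf, 0, strict, budget)
    except NoProgress:
        return "hang"
    except ValueError:
        return "rejected"
    return "ok" if not buf[end:].strip() else "trailing-data"
```

The invariant worth testing in any hand-written parser is the one the loop comment states: every iteration either moves the cursor forward or raises. Fuzzing with two-byte inputs such as `[i` catches violations quickly because the hang is immediate.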
-
CVE-2026-41145
HIGH
CVSS 8.8
Authentication bypass in MinIO object storage allows remote attackers to write arbitrary objects to any bucket using only a valid access key, without the corresponding secret key or cryptographic signature. The vulnerability affects MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z. Attackers can impersonate any user with WRITE permissions by exploiting a logic flaw in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path that incorrectly validates credentials from query parameters while bypassing signature verification. Vendor-released patch available in RELEASE.2026-04-11T03-20-12Z (GitHub commit 76913a9f). No public exploit identified at time of analysis, but exploitation requires only knowledge of a valid access key and target bucket name.
Authentication Bypass
-
CVE-2026-41135
HIGH
CVSS 7.5
Unauthenticated remote attackers can crash free5GC Policy Control Function (PCF) versions before 1.4.3 via repeated HTTP requests to the OAM endpoint over the Service-Based Interface. Each request leaks memory by registering duplicate CORS middleware in the Gin router handler chain, causing progressive memory exhaustion that prevents all User Equipment from establishing 5G sessions. Patched in version 1.4.3 via commit 599803b. EPSS data unavailable; not listed in CISA KEV. CVSS 7.5 High severity reflects network-accessible unauthenticated attack with high availability impact.
Denial Of Service
-
CVE-2026-41134
HIGH
CVSS 7.3
Code injection in Microsoft Kiota versions prior to 1.31.1 allows attackers who control or tamper with OpenAPI descriptions to inject malicious code into generated HTTP client libraries. Exploitation requires developers to generate clients from untrusted or compromised OpenAPI specifications, then compile and execute the poisoned code. The attack chain culminates in arbitrary code execution within the context of applications using the tainted generated clients. CVSS 7.3 with local attack vector and user interaction required suggests lower immediate urgency, though EPSS data is unavailable. No public exploit code or active exploitation confirmed at time of analysis.
RCE
Deserialization
Code Injection
-
CVE-2026-41133
HIGH
CVSS 8.8
Stale session privileges in pyLoad 0.5.0b3.dev97 and earlier (reported as session fixation) allow authenticated users to retain revoked administrative privileges until logout. After an administrator demotes a user's role or revokes permissions, the affected user's active session continues to operate with the privileges cached at login, enabling unauthorized administrative actions. GitHub commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 is cited as publicly available exploit material. With CVSS 8.8 (High) but requiring low-privilege authentication (PR:L), this is an elevation-of-privilege vector in multi-user pyLoad deployments where role changes are expected to take immediate effect.
Python
Information Disclosure
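The failure mode above, as an added example in Python (a model of the pattern, not pyLoad's session code): a session that copies the user's role at login keeps it until logout, while a session that carries a permission version and re-reads the user record whenever that version changes picks up a demotion on the next request. `UserStore` and the `demote_while_logged_in` scenario are constructed for the example.

```python
import itertools


class UserStore:
    """Constructed user table: each account carries its role and a counter
    that is bumped whenever its role or permissions change."""

    def __init__(self):
        self.users = {}

    def add(self, name, role):
        self.users[name] = {"role": role, "perm_version": 0}

    def set_role(self, name, role):
        user = self.users[name]
        user["role"] = role
        user["perm_version"] += 1


class SessionManager:
    def __init__(self, store, revalidate=True):
        self.store = store
        self.revalidate = revalidate      # False reproduces the stale-cache behaviour
        self.sessions = {}
        self._ids = itertools.count(1)

    def login(self, name):
        user = self.store.users[name]
        sid = f"sess-{next(self._ids)}"
        self.sessions[sid] = {"user": name, "role": user["role"],
                              "perm_version": user["perm_version"]}
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def current_role(self, sid):
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if not self.revalidate:
            return sess["role"]           # trusts whatever was cached at login
        user = self.store.users.get(sess["user"])
        if user is None:                  # account deleted: drop the session
            del self.sessions[sid]
            return None
        if user["perm_version"] != sess["perm_version"]:
            sess["role"] = user["role"]   # refresh from the authoritative record
            sess["perm_version"] = user["perm_version"]
        return sess["role"]

    def is_admin(self, sid):
        return self.current_role(sid) == "admin"


def demote_while_logged_in(revalidate):
    """Returns (admin before demotion, admin after demotion, admin after re-login)."""
    store = UserStore()
    store.add("alice", "admin")
    sessions = SessionManager(store, revalidate=revalidate)
    sid = sessions.login("alice")
    before = sessions.is_admin(sid)
    store.set_role("alice", "user")
    after = sessions.is_admin(sid)
    sessions.logout(sid)
    relogin = sessions.is_admin(sessions.login("alice"))
    return before, after, relogin
```

The version counter is cheap compared with a full user lookup per request and still makes revocation immediate; invalidating every session for the user at the moment of the role change is the other common fix.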
-
CVE-2026-40937
HIGH
CVSS 8.3
# Missing Admin Auth on Notification Target Endpoints in RustFS
### Finding Summary
All four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any adm...
Authentication Bypass
Deserialization
SSRF
Redis
-
CVE-2026-40542
HIGH
CVSS 7.3
Apache HttpClient 5.6 skips mutual authentication verification in SCRAM-SHA-256 handshakes, allowing network attackers to impersonate legitimate servers without credentials. Affected clients accept unauthenticated server responses, enabling man-in-the-middle attacks that compromise confidentiality and integrity of authenticated sessions. Apache released patched version 5.6.1 addressing the missing authentication check. EPSS score of 0.03% suggests low current exploitation activity, though the network-accessible attack surface (AV:N/AC:L/PR:N) and availability of detailed vendor advisory increase exploitation risk once attackers adapt tooling for SCRAM protocol manipulation.
Apache
Information Disclosure
Red Hat
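The check the description says the client skips is the SCRAM mutual-authentication step: the server's final message carries `v=ServerSignature`, computed from a key only a party holding the salted password can derive. Below is an added Python walk-through of one SCRAM-SHA-256 exchange (RFC 5802/7677 arithmetic, not Apache HttpClient code) with fixed nonces and constructed credentials. `run_handshake` pits a client that does or does not verify the server signature against a genuine server and against an impostor that holds no credentials.

```python
import base64
import hashlib
import hmac
import os

# Constructed credentials; nothing here comes from the advisory.
PASSWORD = b"correct horse battery staple"
SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"
ITERATIONS = 4096


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(password, salt, iterations):
    """RFC 5802 derivation: SaltedPassword -> ClientKey, StoredKey, ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    server_key = _hmac(salted, b"Server Key")
    return client_key, _h(client_key), server_key


def client_proof(client_key, stored_key, auth_message):
    return _xor(client_key, _hmac(stored_key, auth_message))


def server_verify_proof(stored_key, auth_message, proof):
    recovered_client_key = _xor(proof, _hmac(stored_key, auth_message))
    return hmac.compare_digest(_h(recovered_client_key), stored_key)


def server_signature(server_key, auth_message):
    return base64.b64encode(_hmac(server_key, auth_message))


def client_verify_server(server_key, auth_message, server_final, check=True):
    """Mutual authentication. check=False models a client that accepts any
    server-final message without comparing the ServerSignature."""
    if not check:
        return True
    if not server_final.startswith(b"v="):
        return False
    try:
        presented = base64.b64decode(server_final[2:], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(_hmac(server_key, auth_message), presented)


def run_handshake(server_knows_password: bool, client_checks: bool) -> dict:
    """One exchange with fixed nonces. The 'server' either holds the real
    StoredKey/ServerKey or is an impostor that holds neither."""
    c_nonce, s_nonce = b"rOprNGfwEbeRWgbNEkqO", b"%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
    client_first_bare = b"n=user,r=" + c_nonce
    server_first = (b"r=" + c_nonce + s_nonce + b",s=" + base64.b64encode(SALT)
                    + b",i=" + str(ITERATIONS).encode())
    client_final_bare = b"c=biws,r=" + c_nonce + s_nonce
    auth_message = b",".join([client_first_bare, server_first, client_final_bare])

    # Client side: it knows the password, so it derives every key itself.
    client_key, stored_key, server_key = derive_keys(PASSWORD, SALT, ITERATIONS)
    proof = client_proof(client_key, stored_key, auth_message)

    if server_knows_password:
        server_ok = server_verify_proof(stored_key, auth_message, proof)
        server_final = b"v=" + server_signature(server_key, auth_message)
    else:
        # An impostor cannot check the proof and cannot compute ServerSignature,
        # so it claims success with a value it makes up.
        server_ok = True
        server_final = b"v=" + base64.b64encode(os.urandom(32))

    client_ok = client_verify_server(server_key, auth_message, server_final,
                                     check=client_checks)
    return {"server_accepted_client": server_ok, "client_accepted_server": client_ok}
```

The `v=` check proves the peer holds the same ServerKey; it does not stop a man-in-the-middle that relays the exchange to the real server in real time, which is what channel binding (the `-PLUS` variant) addresses.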
-
CVE-2026-40517
HIGH
CVSS 8.4
Command injection in radare2 PDB parser (versions before 6.1.4) enables arbitrary OS command execution when users analyze malicious PDB files. Publicly available exploit code exists. Attackers craft PDB files with newline characters in symbol names to inject radare2 commands during flag renaming operations, which then execute OS commands via radare2's shell operator when victims run the 'idp' command. CVSS 8.4 reflects the local attack vector and required user interaction; EPSS data is not available. Patch released in version 6.1.4 with detailed technical disclosure at blog.calif.io showing the 0-day discovery process.
Command Injection
Suse
-
CVE-2026-40344
HIGH
CVSS 8.8
Authentication bypass in MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z allows remote unauthenticated attackers to write arbitrary objects to any bucket by exploiting an unvalidated auth type in the Snowball auto-extract handler. Attackers need only a valid access key (including the default 'minioadmin') and can fabricate signatures without knowing the secret key. CVSS 8.8 reflects network-accessible, low-complexity exploitation with no authentication required (CVSS:4.0 PR:N). No public exploit identified at time of analysis, but exploitation requires only basic S3 API knowledge. Patched in RELEASE.2026-04-11T03-20-12Z per vendor advisory GHSA-9c4q-hq6p-c237.
Authentication Bypass
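Both MinIO entries above (CVE-2026-41145 and CVE-2026-40344) describe the same defect class: a request path in which a known access key is accepted as proof of identity while the HMAC signature that the secret key would have produced is never checked. The following Python is an added model of that class, not MinIO's authentication code: a deliberately simplified SigV4-style signer, a vulnerable authenticator that short-circuits on the `STREAMING-UNSIGNED-PAYLOAD-TRAILER` marker, and the fixed form that always verifies the signature. The key store, request layout and `make_put` helper are constructed for the example.

```python
import hashlib
import hmac

# Constructed key store. "minioadmin" is the default access key name the
# advisory mentions; the secret below is made up for this example.
KEYS = {"minioadmin": b"constructed-secret-not-a-real-credential"}
UNSIGNED_TRAILER = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"


def string_to_sign(req):
    """Simplified canonical string: method, path and every x-amz-* header
    (except the signature itself) in sorted order. Real SigV4 also binds the
    date, the region/service scope and the canonical query string."""
    signed = sorted((k.lower(), v) for k, v in req["headers"].items()
                    if k.lower().startswith("x-amz-") and k.lower() != "x-amz-signature")
    return "\n".join([req["method"], req["path"]] + [f"{k}:{v}" for k, v in signed])


def sign(secret, req):
    return hmac.new(secret, string_to_sign(req).encode(), hashlib.sha256).hexdigest()


def credential_from(req):
    # The access key may arrive in a header or, for presigned requests, in the query.
    return req["headers"].get("x-amz-credential") or req["query"].get("X-Amz-Credential")


def signature_from(req):
    return req["headers"].get("x-amz-signature") or req["query"].get("X-Amz-Signature")


def signature_valid(req, access_key):
    presented = signature_from(req)
    return bool(presented) and hmac.compare_digest(sign(KEYS[access_key], req), presented)


def authenticate_vulnerable(req):
    """Defect class: the payload-hash marker selects a path in which the
    access key alone is taken as proof of identity."""
    access_key = credential_from(req)
    if access_key not in KEYS:
        return None
    if req["headers"].get("x-amz-content-sha256") == UNSIGNED_TRAILER:
        return access_key
    return access_key if signature_valid(req, access_key) else None


def authenticate_fixed(req):
    """An unsigned payload only means the body hash is not covered; the request
    itself must still carry a signature made with the secret key."""
    access_key = credential_from(req)
    if access_key not in KEYS:
        return None
    return access_key if signature_valid(req, access_key) else None


def make_put(access_key, secret=None, signature=None, unsigned_trailer=True):
    """Constructed PUT request. Pass `secret` to sign it properly, or
    `signature` to attach a forged value."""
    req = {"method": "PUT", "path": "/bucket/object",
           "headers": {"x-amz-credential": access_key,
                       "x-amz-content-sha256": UNSIGNED_TRAILER if unsigned_trailer
                       else "UNSIGNED-PAYLOAD"},
           "query": {}}
    if secret is not None:
        req["headers"]["x-amz-signature"] = sign(secret, req)
    elif signature is not None:
        req["headers"]["x-amz-signature"] = signature
    return req
```

The review question this models is simple to apply to any S3-compatible server: enumerate every auth-type branch and confirm each one ends in a signature comparison against the secret for the presented access key.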
-
CVE-2026-35548
HIGH
CVSS 8.5
Server-Side Request Forgery in guardsix (formerly Logpoint) ODBC Enrichment Plugins allows authenticated Operator users to redirect stored database credentials to arbitrary internal systems by modifying connection endpoints without clearing cached credentials. The vulnerability affects versions before 5.2.1 and enables credential misuse against unintended internal databases; the Changed Scope (CVSS S:C) reflects that the impact crosses from the plugin into those systems. EPSS and exploitation data not available; SSVC indicates no known exploitation, a non-automatable attack requiring low-privilege authentication, and partial technical impact to confidentiality and integrity.
SSRF
-
CVE-2026-35368
HIGH
CVSS 7.8
Privilege escalation to root in the uutils coreutils chroot utility allows low-privileged local attackers with write access to the chroot target directory to execute arbitrary code via malicious NSS module injection. When chroot runs as root with the --userspec option, getpwnam() is resolved after the root change and loads attacker-controlled NSS shared libraries from the new root before privileges are dropped, enabling container escape or full system compromise on glibc-based systems. The CVSS 7.8 rating reflects full host compromise from a low-privileged starting point. SSVC confirms POC availability and total technical impact, though exploitation requires a specific configuration (writable NEWROOT) and is not automatable.
Privilege Escalation
RCE
-
CVE-2026-35352
HIGH
CVSS 7.0
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file permissions on arbitrary system files. A TOCTOU race condition between FIFO creation and permission setting enables symlink swapping attacks, redirecting chmod operations to unintended targets. SSVC framework indicates proof-of-concept exists with total technical impact. While CVSS rates this 7.0 (High), exploitation requires high attack complexity (race condition timing), low privileges, and write access to the parent directory where mkfifo is executed - most impactful when the utility runs with elevated privileges in automated scripts or system processes. No active exploitation confirmed (not in CISA KEV); EPSS data not available.
Privilege Escalation
-
CVE-2026-35341
HIGH
CVSS 7.1
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary files to world-readable mode. When mkfifo attempts to create a FIFO at a path where a file already exists, it erroneously continues execution and calls set_permissions on the existing file, changing its mode to default (typically 644 after umask). This can expose sensitive files like SSH private keys (~/.ssh/id_rsa) or application secrets to unauthorized local users. CISA SSVC confirms proof-of-concept code exists with total technical impact, though EPSS data is not available and the vulnerability is not yet in CISA KEV, indicating exploitation remains theoretical rather than widespread.
Information Disclosure
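The two mkfifo entries above (CVE-2026-35352 and CVE-2026-35341) are two symptoms of one pattern: create the FIFO, then set its mode with a second path-based call. Below is an added Python demonstration (a model of the pattern, not uutils code) that runs both shapes against a constructed "private key" file in a temporary directory: the naive function relaxes an existing 0600 file to 0644 and, called on a symlink (the end state of a won race), changes the link's target; the atomic form passes the mode to the single `mkfifo(2)` call, so an existing path fails before anything is touched and the kernel applies umask without a window.

```python
import os
import stat
import tempfile


def mkfifo_then_chmod(path, mode=0o644):
    """Pattern with both defects: 'already exists' is swallowed, and the mode is
    applied in a second, path-based call. Whatever sits at `path` by then (a
    file that was already there, or a symlink swapped in between the two calls)
    has its mode changed, and chmod follows symlinks."""
    try:
        os.mkfifo(path)
    except FileExistsError:
        pass
    os.chmod(path, mode)


def mkfifo_atomic(path, mode=0o644):
    """Hardened form: the mode goes into the single mkfifo(2) call, the kernel
    applies umask atomically, and an existing path makes the call fail before
    anything is touched."""
    os.mkfifo(path, mode)


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "id_rsa")
        with open(secret, "wb") as f:
            f.write(b"constructed private key material\n")
        os.chmod(secret, 0o600)

        # Existing-file case: the naive function silently relaxes 0600 -> 0644.
        mkfifo_then_chmod(secret)
        results["naive_existing_file_mode"] = _mode(secret)

        # Symlink case (the end state of a won race): chmod goes through the link.
        os.chmod(secret, 0o600)
        link = os.path.join(d, "race.fifo")
        os.symlink(secret, link)
        mkfifo_then_chmod(link)
        results["naive_symlink_target_mode"] = _mode(secret)

        # Hardened function on the same two paths: both fail, target untouched.
        os.chmod(secret, 0o600)
        raised = 0
        for p in (secret, link):
            try:
                mkfifo_atomic(p)
            except FileExistsError:
                raised += 1
        results["atomic_raised"] = raised
        results["atomic_target_mode"] = _mode(secret)

        # Fresh path: one call, umask applied by the kernel.
        fresh = os.path.join(d, "queue.fifo")
        old = os.umask(0o022)
        try:
            mkfifo_atomic(fresh, 0o666)
        finally:
            os.umask(old)
        results["fifo_mode"] = _mode(fresh)
        results["fifo_is_fifo"] = stat.S_ISFIFO(os.lstat(fresh).st_mode)
    return results
```

Where a mode that umask would mask off is genuinely required, the remaining safe option is to chmod via a file descriptor opened on the freshly created FIFO (O_NOFOLLOW), never via the path string again.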
-
CVE-2026-35338
HIGH
CVSS 7.3
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing local authenticated users to execute destructive permission changes across the entire root filesystem. The vulnerability stems from incomplete path canonicalization that permits path traversal variants (/../) and symbolic links to circumvent safety checks, potentially causing system-wide denial of service. EPSS score of 0.01% indicates minimal exploitation probability in the wild, with no public exploit code identified and vendor patch available in version 0.6.0.
Path Traversal
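The bypass above works because the guard compares the path string rather than what the path resolves to. The following added Python (an illustration of the check, not uutils code) contrasts a string comparison with a canonicalising one over the variants the description names: `/../`, a `..` walk out of a real directory, `/etc/..` and a symlink to `/`. The temporary directory, symlink and case table are constructed for the example.

```python
import os
import tempfile


def naive_is_root(path):
    """String comparison only: defeated by '/../', '/etc/..' and symlinks."""
    return path == "/"


def canonical_is_root(path):
    """Resolve '..' segments and symlinks first, then compare."""
    return os.path.realpath(path) == "/"


def guarded_recursive_target(path, preserve_root=True, check=canonical_is_root):
    """Return the resolved path to operate on, or raise if it is '/'."""
    if preserve_root and check(path):
        raise PermissionError(f"refusing recursive operation on '/' (given {path!r})")
    return os.path.realpath(path)


def demo():
    """Run both checks over constructed inputs; returns {name: (naive, canonical)}."""
    with tempfile.TemporaryDirectory() as d:
        link = os.path.join(d, "rootlink")
        os.symlink("/", link)
        deeper = os.path.join(d, "sub")
        os.mkdir(deeper)
        cases = {
            "slash": "/",
            "slash-dotdot": "/../",
            "etc-dotdot": "/etc/..",
            "symlink": link,
            "symlink-dot": link + "/.",
            "dotdot-to-root": deeper + "/../../../../../../../..",
            "tmp-dir": d,
            "not-root": "/etc",
        }
        return {name: (naive_is_root(p), canonical_is_root(p)) for name, p in cases.items()}
```

`realpath` is itself a separate lookup, so a symlink swapped in after the check is still a race; a recursive implementation should walk with directory file descriptors and `*at` calls rather than re-resolving path strings at each level.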
-
CVE-2026-34414
HIGH
CVSS 7.1
Path traversal in Xerte Online Toolkits' elFinder connector allows authenticated attackers to move files to arbitrary filesystem locations, enabling application file overwrites, stored XSS, or chained remote code execution. Affects versions 3.15 and earlier through unsanitized rename operations at /editor/elfinder/php/connector.php. Vendor patches available via GitHub commits 02661be, 507d55c, and 17e4f94. CVSS 7.1 with low attack complexity and low privileges required. No public exploitation confirmed (SSVC: exploitation=none), but attack is not automatable per CISA framework.
PHP
XSS
RCE
Path Traversal
-
CVE-2026-34413
HIGH
CVSS 8.8
Unauthenticated attackers can execute remote code and read arbitrary files in Xerte Online Toolkits 3.15 and earlier via a missing authentication flaw in the elFinder connector endpoint. The vulnerability stems from a logic error where HTTP redirects for unauthenticated requests fail to terminate PHP execution, allowing full server-side processing of file operations. Attackers can create directories, upload files, rename, duplicate, overwrite, and delete files in project media directories without authentication. When chained with path traversal and extension blocklist bypasses, this enables complete system compromise. VulnCheck identified the flaw, and vendor patches are available via three GitHub commits addressing versions 3.13.0 through 3.15.0.
PHP
Authentication Bypass
RCE
Path Traversal
-
CVE-2026-34065
HIGH
CVSS 7.5
Denial of service in nimiq-primitives (Nimiq blockchain core library) allows remote unauthenticated attackers to crash nodes via malformed peer-to-peer messages. Attackers announce election macro blocks containing invalid compressed BLS voting keys, triggering an unwrap() panic during header hash validation. Affects all versions prior to 1.3.0. CVSS 7.5 (High) with network attack vector and low attack complexity. No public exploit identified at time of analysis, but the attack is trivial to execute given the network-accessible attack surface and lack of authentication requirements.
Information Disclosure
-
CVE-2026-34063
HIGH
CVSS 7.5
Remote unauthenticated denial of service crashes Nimiq blockchain nodes by exploiting a protocol state machine flaw. Attackers can force panic conditions in the libp2p discovery handler by opening duplicate protocol substreams, immediately taking peer-to-peer networking offline until manual restart. Vendor-released patch available in version 1.3.0 with no workarounds for unpatched systems, creating urgent upgrade requirement for blockchain node operators.
Denial Of Service
-
CVE-2026-33733
HIGH
CVSS 7.2
Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or delete arbitrary files on the server filesystem. The vulnerability affects all versions prior to 9.3.4 and stems from unsanitized `name` and `scope` parameters in template path construction. Publicly available exploit code exists (GitHub security advisory GHSA-44c3-xjfp-3jrh), though no CISA KEV listing or confirmed active exploitation. CVSS 7.2 reflects high impact across confidentiality, integrity, and availability, but exploitation requires high-privilege (admin) access, significantly limiting real-world exposure to insider threats or compromised admin credentials.
Information Disclosure
-
CVE-2026-33608
HIGH
CVSS 7.4
Remote attackers can corrupt PowerDNS Authoritative Server configuration via specially crafted DNS NOTIFY requests, causing persistent denial of service requiring manual administrator intervention. The attack adds malformed secondary domains to the bind backend, rendering the configuration invalid and preventing the server from restarting. No active exploitation confirmed at time of analysis, but the network-accessible attack vector and lack of authentication requirements elevate risk for internet-facing authoritative DNS servers.
RCE
Code Injection
Suse
-
CVE-2026-33593
HIGH
CVSS 7.5
Remote denial of service in dnsdist allows unauthenticated attackers to crash the DNS load balancer by sending specially crafted DNSCrypt queries that trigger a divide-by-zero error. The vulnerability requires no authentication, low attack complexity, and directly impacts service availability for all DNS traffic routed through affected dnsdist instances. Organizations using DNSCrypt protocol support in dnsdist face immediate risk of service disruption from remote attackers.
Denial Of Service
Suse
-
CVE-2026-31530
HIGH
CVSS 7.8
Use-after-free in Linux kernel CXL (Compute Express Link) subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code or cause kernel panics. The flaw occurs in cxl_detach_ep() during device removal when parent port references are freed prematurely, before child operations complete. Affects Linux kernel 6.3 through 7.0-rc5; patched in versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% indicates low exploitation probability. No active exploitation or public exploit code identified at time of analysis.
Buffer Overflow
Denial Of Service
Linux
Use After Free
Memory Corruption
-
CVE-2026-31528
HIGH
CVSS 7.8
Out-of-bounds memory access in Linux kernel perf subsystem allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact. The vulnerability occurs when group_sched_in() fails during performance monitoring event handling and event inheritance uses the wrong PMU (Performance Monitoring Unit) context, leading to improper rollback and memory corruption. Despite high CVSS score (7.8), EPSS probability indicates very low real-world exploitation likelihood (0.02%, 5th percentile). Vendor patches available across multiple stable kernel branches (6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0) per git.kernel.org commit references.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31527
HIGH
CVSS 7.8
Use-after-free in Linux Kernel platform driver core allows local authenticated attackers to achieve high-severity impacts including code execution, privilege escalation, or denial of service. The vulnerability stems from unsafe access to the driver_override field during device probing when the bus match() callback executes without device lock protection. Patches are available across multiple kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0) per vendor commits. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no CISA KEV listing exists, suggesting this remains a theoretical risk rather than actively exploited threat despite the high CVSS 7.8 score.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31525
HIGH
CVSS 7.8
Signed integer overflow in the Linux kernel's BPF interpreter enables local attackers with low privileges to achieve out-of-bounds memory access and potentially execute arbitrary code. The flaw occurs when the 32-bit signed division/modulo operations handle INT_MIN (0x80000000), causing the abs() macro to trigger undefined behavior that creates a mismatch between the verifier's abstract interpretation and the interpreter's runtime behavior. With an EPSS score of 0.02% and no confirmed active exploitation, the primary risk is to systems where unprivileged users can load BPF programs, though default kernel configurations typically restrict BPF to privileged users. Patches are available across multiple stable kernel branches (6.6.131, 6.12.80, 6.18.21, 6.19.11).
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31516
HIGH
CVSS 7.8
Use-after-free in Linux kernel XFRM subsystem allows local authenticated attackers to achieve arbitrary code execution with high privileges. The vulnerability arises when XFRM policy hash threshold work items (policy_hthresh.work) outlive network namespace teardown, dereferencing freed struct net memory in xfrm_hash_rebuild(). Vendor patches available across multiple stable kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0) confirm the issue affects kernels since commit 880a6fab8f6b. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite CVSS:3.1 score of 7.8; no CISA KEV listing or public POC identified at time of analysis.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-31513
HIGH
CVSS 8.1
Buffer over-read in Linux kernel Bluetooth L2CAP allows adjacent network attackers to disclose sensitive kernel memory and crash systems via malformed Enhanced Credit Based Connection Requests. Affects multiple stable kernel versions (6.12.x, 6.18.x, 6.19.x). Vendor patches available for all affected branches. EPSS score of 0.02% indicates low observed exploitation probability despite the network-adjacent attack vector and lack of required authentication. No public exploit identified at time of analysis.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31511
HIGH
CVSS 7.8
Use-after-free in Linux kernel Bluetooth MGMT subsystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from improper condition checking in mgmt_add_adv_patterns_monitor_complete(), which can leave dangling pointers after freeing memory without unlinking from the list. Patches available across multiple kernel versions (6.12.80, 6.17, 6.18.21, 6.19.11, 7.0). No evidence of active exploitation (not in CISA KEV), low EPSS score (0.02%, 5th percentile) suggests limited attacker interest despite high CVSS severity.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-31508
HIGH
CVSS 7.8
Use-after-free in Linux kernel Open vSwitch module causes system crash when deleting network interfaces on PREEMPT_RT kernels. The vulnerability is confirmed patched in multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0) with upstream fixes available via kernel.org commits. EPSS score of 0.02% (7th percentile) indicates very low exploitation likelihood. No active exploitation confirmed (not in CISA KEV). Local authenticated access required (CVSS AV:L/PR:L) with high impact (CVSS 7.8), but exploitation depends on PREEMPT_RT kernel configuration and specific Open vSwitch teardown race conditions.
Information Disclosure
Linux
Red Hat
Dell
Canonical
-
CVE-2026-31507
HIGH
CVSS 7.8
Double-free vulnerability in Linux kernel SMC (Shared Memory Communications) splice handling allows local authenticated attackers to trigger use-after-free conditions and kernel panic. The flaw occurs when tee(2) duplicates an SMC pipe buffer: both the original and cloned pipe_buffer share the same smc_spd_priv pointer, causing smc_rx_pipe_buf_release() to free the same memory twice on pipe cleanup. This escalates from KASAN-detected slab-use-after-free to NULL pointer dereference in smc_rx_update_consumer(), resulting in denial of service via kernel crash. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile) with no public exploit or CISA KEV listing at time of analysis.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31506
HIGH
CVSS 7.8
Double-free memory corruption in Linux kernel bcmasp network driver allows local authenticated attackers with low privileges to achieve arbitrary code execution, privilege escalation, or system crash. The vulnerability affects kernel versions 6.6 through early 7.0 release candidates. Vendor patches available across stable branches (6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (5th percentile) indicates very low real-world exploitation probability, and no active exploitation or public POC has been identified. This represents a low-priority issue for most environments despite the 7.8 CVSS score, as it requires local authenticated access and affects only systems using the specific bcmasp Broadcom network driver.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31505
HIGH
CVSS 7.8
Out-of-bounds memory write in Linux kernel iavf (Intel Adaptive Virtual Function) driver allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact via race condition during concurrent ethtool operations. The vulnerability stems from inconsistent use of queue counters (real_num_tx_queues vs num_active_queues vs num_tx_queues) across ethtool statistics functions, enabling memory corruption when changing network channels via 'ethtool -L' while simultaneously querying statistics with 'ethtool -S'. Patches available for kernel versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit or active exploitation identified at time of analysis.
Buffer Overflow
Linux
Memory Corruption
Debian
Red Hat
-
CVE-2026-31504
HIGH
CVSS 7.8
Use-after-free in Linux kernel packet socket handling allows local attackers with low privileges to achieve kernel memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The vulnerability stems from a race condition in packet_release() where NETDEV_UP events can re-register a socket into a fanout group's array after cleanup begins but before the socket number is zeroed, leaving dangling pointers. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score is low (0.02%, 7th percentile) and no active exploitation is confirmed (not in CISA KEV), suggesting limited real-world exploitation despite high CVSS 7.8 rating.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31502
HIGH
CVSS 7.8
Type confusion in Linux kernel team driver allows local authenticated users to trigger memory corruption and potential privilege escalation. The team_setup_by_port() function incorrectly copies header_ops from non-Ethernet lower devices (such as GRE interfaces) without proper context validation, causing callbacks like dev_hard_header() to interpret netdev_priv() as the wrong structure type when processing stacked network topologies (e.g., gre → bond → team). While CVSS rates this 7.8 (High), EPSS probability is very low at 0.02% (5th percentile), and no active exploitation or public POC has been identified. Vendor patches are available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0).
Denial Of Service
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31500
HIGH
CVSS 7.8
Use-after-free in Linux kernel Bluetooth Intel driver enables local privilege escalation to kernel code execution. Affects Linux kernel 4.3 through 7.0-rc5, with patches available in versions 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. Exploitation requires local authenticated access with low privileges (CVSS PR:L). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No public exploit code or active exploitation confirmed at time of analysis, though technical details in CVE description provide implementation roadmap.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31494
HIGH
CVSS 7.8
Out-of-bounds write in the Linux kernel macb Ethernet driver allows local authenticated users with low privileges to corrupt kernel memory, potentially leading to privilege escalation, denial of service, or information disclosure. The vulnerability affects the ethtool statistics collection path where gem_get_ethtool_stats() writes statistics for MACB_MAX_QUEUES regardless of the actual number of active queues, causing a 760-byte buffer overflow when fewer queues are configured. KASAN validation confirms heap corruption with a write beyond allocated vmalloc region boundaries. No active exploitation confirmed (not in CISA KEV), and EPSS score is low (0.03%, 10th percentile), indicating minimal observed exploitation activity. Patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31493
HIGH
CVSS 7.8
Use-after-free in Linux kernel RDMA/EFA driver allows local authenticated users with low privileges to execute arbitrary code with high confidentiality, integrity, and availability impact. The vulnerability affects the admin queue completion handling where completion context data is accessed after being freed, creating a window for memory corruption exploitation. Affects kernel versions from 5.12 through 7.0-rc7, with vendor patches available for stable branches 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31490
HIGH
CVSS 7.8
Use-after-free in Linux kernel's xe GPU driver allows local authenticated users to execute arbitrary code with kernel privileges. The vulnerability occurs in the SR-IOV physical function migration restore path when error handling fails to nullify a freed data pointer, enabling subsequent write operations to reference deallocated memory. With CVSS 7.8 (High) and very low EPSS (0.02%), this represents typical kernel memory corruption risk requiring local access and low privileges. Vendor patches are available for affected 6.19 and 7.0-rc versions.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31489
HIGH
CVSS 7.8
Use-after-free in Linux kernel meson-spicc SPI driver allows local authenticated attackers to escalate privileges or crash the system. The vulnerability stems from a double-put reference counting error during driver removal - devm_spi_register_controller() already handles cleanup automatically, but meson_spicc_remove() explicitly calls spi_controller_put() again, releasing the same memory twice. EPSS probability is low (0.02%, 5th percentile), no active exploitation confirmed, and vendor patches are available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0). This targets systems using Amlogic Meson SoC SPI controllers, requiring local authenticated access to exploit.
Information Disclosure
Linux
-
CVE-2026-31488
HIGH
CVSS 7.8
Use-after-free in Linux kernel AMD display driver allows local authenticated users to execute arbitrary code, corrupt memory, or cause denial of service. Affects systems with AMD graphics using Display Stream Compression (DSC) and multi-stream transport (MST), particularly laptops with integrated displays and external DP-MST monitors. The vulnerability arises when mode changes occur simultaneously with DSC reconfigurations, causing improper stream lifecycle management. Vendor patch available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% indicates low exploitation probability in the wild, with no CISA KEV listing or public exploit identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Amd
-
CVE-2026-31486
HIGH
CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (pmbus/core) Protect regulator operations with mutex
The regulator operations pmbus_regulator_get_voltage(),
pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()
access PMBus registers and shared data but were ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31485
HIGH
CVSS 7.8
Use-after-free in Linux kernel SPI subsystem (fsl_lpspi driver) causes NULL pointer dereference when DMA channels are torn down while SPI transfers are active. Local attackers with low privileges can trigger denial of service or potentially execute arbitrary code on affected systems running Linux kernel versions from 4.10 through 7.0-rc2, particularly impacting embedded and IoT devices using Freescale LPSPI controllers. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis. Vendor-released patches available across all affected stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).
Denial Of Service
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31484
HIGH
CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved:
io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check
__io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte
SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second
half of the SQE would be past the ...
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31479
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: always keep track of remap prev/next
During 3D workload, user is reporting hitting:
[ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925
[ 413.3619...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31477
HIGH
CVSS 7.5
Memory exhaustion and kernel crash in Linux kernel's ksmbd SMB server allows remote unauthenticated denial of service via crafted lock requests. The smb2_lock() function contains three critical error-handling defects: memory leaks when vfs_lock_file() returns unexpected errors, stale error propagation in UNLOCK operations, and NULL pointer dereference during rollback when smb_flock_init() allocation fails. CVSS vector indicates network-accessible, low-complexity exploitation requiring no authentication. EPSS score of 0.02% (7th percentile) suggests minimal observed scanning activity, and no KEV listing confirms no widespread exploitation detected. However, the network attack vector (AV:N) and high availability impact (A:H) make this a realistic DoS risk for systems running ksmbd. Vendor patches available across stable kernel series 5.15-6.19.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31476
HIGH
CVSS 8.2
Remote unauthenticated denial-of-service in Linux kernel's ksmbd SMB server allows attackers to terminate arbitrary active user sessions by sending crafted multichannel binding requests with invalid credentials. The flaw affects ksmbd (kernel-mode SMB server) across multiple stable kernel branches (6.1.x through 7.0). Vendor patches available for all affected versions. EPSS score of 0.08% (23rd percentile) indicates low observed exploitation likelihood, with no CISA KEV listing or public POC identified at time of analysis. The CVSS 8.2 rating reflects network-accessible attack surface with high availability impact, though actual exploitation requires specific SMB multichannel configuration.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31475
HIGH
CVSS 7.8
Memory corruption in the Linux kernel sma1307 ASoC driver allows local authenticated users to trigger a double-free condition leading to potential privilege escalation, denial of service, or information disclosure. The vulnerability stems from improper cleanup of device-managed memory allocations in error paths within the sma1307_setting_loaded() function, where devm_kzalloc()-allocated resources are incorrectly freed with kfree(), causing devres to later release the same memory a second time. Vendor patches are available across multiple stable kernel branches (6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31474
HIGH
CVSS 7.8
Use-after-free in Linux kernel ISO-TP CAN protocol driver allows local authenticated users to read freed memory, corrupt kernel state, or execute arbitrary code with kernel privileges. Affects kernels from commit 96d1c81e to 6.6.131, 6.12.80, 6.18.21, and 6.19.11. Vendor-released patches available across stable kernel branches. EPSS score 0.02% (5th percentile) indicates low probability of mass exploitation, and no public exploit identified at time of analysis, though CVSS 7.8 reflects high local privilege escalation potential if successfully exploited.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31473
HIGH
CVSS 7.8
Use-after-free in Linux kernel media subsystem allows local authenticated attackers to potentially execute arbitrary code, escalate privileges, or cause system crashes. The race condition between MEDIA_REQUEST_IOC_REINIT and VIDIOC_REQBUFS(0) affects request-capable V4L2 media devices in kernels since version 4.20. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0). EPSS score of 0.02% indicates very low likelihood of mass exploitation, and no active exploitation or public POC has been identified.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31471
HIGH
CVSS 7.8
Use-after-free in Linux kernel XFRM IPTFS subsystem allows local authenticated attackers to trigger high-severity memory corruption through failed state cloning operations. The vulnerability stems from premature publication of the mode_data pointer before allocation completes, enabling arbitrary code execution, privilege escalation, or denial of service when IPsec IP-TFS (IP Traffic Flow Security) mode cloning fails. Vendor patches available for kernel versions 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating, likely due to the specific IPTFS configuration prerequisite and local access requirement.
Information Disclosure
Linux
-
CVE-2026-31470
HIGH
CVSS 7.1
A buffer validation flaw in Linux kernel's TDX guest driver (versions 6.7+) allows local authenticated attackers to leak kernel memory beyond allocated quote buffers into userspace, potentially crossing container isolation boundaries in multi-tenant TDX environments. The vulnerability stems from insufficient validation of host-controlled quote_buf->out_len values during remote attestation operations. Patches available for stable branches 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low exploitation probability in the wild, with no public exploit code or active exploitation confirmed at time of analysis.
Buffer Overflow
Linux
Memory Corruption
-
CVE-2026-31469
HIGH
CVSS 7.8
Use-after-free in Linux kernel virtio_net driver allows local authenticated attackers with low privileges to potentially achieve high confidentiality, integrity, and availability impact. The flaw triggers when virtio_net is configured with napi_tx=N (non-NAPI transmit mode) and the IFF_XMIT_DST_RELEASE flag is cleared by tc route filter rules. When a network namespace is destroyed while packets remain queued in the virtio transmit ring, the freed dst_ops structure is later dereferenced during packet cleanup, causing kernel memory corruption. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-31468
HIGH
CVSS 7.8
Memory corruption in the Linux kernel VFIO PCI subsystem allows local authenticated users to trigger double-free conditions and potentially execute arbitrary code with kernel privileges. The vulnerability stems from an incorrect error-handling path in the dma-buf export feature that calls dma_buf_put() before dma_buf_export() succeeds, leading to unbalanced reference counts and memory corruption during file descriptor exhaustion scenarios. Exploitation probability remains very low (EPSS 0.02%, 5th percentile) with no public exploit code or evidence of active exploitation. Patches are available in stable kernel versions 6.19.11 and 7.0.
Information Disclosure
Linux
-
CVE-2026-31467
HIGH
CVSS 7.5
Deadlock in Linux kernel EROFS filesystem bio completion path enables remote denial of service. When EROFS decompression operations occur in process context (e.g., dm-verity scenarios), vm_map_ram() called with GFP_KERNEL can trigger memory swapping I/O under low memory conditions, causing submit_bio_wait() to deadlock when bio_list is already initialized. CVSS rates this 7.5 High with network attack vector requiring no authentication, yet EPSS scores only 0.02% (7th percentile), suggesting theoretical rather than observed exploitation. Patches available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). Not listed in CISA KEV and no public exploit identified at time of analysis.
Information Disclosure
Linux
-
CVE-2026-31464
HIGH
CVSS 8.1
Out-of-bounds memory access in Linux kernel's IBM Virtual Fibre Channel (ibmvfc) driver allows adjacent network attackers to leak kernel memory contents. A compromised or malicious VIO server can supply a crafted num_written value exceeding max_targets in discover targets MAD responses, causing unbounded indexing into disc_buf[] and embedding out-of-bounds kernel data in subsequent PLOGI and Implicit Logout MADs sent back to the attacker. Vendor patches available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No public exploit code or CISA KEV listing identified at time of analysis.
Buffer Overflow
Information Disclosure
Linux
-
CVE-2026-31455
HIGH
CVSS 7.8
Use-after-free in Linux Kernel XFS filesystem allows local authenticated users to execute arbitrary code, escalate privileges, or cause system crashes during filesystem unmount operations. The vulnerability stems from a race condition where background reclaim and inodegc processes continue running while the Active Item List (AIL) is being flushed during unmount, enabling concurrent access to freed memory structures. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% suggests very low probability of mass exploitation, and no active exploitation or public POC is identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31454
HIGH
CVSS 7.8
Use-after-free in Linux Kernel XFS file system allows local authenticated users to execute arbitrary code, escalate privileges, or cause denial of service. The vulnerability affects XFS implementations from kernel 5.9 onward due to improper handling of Active Item List (AIL) pointers when performing buffer I/O in inode and quota push callbacks. With EPSS exploitation probability at 0.02% and no confirmed active exploitation, this represents a moderate real-world risk limited by local access requirements and low attack complexity. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0).
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-31453
HIGH
CVSS 7.8
Use-after-free in Linux kernel's XFS filesystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or information disclosure. The vulnerability occurs in the XFS Active Item List (AIL) push mechanism where log items can be freed by background reclaim processes while still being dereferenced by tracepoints. Vendor patches are available for kernel versions 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability in the wild, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
-
CVE-2026-31452
HIGH
CVSS 7.8
Local privilege escalation in Linux Kernel ext4 filesystem allows authenticated users to trigger kernel crashes and potentially execute arbitrary code with high privileges. The vulnerability stems from improper handling of inline data conversion when truncate() operations exceed inline storage capacity in ext4 filesystems. Affected kernel versions include mainline through 7.0-rc3 and stable branches 5.10.x through 6.19.x, with vendor patches available across all active kernel series. EPSS exploitation probability is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, though CVSS 7.8 reflects high local impact if exploited.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31450
HIGH
CVSS 8.8
Race condition in Linux kernel ext4 filesystem allows denial of service through kernel panic when fast commit feature processes incompletely initialized journal inodes. Affects Linux kernel versions from 3.11 through multiple stable branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x) prior to patched versions released in early 2025. Vendor patches available across all affected stable branches. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Not listed in CISA KEV, and no public exploit code identified at time of analysis. CVSS 8.8 reflects authenticated network attack vector, though real-world risk is limited to systems where attackers have filesystem write access and ext4 fast commit is enabled.
Denial Of Service
Linux
Null Pointer Dereference
-
CVE-2026-31449
HIGH
CVSS 7.8
Buffer overflow in Linux kernel ext4 filesystem allows local attackers with user interaction to achieve arbitrary code execution via crafted extent tree metadata. The ext4_ext_correct_indexes() function fails to validate index pointer bounds when walking up the extent tree, enabling slab-out-of-bounds memory reads when processing malicious filesystem images. With CVSS 7.8 (high severity) but only 0.02% EPSS (5th percentile), this represents elevated theoretical risk with minimal observed real-world exploitation. Vendor patches available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0), and no public exploit code or active exploitation confirmed at time of analysis.
Buffer Overflow
Information Disclosure
Linux
-
CVE-2026-31447
HIGH
CVSS 7.8
Linux kernel ext4 filesystem allows mounting of maliciously crafted filesystems with bigalloc and non-zero s_first_data_block, potentially triggering memory corruption or information disclosure. Affects all Linux kernel versions from 2.6.12 (commit 1da177e) through 7.0, with patches released in stable branches 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, and 6.19.11. CVSS 7.8 indicates high severity with local access and user interaction required. EPSS score of 0.02% (7th percentile) suggests low probability of widespread exploitation, and no active exploitation confirmed (not in CISA KEV).
Information Disclosure
Linux
-
CVE-2026-31446
HIGH
CVSS 7.8
Use-after-free in Linux kernel ext4 filesystem allows local attackers to potentially execute arbitrary code or cause denial of service during unmount operations. The vulnerability stems from a race condition between ext4_put_super() teardown and update_super_work() error notification, where sysfs_notify() accesses a freed kernfs_node object after kobject_del() has released it. Fixed in stable kernel releases 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (7th percentile) suggests low probability of exploitation in the wild, though CVSS vector indicates straightforward local exploitation requiring user interaction.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-31442
HIGH
CVSS 7.8
Use-after-free in Linux kernel idxd DMA engine driver allows local authenticated attackers to execute arbitrary code, disclose sensitive memory, or crash the system when Function Level Reset operations fail to allocate scratch memory. The vulnerability affects Linux kernels from commit 98d187a98903 through versions 6.14, 6.18.x before 6.18.21, and 6.19.x before 6.19.11. Vendor patches are available across stable branches with EPSS indicating 0.02% exploitation probability (4th percentile), suggesting limited active targeting despite the high CVSS 7.8 score. No CISA KEV listing or public exploit code identified at time of analysis.
Buffer Overflow
Information Disclosure
Linux
-
CVE-2026-31435
HIGH
CVSS 8.8
Read retry logic in the Linux kernel's netfs subsystem can incorrectly abandon all remaining subrequests due to an uninitialized or invalid pointer, potentially exposing unintended memory contents or causing denial of service through kernel crashes. Affects Linux kernel 6.12 through early 6.19 and 7.0 development branches. Vendor patches available for 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low real-world exploitation probability. Not listed in CISA KEV. CVSS 8.8 reflects network attack vector with user interaction required.
Buffer Overflow
Information Disclosure
Linux
-
CVE-2026-31433
HIGH
CVSS 8.8
Out-of-bounds write in Linux kernel ksmbd allows authenticated remote attackers to cause memory corruption via crafted SMB2 compound requests combining QUERY_DIRECTORY and QUERY_INFO commands. The vulnerability arises when get_file_all_info() fails to validate OutputBufferLength against available buffer space before converting filenames to UTF-16, enabling buffer overflow beyond response buffer boundaries. With CVSS 8.8 (High) and network attack vector requiring only low privileges, this presents significant risk to systems running ksmbd SMB server. Vendor patches available across multiple kernel versions (5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability remains low at 0.01% (2nd percentile), and no public exploit or CISA KEV listing identified at time of analysis.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31432
HIGH
CVSS 8.8
Out-of-bounds write in Linux kernel's ksmbd server allows authenticated remote attackers with low-privilege SMB access to corrupt memory and potentially execute arbitrary code or crash the system. The vulnerability triggers when processing compound SMB2 requests (e.g., READ + QUERY_INFO for security descriptors) where the first command consumes most of the response buffer, causing ksmbd to write beyond allocated memory when building security descriptors from POSIX ACLs. Vendor patches are available for kernel versions 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.01% suggests low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.
Buffer Overflow
Linux
Memory Corruption
-
CVE-2026-26354
HIGH
CVSS 8.1
Stack-based buffer overflow in Dell PowerProtect Data Domain DD OS allows remote unauthenticated attackers to execute arbitrary commands on vulnerable appliances. Affects Feature Release versions 7.7.1.0-8.6, LTS2025 (8.3.1.0-8.3.1.10), and LTS2024 (7.13.1.0-7.13.1.60). Despite network-accessible attack vector (AV:N/PR:N), high attack complexity (AC:H) indicates specialized exploit conditions. CISA SSVC framework rates exploitation as 'none' and automatable as 'no', suggesting manual, targeted exploitation rather than mass scanning. No active exploitation confirmed at time of analysis. Dell has released patches across all affected release tracks (DSA-2026-060).
Buffer Overflow
Stack Overflow
Dell
-
CVE-2026-22754
HIGH
CVSS 7.5
Authorization bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to circumvent access controls when applications use servlet-path-based intercept-url configurations. The framework fails to include the servlet path when computing pattern matches for authorization rules, causing protected endpoints to become accessible without proper authorization checks. No public exploit code identified at time of analysis, but the straightforward bypass condition (misconfigured servlet-path directives) and network attack vector (CVSS AV:N/AC:L/PR:N) make this readily exploitable in affected deployments.
Authentication Bypass
Java
Red Hat
-
CVE-2026-22753
HIGH
CVSS 7.5
Path matching bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to evade authentication, authorization, and other security controls when applications use securityMatchers(String) with a PathPatternRequestMatcher.Builder bean to prepend servlet paths. Improper matcher configuration causes filter chains to silently fail, leaving protected endpoints exposed without intended security controls. No active exploitation confirmed, but CVSS 7.5 with network attack vector (AV:N/AC:L/PR:N) indicates readily exploitable if applications use the specific configuration pattern. VMware-reported vulnerability requires immediate patching for affected Spring Security 7.x deployments.
Java
Information Disclosure
Red Hat
-
CVE-2026-6859
HIGH
CVSS 8.8
Remote code execution in InstructLab affects Red Hat Enterprise Linux AI 3 when users download or train models from HuggingFace Hub. The linux_train.py script hardcodes trust_remote_code=True, allowing attackers to execute arbitrary Python code by hosting malicious models on HuggingFace and convincing users to run ilab train, download, or generate commands. This configuration weakness enables complete system compromise through social engineering attacks. CVSS 8.8 with network vector but requires user interaction, reducing automatic exploitation risk. No active exploitation (CISA KEV) or public POC identified at time of analysis.
RCE
Python
-
CVE-2026-6857
HIGH
CVSS 7.5
Remote code execution in Red Hat Apache Camel Infinispan component allows low-privileged attackers to execute arbitrary code via unsafe deserialization in ProtoStream remote aggregation repository. Exploiting this vulnerability requires network access and low-privilege credentials but grants full system compromise affecting confidentiality, integrity, and availability. The attack complexity is rated high (AC:H), suggesting specific configuration or timing requirements. No active exploitation confirmed at time of analysis (not in CISA KEV), and public exploit code status is unknown.
RCE
Deserialization
-
CVE-2026-6855
HIGH
CVSS 7.1
Path traversal in InstructLab's chat session handler enables local authenticated attackers to write files to arbitrary filesystem locations by manipulating the logs_dir parameter. Red Hat Enterprise Linux AI 3 deployments are confirmed affected. CVSS 7.1 (High) reflects significant confidentiality and integrity impact, though exploitation requires local access and low-level privileges. No active exploitation (CISA KEV) or public proof-of-concept identified at time of analysis. EPSS data not available, suggesting limited immediate widespread exploitation risk despite high severity rating.
Path Traversal
-
CVE-2026-6846
HIGH
CVSS 7.8
Heap buffer overflow in GNU Binutils XCOFF linker allows arbitrary code execution when a local user processes a malicious object file. Red Hat Enterprise Linux versions 6 through 10 are confirmed affected via CPE data. CVSS 7.8 reflects local attack vector requiring user interaction (opening/linking the crafted file). No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept identified at time of analysis. Real-world risk depends heavily on whether development workflows involve linking untrusted XCOFF files, which is uncommon outside AIX/PowerPC cross-compilation scenarios.
RCE
Buffer Overflow
Denial Of Service
Heap Overflow
-
CVE-2026-6834
HIGH
CVSS 7.1
Missing authorization in a+HRD API allows authenticated low-privilege remote attackers to read arbitrary database contents. The vulnerability exists in a specific API method that fails to properly verify user permissions, enabling lateral privilege escalation to access sensitive data beyond the attacker's authorization scope. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with network attack vector and low attack complexity, though exploitation requires valid user credentials.
Authentication Bypass
-
CVE-2026-6833
HIGH
CVSS 7.1
SQL injection in aEnrich a+HRD allows authenticated remote attackers to read database contents through malicious SQL command injection. The vulnerability requires low-privilege authentication but enables complete confidentiality breach of database information. No active exploitation confirmed via CISA KEV, and EPSS data not available, but the low attack complexity (AC:L) and network attack vector (AV:N) make this exploitable by any authenticated user with basic SQL injection knowledge.
SQLi
-
CVE-2026-6023
HIGH
CVSS 8.1
Remote code execution in Progress Telerik UI for ASP.NET AJAX via insecure deserialization in the RadFilter control allows unauthenticated remote attackers to execute arbitrary code on the server by tampering with exposed client-side filter state. Affected versions span 2024.4.1114 through 2026.1.421. EPSS data not available; no public exploit or CISA KEV listing identified at time of analysis. The CVSS 8.1 (High) reflects network accessibility but 'High' attack complexity (AC:H), indicating successful exploitation requires specific conditions beyond simple network access.
RCE
Deserialization
-
CVE-2026-6022
HIGH
CVSS 7.5
Uncontrolled resource consumption in Progress Telerik UI for AJAX RadAsyncUpload component allows remote unauthenticated attackers to exhaust disk space by uploading files exceeding configured size limits through chunked upload bypass. The vulnerability arises from missing cumulative size validation during chunk reassembly, enabling attackers to circumvent intended upload restrictions. No authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), making this exploitable against any internet-facing application using affected versions. Patch available in version 2026.1.421. No CISA KEV listing or public exploit code identified at time of analysis, but low attack complexity and no authentication barrier indicate straightforward exploitation potential.
Denial Of Service
-
CVE-2026-5816
HIGH
CVSS 8.0
Cross-site scripting (XSS) in GitLab CE/EE versions 18.10.0-18.10.3 and 18.11.0 enables unauthenticated attackers to execute arbitrary JavaScript in victim browser sessions via improper path validation. GitLab disclosed this vulnerability with publicly available exploit code (HackerOne report 3572231), though CISA SSVC indicates no active exploitation confirmed at time of analysis. CVSS 8.0 reflects the changed scope (S:C) allowing impact beyond the vulnerable component, though High attack complexity (AC:H) and required user interaction (UI:R) limit ease of exploitation. Patched in versions 18.10.4 and 18.11.1.
Information Disclosure
Gitlab
-
CVE-2026-5750
HIGH
CVSS 7.6
Insecure direct object reference in Fullstep V5 allows authenticated users to enumerate and modify other users' supplier registration data via predictable API endpoints. Authenticated attackers with low privileges can exploit vulnerable GET and POST endpoints to list sensitive user information (/api/suppliers/v1/suppliers/) and update arbitrary user profiles including personal details and documents (/#/supplier-registration/supplier-registration/). CVSS 7.6 reflects high confidentiality and integrity impact with low attack complexity. No public exploit code identified at time of analysis, but the IDOR pattern is trivial to exploit once authenticated. INCIBE-CERT advisory confirms patch availability from vendor.
Authentication Bypass
-
CVE-2026-5749
HIGH
CVSS 8.7
Authentication bypass in Fullstep V5 registration process enables unauthenticated remote attackers to obtain valid JWT tokens for accessing protected API resources without credentials. CVSS v4.0 score of 8.7 reflects the severity of network-accessible authentication bypass with high confidentiality impact. Vendor patch is available through INCIBE coordination. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, though the vulnerability's low complexity (AC:L) and lack of required authentication (PR:N) make it readily exploitable once discovered.
Authentication Bypass
-
CVE-2026-5398
HIGH
CVSS 8.4
Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploiting a use-after-free condition in the TIOCNOTTY ioctl implementation. When a process detaches from its controlling terminal and exits, a dangling pointer in the terminal structure references freed session memory, which attackers can manipulate to escalate privileges. This vulnerability affects multiple stable and release branches with CVSS 8.4 (High) but low EPSS probability (0.02%, 5th percentile), indicating theoretical severity without observed widespread exploitation. Not listed in CISA KEV, suggesting no confirmed active exploitation at time of analysis.
Information Disclosure
Use After Free
Memory Corruption
-
CVE-2026-5262
HIGH
CVSS 8.0
Cross-site scripting vulnerability in GitLab's Storybook development environment allows remote unauthenticated attackers to steal access tokens via crafted user interaction. Affects GitLab CE/EE versions 16.1.0 through 18.9.5, 18.10 through 18.10.3, and 18.11.0. Publicly available exploit code exists (HackerOne report 3574642), though CISA SSVC indicates no confirmed active exploitation at time of analysis. CVSS 8.0 reflects high confidentiality and integrity impact with scope change, but CVSS vector AC:H (high complexity) and UI:R (user interaction required) indicate exploitation requires targeted social engineering rather than automated mass exploitation.
XSS
Gitlab
-
CVE-2026-4922
HIGH
CVSS 8.1
Cross-Site Request Forgery (CSRF) in GitLab CE/EE allows remote unauthenticated attackers to execute GraphQL mutations as authenticated victims through crafted web pages. Affects all versions from 17.0 through 18.11.0, with publicly available exploit code (HackerOne report 3627285). Despite high CVSS 8.1, exploitation requires user interaction (phishing/social engineering) and is not automatable per CISA SSVC framework. No evidence of active exploitation in CISA KEV at time of analysis. Vendor patches released: 18.9.6, 18.10.4, and 18.11.1.
CSRF
Gitlab
-
CVE-2026-4132
HIGH
CVSS 7.2
Arbitrary file write in HTTP Headers plugin for WordPress versions ≤1.19.2 enables authenticated administrators to achieve remote code execution by manipulating htpasswd file path configuration and injecting PHP code via unsanitized username input. Administrators can set a malicious file path (e.g., webroot/shell.php) through 'hh_htpasswd_path' option and inject executable code via the 'hh_www_authenticate_user' field, which is written directly to disk without validation. Wordfence disclosure includes direct source code references showing the vulnerable apache_auth_credentials() and update_auth_credentials() functions. No public exploit code or active exploitation confirmed at time of analysis.
PHP
WordPress
RCE
-
CVE-2026-3621
HIGH
CVSS 7.5
Identity spoofing in IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.4 allows authenticated attackers with low privileges to impersonate other users and escalate privileges when applications are deployed without proper authentication and authorization controls. The vulnerability requires high attack complexity and low-privilege credentials, but enables complete compromise of confidentiality, integrity, and availability within the application scope. CVSS 7.5 (High) reflects the significant impact once exploitation conditions are met. No public exploit identified at time of analysis, and vendor patch is available per IBM advisory.
Privilege Escalation
IBM
-
CVE-2026-0539
HIGH
CVSS 8.5
Local privilege escalation in pcvisit Remote Host Modul on Windows allows low-privileged users to gain NT AUTHORITY\SYSTEM by overwriting the service binary with malicious code that executes automatically at boot. All versions after 22.6.22.1329 through 25.12.3.1745 are affected due to weak file permissions (CWE-276). The vendor patched this in version 25.12.3.1745 per the advisory. EPSS and KEV status unknown, but the vulnerability is trivial to exploit (CVSS AV:L/AC:L/PR:L) with maximum local impact (8.5 High).
Privilege Escalation
Microsoft
-
CVE-2026-41667
MEDIUM
CVSS 6.6
Integer overflow in constant tensor data size calculation in Samsung Open Source ONE prior to version 1.30.0 allows local attackers with user interaction to cause incorrect buffer sizing for large constant nodes, leading to buffer overflow conditions that may result in information disclosure or denial of service. The vulnerability requires local access and user interaction but can trigger high-severity memory corruption due to incorrect buffer allocation for tensors exceeding integer size limits.
Buffer Overflow
Integer Overflow
Samsung
-
CVE-2026-41666
MEDIUM
CVSS 6.6
Integer overflow in tensor copy size calculation within Samsung Open Source ONE enables out-of-bounds memory access during loop state propagation. Unauthenticated local attackers with user interaction can trigger the overflow to read sensitive data, modify memory, or cause denial of service on affected versions prior to 1.30.0. CVSS 6.6 indicates moderate severity with high availability impact.
Buffer Overflow
Integer Overflow
Samsung
-
CVE-2026-41665
MEDIUM
CVSS 6.1
Integer overflow in scratch buffer initialization within Samsung Open Source ONE allows local attackers with user interaction to cause denial of service and memory corruption affecting large intermediate tensor processing. Versions prior to 1.30.0 are vulnerable. The vulnerability stems from incorrect size calculation during memory allocation for scratch buffers, resulting in undersized allocations that corrupt adjacent memory regions when large tensors are processed.
Buffer Overflow
Integer Overflow
Samsung
-
CVE-2026-41664
MEDIUM
CVSS 6.6
Integer overflow in memory copy size calculation in Samsung Open Source ONE prior to version 1.30.0 allows local attackers with user privileges to trigger invalid memory operations by supplying tensors with large shapes, potentially causing information disclosure, data corruption, or denial of service. The vulnerability requires user interaction (UI:R) and operates with low attack complexity on local systems. No public exploit code or active exploitation has been identified.
Buffer Overflow
Integer Overflow
Samsung
-
CVE-2026-41650
MEDIUM
CVSS 6.1
fast-xml-parser XMLBuilder fails to escape comment and CDATA delimiters when building XML from JavaScript objects, allowing XML injection via unescaped `-->` and `]]>` sequences in user-controlled content. Attackers can inject malicious XML elements into comments or CDATA sections, enabling XSS attacks in browser contexts, SOAP message manipulation, RSS feed poisoning, or XML structure breakage. The vulnerability requires user interaction (UI:R) and affects only XMLBuilder output that includes user-controlled comments or CDATA; no public exploit code identified at time of analysis.
XSS
Node.js
Red Hat
Suse
-
CVE-2026-41646
MEDIUM
CVSS 5.5
Nuclei v3.7.0 and earlier allow JavaScript templates to read arbitrary `.js` and `.json` files from the host filesystem via the `require()` function, bypassing the `allow-local-file-access` restriction. This enables unauthenticated local attackers or users running untrusted templates to extract sensitive data from configuration files, credential stores, and cloud credentials. The vulnerability is limited to these two file types but can expose secrets in `package.json`, environment configs, and similar files commonly present on developer or server systems.
Authentication Bypass
Information Disclosure
-
CVE-2026-41645
MEDIUM
CVSS 5.3
Expression injection in Nuclei's template evaluation engine allows malicious HTTP servers to inject and execute DSL expressions via response data reused in multi-step templates. When the `-env-vars` flag is enabled (off by default), attackers can exfiltrate host environment variables including API keys and credentials; without this flag, injected expressions may trigger helper functions with limited security impact. Nuclei v3.8.0+ patches the vulnerability by collecting expressions from template source before placeholder substitution, preventing response-derived data from being reinterpreted as executable DSL syntax.
RCE
Information Disclosure
Code Injection
-
CVE-2026-41591
MEDIUM
CVSS 6.4
Cross-site scripting in Marko template engine allows authenticated attackers to break out of script and style tags using mixed-case closing tags (e.g., </SCRIPT>, </Style>) and inject arbitrary HTML/JavaScript. The vulnerability affects any Marko template that interpolates untrusted user data inside <script> or <style> blocks, enabling stored XSS attacks against victim browsers with CVSS 6.4 (network-accessible, low complexity, requires low privileges). Vendor-released patch available.
XSS
-
CVE-2026-41511
MEDIUM
CVSS 6.2
OpenMcdf fails to detect cycles in Compound File Binary (CFB) directory entry red-black trees, causing indefinite loops in Storage.EnumerateEntries() and Storage.OpenStream() when processing crafted CFB files with sibling ID cycles. This denial-of-service vulnerability consumes the calling thread permanently with no recovery path via exception handling, affecting any application opening untrusted CFB documents. Patch available in version 3.1.3.
Denial Of Service
-
CVE-2026-41469
MEDIUM
CVSS 5.1
Beghelli SicuroWeb (Sicuro24) lacks Content Security Policy enforcement, permitting unrestricted loading of external JavaScript from attacker-controlled origins. When combined with template injection and sandbox escape flaws in the same application, this missing security header removes browser-enforced protections that would otherwise prevent external script execution, enabling attackers to inject arbitrary remote payloads into operator sessions. Publicly available exploit code exists, and SSVC analysis confirms exploitability is achievable but not automatable, with partial technical impact.
Code Injection
Sicuroweb Sicuro24
-
CVE-2026-41459
MEDIUM
CVSS 6.9
Xerte Online Toolkits versions 3.15 and earlier expose the server-side filesystem root path through an unauthenticated GET request to the /setup page, allowing remote attackers to retrieve sensitive path information rendered in HTML responses. This information disclosure enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php, potentially leading to unauthorized file access or further system compromise.
PHP
Information Disclosure
Path Traversal
-
CVE-2026-41457
MEDIUM
CVSS 6.9
SQL injection in OwnTone Server 28.4 through 29.0 allows unauthenticated remote attackers to inject arbitrary SQL expressions via the query= and filter= parameters in DAAP requests, enabling bypass of access controls and unauthorized retrieval of media library data. The vulnerability stems from insufficient sanitization of integer-mapped DAAP field parameters and affects default network-accessible deployments without requiring user interaction.
Authentication Bypass
SQLi
Suse
-
CVE-2026-41455
MEDIUM
CVSS 6.3
Server-side request forgery in WeKan before 8.35 allows authenticated users to create or modify webhook integrations with arbitrary URLs, enabling the server to issue HTTP POST requests to internal network addresses and attacker-controlled targets. The vulnerability additionally permits unauthorized modification of comment text through response handling, affecting systems where users have integration management privileges. No active exploitation has been confirmed at time of analysis.
SSRF
-
CVE-2026-41314
MEDIUM
CVSS 4.8
Denial of service via memory exhaustion in pypdf prior to 6.10.2 allows local attackers with user interaction to crash applications processing crafted PDF files containing FlateDecode-compressed images with inflated size values. The vulnerability exhausts available RAM during decompression, affecting any system using vulnerable pypdf versions to parse untrusted PDF documents.
Python
Information Disclosure
Red Hat
Suse
-
CVE-2026-41313
MEDIUM
CVSS 4.8
Denial of service via algorithmic complexity in pypdf versions prior to 6.10.2 allows local attackers to cause long runtimes by crafting a PDF with an excessively large trailer /Size value when loaded in incremental mode. The vulnerability requires user interaction to load the malicious PDF and results in availability degradation rather than data compromise. Patch version 6.10.2 is available from the vendor.
Python
Information Disclosure
Red Hat
Suse
-
CVE-2026-41312
MEDIUM
CVSS 4.8
Memory exhaustion in pypdf prior to 6.10.2 allows local attackers to craft malicious PDF files that exhaust system RAM when processed. The vulnerability requires user interaction to open a specially crafted PDF containing a /FlateDecode stream with a /Predictor value other than 1 and large predictor parameters. Vendor-released patch available in version 6.10.2.
Python
Information Disclosure
Red Hat
Suse
-
CVE-2026-41240
MEDIUM
CVSS 6.0
Cross-site scripting (XSS) in DOMPurify occurs when function-based ADD_TAGS configuration is used with FORBID_TAGS, allowing attackers to bypass tag filtering and inject dangerous elements such as iframe, form, object, and embed with their attributes intact. The vulnerability stems from inconsistent handling of FORBID_TAGS compared to the separately fixed FORBID_ATTR logic, where the forbidden tag check is short-circuited by a function-based ADD_TAGS predicate. Publicly available proof-of-concept demonstrates iframe and form injection with external URLs surviving sanitization; patch is available in version 3.4.0.
XSS
Node.js
Red Hat
-
CVE-2026-41239
MEDIUM
CVSS 6.8
Cross-site scripting (XSS) in DOMPurify when using SAFE_FOR_TEMPLATES with RETURN_DOM or RETURN_DOM_FRAGMENT modes allows remote attackers to execute arbitrary JavaScript by crafting malformed HTML that reassembles into template expressions after DOM normalization. The vulnerability affects DOMPurify from v1.0.10 through at least v3.3.3, exploitable when sanitized output is mounted into template-evaluating frameworks like Vue 2. A proof-of-concept demonstrates reliable exploitation with alert(1) execution.
XSS
Node.js
Red Hat
-
CVE-2026-41238
MEDIUM
CVSS 6.9
DOMPurify versions 3.0.1 through 3.3.3 fail to prevent prototype pollution-based XSS attacks when using default configurations. An attacker who can exploit a prototype pollution gadget elsewhere in the application can pollute Object.prototype with permissive regex values, causing DOMPurify to bypass sanitization and allow arbitrary custom elements with event handler attributes. The vulnerability affects the standard DOMPurify.sanitize(userInput) call without requiring special configuration.
XSS
Google
Red Hat
-
CVE-2026-41177
MEDIUM
CVSS 5.5
Blind Server-Side Request Forgery (SSRF) in Squidex prior to version 7.23.0 allows authenticated administrators to force the backend server to interact with the local filesystem via the `file://` protocol in the Restore API's `Url` parameter, potentially disclosing sensitive system information through side-channel analysis of internal logs. No public exploit code or active exploitation has been identified at time of analysis.
SSRF
-
CVE-2026-41168
MEDIUM
CVSS 6.9
Denial of service in pypdf prior to version 6.10.1 allows remote attackers to craft malicious PDF files with oversized cross-reference stream `/Size` values or object stream `/N` values, causing excessive processing time and long runtimes. No authentication is required; the vulnerability is triggered by parsing a specially crafted PDF file. Patch version 6.10.1 is available from the vendor.
Python
Information Disclosure
Red Hat
Suse
-
CVE-2026-41136
MEDIUM
CVSS 5.5
Improper error handling in free5GC AMF prior to version 1.4.3 allows remote attackers to invoke the HTTPUEContextTransfer handler with uninitialized request objects by sending requests with unsupported Content-Type headers. The missing default case in the Content-Type switch statement silently skips deserialization without raising an error, resulting in integrity loss when malformed or crafted payloads reach the processor with null/uninitialized state. CVSS score of 5.5 reflects low integrity impact; publicly available exploit code exists (E:P).
Deserialization
-
CVE-2026-41131
MEDIUM
CVSS 5.0
OpenFGA versions prior to 1.14.1 suffer from a cache key collision vulnerability in conditional authorization models that enables attackers to obtain unauthorized access to resources by forcing reuse of cached authorization decisions. When conditions are evaluated with caching enabled, different check requests can generate identical cache keys, causing OpenFGA to incorrectly return a previously cached authorization result for a subsequent request with different parameters. This affects deployments using relational models with condition evaluation where caching is active, allowing authenticated users to bypass intended access controls and disclose information about resources they should not access.
Information Disclosure
Red Hat
-
CVE-2026-41130
MEDIUM
CVSS 5.5
Server-Side Request Forgery (SSRF) in Craft CMS 4.x through 4.17.8 and 5.x through 5.9.14 allows unauthenticated attackers to proxy arbitrary remote HTTP requests via the `resource-js` endpoint when `trustedHosts` is not explicitly configured. By manipulating the Host header, attackers can control the derived `baseUrl` used in validation, bypassing prefix checks and forcing the server to issue requests to arbitrary destinations. Patch versions 4.17.9 and 5.9.15 address the vulnerability.
SSRF
-
CVE-2026-41129
MEDIUM
CVSS 5.5
Server-Side Request Forgery in Craft CMS 4.x through 4.17.8 and 5.x through 5.9.14 allows authenticated users with asset management permissions to request arbitrary URLs via the GraphQL API, potentially exposing internal services or performing actions on behalf of the CMS server. Exploitation requires high-privilege role assignments ('Edit assets' and 'Create assets' in a volume) and is patched in versions 4.17.9 and 5.9.15. EPSS score indicates moderate exploitation probability despite high CVSS, suggesting this is primarily a risk in multi-user CMS deployments where privilege separation is weak.
SSRF
-
CVE-2026-41128
MEDIUM
CVSS 5.3
Craft CMS versions 5.6.0 through 5.9.14 allow authenticated users with only viewUsers permission to remove arbitrary users from all user groups via the actionSavePermissions() endpoint, bypassing per-group authorization controls that protect group additions. An attacker can submit an empty groups value to strip all group memberships from any user, degrading access control integrity. The vulnerability has been patched in version 5.9.15.
Authentication Bypass
-
CVE-2026-41127
MEDIUM
CVSS 6.5
BigBlueButton versions prior to 3.0.24 allow authenticated viewers to inject or overwrite captions due to missing authorization controls, enabling unauthorized modification of classroom content. The vulnerability requires an authenticated session but does not need user interaction, affecting the integrity of real-time collaboration in virtual classroom deployments. Version 3.0.24 restricts caption submission permissions to authorized roles only.
Authentication Bypass
-
CVE-2026-41126
MEDIUM
CVSS 4.3
Open redirect vulnerability in BigBlueButton prior to version 3.0.24 allows unauthenticated remote attackers to redirect users to arbitrary external URLs via manipulation of the logoutURL parameter in the /api/join endpoint. The vulnerability requires user interaction (clicking a malicious link) but has low technical complexity and could facilitate phishing attacks by redirecting authenticated users away from the legitimate logout flow to attacker-controlled domains. Version 3.0.24 mitigates this by enforcing checksum validation and defaulting to the legitimate logoutURL when validation fails.
Open Redirect
-
CVE-2026-40451
MEDIUM
CVSS 5.1
Cross-site scripting (XSS) vulnerability in DeepL Chrome browser extension versions 1.22.0 through 1.23.0 allows remote attackers to execute arbitrary JavaScript and inject malicious HTML into web pages viewed by users. The vulnerability requires user interaction with a malicious web page but can compromise the security context of all visited websites.
XSS
Google
-
CVE-2026-40450
MEDIUM
CVSS 6.6
Integer overflow in Samsung Open Source ONE's output tensor copy size calculation allows local attackers with user interaction to cause memory corruption and potential code execution through oversized tensor processing. The vulnerability affects versions prior to 1.30.0 and stems from improper integer arithmetic when computing copy lengths for tensor data, enabling an attacker to trigger buffer overflows by crafting malicious tensor inputs that bypass size validation.
Buffer Overflow
Integer Overflow
Samsung
-
CVE-2026-40449
MEDIUM
CVSS 6.6
Integer overflow in tensor buffer size calculation in Samsung Open Source ONE prior to version 1.30.0 allows local attackers with user-level privileges to cause out-of-bounds memory access, leading to information disclosure and denial of service. The vulnerability requires user interaction to process specially crafted large tensor data. CVSS 6.6 indicates moderate severity with local attack vector and high availability impact.
Buffer Overflow
Integer Overflow
Samsung
-
CVE-2026-40448
MEDIUM
CVSS 5.3
Integer overflow in tensor allocation size calculation within Samsung Open Source ONE prior to version 1.30.0 allows local attackers with user interaction to cause denial of service or memory corruption. The vulnerability arises when processing large tensors, where insufficient memory allocation due to integer wraparound can lead to heap corruption. While CVSS indicates moderate severity (5.3), the high attack complexity and user interaction requirements limit practical exploitation.
Buffer Overflow
Integer Overflow
Samsung
-
CVE-2026-35380
MEDIUM
CVSS 5.5
Logic error in uutils coreutils cut utility causes incorrect interpretation of the literal two-byte string '' (two single quotes) as an empty delimiter, leading to silent data corruption when processing strings with these characters. The vulnerability affects uutils coreutils versions prior to 0.8.0 and impacts automated scripts and data pipelines that rely on precise delimiter handling, as the utility may unintentionally split or join data on NUL bytes rather than intended literal characters.
Information Disclosure
-
CVE-2026-35376
MEDIUM
CVSS 4.5
Time-of-Check to Time-of-Use (TOCTOU) race condition in the chcon utility of uutils coreutils allows local attackers with directory write access to redirect recursive security label operations to unintended files or directories via symbolic link or rename races, potentially compromising SELinux security controls. The vulnerability affects versions prior to 0.8.0 and requires low privileges and high attack complexity to exploit, making it a moderate-severity issue with partial technical impact.
Information Disclosure
-
CVE-2026-35374
MEDIUM
CVSS 6.3
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local attackers with directory write access to manipulate symbolic links between the initial path validation and file truncation, causing data loss to unintended target files including the input file or other sensitive files. CVSS 6.3 (local, high complexity, low privilege required); SSVC assesses as non-exploitable in automated attacks but partial technical impact due to manual race window exploitation requirements.
Information Disclosure
-
CVE-2026-35372
MEDIUM
CVSS 5.0
The ln utility in uutils coreutils fails to honor the --no-dereference flag when the --force flag is not simultaneously enabled, allowing local attackers with low privileges to redirect symbolic link operations into unintended directories. An attacker can manipulate existing symlinks to cause a privileged user or system script running ln -n to create files in sensitive directories, leading to unauthorized file creation or system misconfiguration. CVSS score of 5.0 reflects local attack vector and low complexity; SSVC framework indicates non-automatable exploitation with partial technical impact.
Information Disclosure
-
CVE-2026-35370
MEDIUM
CVSS 4.4
The id utility in uutils coreutils miscalculates group membership by using real GID instead of effective GID, causing output divergence from GNU coreutils and potentially enabling unauthorized access when scripts rely on id output for access-control decisions. Affects local users with privileges to execute the id command. Proof-of-concept code exists but no active exploitation in the wild has been confirmed.
Authentication Bypass
-
CVE-2026-35369
MEDIUM
CVSS 5.5
Local denial of service in uutils coreutils kill utility before version 0.6.0 allows unprivileged users to crash the system or terminate all visible processes by exploiting incorrect argument parsing that sends SIGTERM to PID -1 instead of reporting a missing PID argument. The vulnerability requires local access and can be triggered without user interaction, distinguishing it from the correct behavior in GNU coreutils where -1 is interpreted as a signal number rather than a process identifier.
Denial Of Service
-
CVE-2026-35366
MEDIUM
CVSS 4.4
The printenv utility in uutils coreutils versions before 0.6.0 silently omits environment variables containing invalid UTF-8 byte sequences, allowing adversarial environment variables such as malicious LD_PRELOAD values to evade inspection by administrators and security auditing tools. This evasion capability enables library injection and other environment-based attacks to bypass detection, affecting systems that rely on printenv for security auditing or environment validation. The vulnerability requires local access with unprivileged user privileges (PR:L) to exploit and carries a CVSS score of 4.4 with confirmed proof-of-concept availability.
Code Injection
-
CVE-2026-35365
MEDIUM
CVSS 6.6
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across filesystem boundaries, allowing local authenticated users to trigger resource exhaustion via disk space consumption, disclose sensitive data through unexpected file duplication, or cause denial of service through infinite symlink loop recursion. Affected versions prior to 0.7.0 are vulnerable; a vendor-released patch is available.
Denial Of Service
Information Disclosure
-
CVE-2026-35364
MEDIUM
CVSS 6.3
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move operations allows local attackers with write access to the destination directory to exploit a window between file deletion and recreation, injecting a symbolic link to redirect privileged write operations and overwrite arbitrary files. Exploitation requires moderate attack complexity and local access with limited privileges, but grants the ability to corrupt or modify files beyond the attacker's normal permissions. Publicly available exploit code exists but the vulnerability has not been confirmed in active exploitation.
Information Disclosure
-
CVE-2026-35363
MEDIUM
CVSS 5.6
The rm utility in uutils coreutils fails to properly validate current directory paths with trailing slashes (./ or .///), allowing local users with write access to silently delete all contents of the current directory via rm -rf ./ while the utility reports a misleading 'Invalid input' error. CVSS score 5.6 reflects local attack vector and required user interaction, though the impact is severe data loss with potential recovery complications.
Path Traversal
-
CVE-2026-35360
MEDIUM
CVSS 6.3
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows local attackers with user-level privileges to truncate arbitrary files and cause permanent data loss. The vulnerability exists in the window between when touch checks for a missing file and when it attempts file creation with O_TRUNC flag; an attacker can inject a symlink or create a file at the target path during this interval, causing touch to truncate an existing file that the attacker controls. SSVC framework indicates exploitation is possible via proof-of-concept code, though automation is not feasible due to race condition complexity.
Information Disclosure
-
CVE-2026-35359
MEDIUM
CVSS 4.7
Time-of-Check to Time-of-Use (TOCTOU) vulnerability in uutils coreutils cp utility allows local attackers with write access to bypass no-dereference protections and read arbitrary sensitive files. The cp command checks symbolic link status via metadata but opens files without O_NOFOLLOW, permitting race condition exploitation where an attacker swaps a regular file for a symbolic link between check and use, causing a privileged cp process to copy sensitive file contents to attacker-controlled destinations. Publicly available exploit code exists; SSVC framework indicates partial technical impact with non-automatable exploitation.
Information Disclosure
-
CVE-2026-35358
MEDIUM
CVSS 4.4
The cp utility in uutils coreutils versions before 0.7.0 incorrectly handles recursive copy operations (-R flag) by converting character and block device nodes into regular files instead of preserving them via mknod, destroying device semantics and enabling denial of service through disk exhaustion or process hangs when unbounded device nodes are copied.
Denial Of Service
-
CVE-2026-35357
MEDIUM
CVSS 4.7
The cp utility in uutils coreutils exposes sensitive file contents through a race condition where destination files are created with overly permissive umask-derived permissions before being restricted to their final restrictive mode. A local authenticated attacker can open the file during this narrow window to obtain a valid file descriptor that remains readable even after permissions are tightened, bypassing intended access controls. CVSS 4.7 with high confidentiality impact but limited exploitability due to high attack complexity and moderate SSVC rating.
Information Disclosure
-
CVE-2026-35356
MEDIUM
CVSS 6.3
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attackers with write access to redirect privileged file writes to arbitrary locations. The vulnerability exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition between parent directory creation and target file creation, neither anchored to a directory file descriptor. CISA reports no active exploitation (SSVC: none), but the attack is non-automatable and requires specific concurrent write access conditions.
Information Disclosure
-
CVE-2026-35355
MEDIUM
CVSS 6.3
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated attackers to redirect privileged file writes to arbitrary system locations via symbolic link swapping. By exploiting the window between file unlinking and recreation, an attacker with local access and low privileges can overwrite critical system files when the install command runs with elevated privileges, achieving both integrity compromise and denial of service.
Information Disclosure
-
CVE-2026-35354
MEDIUM
CVSS 4.7
Time-of-check-time-of-use (TOCTOU) vulnerability in uutils coreutils mv utility during cross-device file moves allows local attackers with directory write access to manipulate extended attributes (xattrs) on destination files by swapping files between sequential path-based system calls, potentially causing security labels like SELinux attributes or file capabilities to be applied inconsistently. CVSS 4.7 (local, high complexity) with confirmed vulnerability reported by Canonical; CISA SSVC assessment indicates non-automatable exploitation with partial technical impact.
Information Disclosure
-
CVE-2026-35351
MEDIUM
CVSS 4.2
The mv utility in uutils coreutils fails to preserve file ownership when moving files across filesystem boundaries, causing moved files to be reassigned to the caller's UID/GID instead of retaining the source file's ownership metadata. When invoked by privileged users (such as root), this results in unexpected ownership changes that can lead to information disclosure or access restrictions for legitimate file owners. Exploitation requires local access and high privileges; a public proof-of-concept exists but active exploitation has not been confirmed in the wild.
Information Disclosure
-
CVE-2026-35350
MEDIUM
CVSS 6.6
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during file copying with the -p flag, potentially creating unprivileged user-owned files that retain elevated privilege bits and violate security policies. This behavior diverges from GNU cp, which strips these bits when ownership preservation fails. Local users with write access to directories can exploit this to create unexpected privileged executables.
Information Disclosure
-
CVE-2026-35349
MEDIUM
CVSS 6.7
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root filesystem by supplying a symbolic link that resolves to the root directory, rather than relying on authentic root inode comparison. The vulnerability affects coreutils versions before 0.7.0 and requires local access with no special privileges, though successful exploitation is hindered by high complexity (AC:H). CISA exploitation status is none at time of analysis, and a vendor patch has been released.
Authentication Bypass
-
CVE-2026-35348
MEDIUM
CVSS 5.5
The sort utility in uutils coreutils crashes with a process panic when the --files0-from option processes inputs containing non-UTF-8 filenames, allowing local authenticated attackers to cause denial of service. Unlike GNU sort, which handles filenames as raw bytes, uutils enforces UTF-8 encoding via expect() calls that immediately panic on invalid sequences. A proof-of-concept exploit exists; SSVC analysis indicates partial technical impact with non-automatable exploitation.
Denial Of Service
-
CVE-2026-35347
MEDIUM
CVSS 4.4
The comm utility in uutils coreutils drains FIFO and pipe streams before performing file comparison due to premature data consumption in the are_files_identical function, causing silent data loss and potential indefinite hangs on infinite streams. Local authenticated users can trigger this vulnerability to corrupt or lose data in piped workflows, affecting the integrity of command-line data processing chains.
Information Disclosure
-
CVE-2026-35345
MEDIUM
CVSS 5.3
The tail utility in uutils coreutils discloses sensitive file contents through improper symlink handling when using the --follow=name option. Unlike GNU tail, uutils continues monitoring a file path after it has been replaced with a symbolic link, causing it to output the contents of the link's target. A local attacker with write access to a monitored directory can exploit this to exfiltrate sensitive system files such as /etc/shadow when a privileged user (e.g., root) runs tail in follow mode. Publicly available exploit code exists, and the vulnerability requires local access and specific deployment conditions (privileged tail process monitoring user-writable directories).
Information Disclosure
-
CVE-2026-35340
MEDIUM
CVSS 5.5
uutils coreutils chown and chgrp utilities return incorrect exit codes during recursive directory operations, masking ownership change failures and allowing administrative scripts to incorrectly assume successful permission transfers. When processing multiple files recursively, the final exit code reflects only the last file's result; if that file succeeds, the command returns 0 even if earlier operations failed due to permission errors. This integrity flaw affects local users with limited privileges on systems running affected versions below 0.6.0, creating risk of security misconfigurations in automated deployment and configuration management scripts.
Information Disclosure
-
CVE-2026-35339
MEDIUM
CVSS 5.5
The chmod utility in uutils coreutils versions prior to 0.6.0 incorrectly reports success (exit code 0) when recursively processing multiple files, even if permission changes fail on earlier files due to access restrictions or other errors. This causes scripts and automation to proceed under a false assumption that all files were modified correctly, potentially leaving sensitive files with unintended or restrictive permissions.
Information Disclosure
-
CVE-2026-34068
MEDIUM
CVSS 6.8
The Nimiq staking contract accepts UpdateValidator transactions that omit proof-of-knowledge validation when updating voting keys, enabling rogue-key attacks against BLS signature aggregation used in Tendermint block justification. An attacker who can predict the next epoch's validator set could forge quorum-appearing block justifications with a single signature. Exploitation is constrained by the requirement to predict future validator set composition via VRF, making real-world attacks unlikely despite the critical cryptographic impact. Vendor-released patch v1.3.0 addresses the vulnerability.
Information Disclosure
Jwt Attack
-
CVE-2026-34066
MEDIUM
CVSS 5.3
Denial of service in Nimiq Core's history synchronization allows remote peers to trigger a panic in HistoryStore::put_historic_txns by submitting malformed transaction history with block numbers violating invariant constraints. During history sync, the panic occurs before validation checks compare the computed history root against the macro block header, causing affected nodes to crash. The CVSS score of 5.3 reflects high availability impact but requires user interaction and high attack complexity to exploit.
Information Disclosure
-
CVE-2026-34064
MEDIUM
CVSS 5.3
Denial of service in Nimiq's vesting contract allows remote unauthenticated attackers to crash nodes by crafting a vesting contract with `total_amount` exceeding the actual contract balance, then triggering a panic during error handling when `min_cap > balance`. The vulnerability exploits insufficient validation of vesting contract creation data and integer underflow in the `Coin::sub` operation, affecting all versions before 1.3.0. Active exploitation would require ability to broadcast transactions to the Nimiq network.
Denial Of Service
Integer Overflow
-
CVE-2026-34062
MEDIUM
CVSS 5.3
Denial of service in nimiq-libp2p prior to version 1.3.0 allows remote peers to exhaust node resources by sending partial frames on inbound substreams and keeping them open. The vulnerability combines unbounded stream reading via `read_to_end()` with a high concurrent stream limit of 1000, enabling attackers to accumulate stalled slots and degrade network availability without authentication or user interaction.
Denial Of Service
-
CVE-2026-33611
MEDIUM
CVSS 6.5
PowerDNS Authoritative server allows authenticated REST API operators to inject malformed HTTPS or SVCB record data, corrupting the LMDB backend database and causing service degradation or denial of availability. The vulnerability requires high-privilege REST API access and affects deployments using LMDB as the backend storage engine, with confirmed impact on data integrity and availability.
Information Disclosure
Integer Overflow
-
CVE-2026-33610
MEDIUM
CVSS 5.9
Denial of service in PowerDNS secondary servers occurs when a rogue primary server sends crafted DNS update requests that cause file descriptor exhaustion on the secondary, eventually rendering the secondary unable to process legitimate DNS queries. The attack requires network-level coordination between a compromised or attacker-controlled primary server and a target secondary server, with moderate attack complexity due to the need to establish a primary-secondary relationship. No active exploitation has been confirmed in CISA KEV at time of analysis.
Denial Of Service
Suse
-
CVE-2026-33609
MEDIUM
CVSS 5.3
Incomplete LDAP query escaping in PowerDNS Authoritative with 8bit-dns enabled allows authenticated users to enumerate internal domain subtrees through LDAP injection, leading to information disclosure of sensitive DNS zone data. The vulnerability requires valid authentication, high attack complexity due to LDAP protocol constraints, and has been reported by the vendor security team. No active exploitation data is currently available.
Information Disclosure
LDAP
Code Injection
Suse
-
CVE-2026-33602
MEDIUM
CVSS 6.5
DNSdist is vulnerable to denial of service via out-of-bounds write when processing crafted UDP responses from a rogue backend server. An attacker controlling a backend DNS server can send a specially crafted UDP response with a query ID set off-by-one from the maximum configured value, triggering memory corruption that crashes the DNS forwarder. The CVSS score of 6.5 reflects network attack vector with high complexity and absence of confidentiality impact, though availability and integrity are affected.
Buffer Overflow
Denial Of Service
Heap Overflow
Suse
-
CVE-2026-33601
MEDIUM
CVSS 4.4
Denial of service in PowerDNS Recursor via null pointer dereference in the zoneToCache function when processing zone data from a malicious authoritative server. Affects Recursor 5.2.0 through 5.4.0 and requires high privileges and non-standard network conditions to exploit, resulting in service availability impact but not data compromise. Patch available from vendor.
Denial Of Service
Null Pointer Dereference
Suse
-
CVE-2026-33600
MEDIUM
CVSS 4.4
Denial of service in PowerDNS Recursor occurs when processing a malicious Response Policy Zone (RPZ) from an authoritative server, triggering a null pointer dereference due to missing validation logic. Versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0 are affected. An authenticated remote attacker controlling an authoritative nameserver can crash the Recursor service by sending a specially crafted RPZ response, requiring high privilege level (PR:H) and complex attack conditions (AC:H) as mitigating factors.
Denial Of Service
Null Pointer Dereference
Suse
-
CVE-2026-33598
MEDIUM
CVSS 4.8
Out-of-bounds memory read in dnsdist allows remote attackers to trigger information disclosure or denial of service when custom Lua code invokes getDomainListByAddress() or getAddressListByDomain() functions on a crafted packet cache entry. The vulnerability requires network access but has high attack complexity, limiting real-world exploitation despite the remote attack vector.
Buffer Overflow
Information Disclosure
Suse
-
CVE-2026-33595
MEDIUM
CVSS 5.3
dnsdist allows remote denial-of-service attacks through memory exhaustion by generating numerous error responses on single DoQ (DNS-over-QUIC) and DoH3 (DNS-over-HTTPS/3) connections. An unauthenticated remote attacker can trigger excessive memory allocation by rapidly sending queries that produce error responses, with resources not properly released until connection termination. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) reflects network-accessible availability impact; no public exploit identified at time of analysis.
Denial Of Service
Suse
-
CVE-2026-33594
MEDIUM
CVSS 5.3
dnsdist can be forced into excessive memory allocation when a client generates high volumes of DNS queries routed to an overloaded DNS-over-HTTPS (DoH) backend, causing queries to accumulate in an unbounded buffer that persists until connection closure. This denial-of-service condition affects dnsdist deployments with DoH backends under load, allowing unauthenticated remote attackers to exhaust server memory with sustained query traffic.
Denial Of Service
Suse
-
CVE-2026-33262
MEDIUM
CVSS 5.9
Null pointer dereference in PowerDNS Recursor allows remote attackers to trigger a denial of service by sending crafted DNS replies that exploit a missing consistency check. The vulnerability affects Recursor versions 5.2.0 through 5.2.8, 5.3.0 through 5.3.5, and 5.4.0, with CVSS 5.9 reflecting high availability impact but requiring special network conditions (AC:H). No public exploit code identified at time of analysis.
Denial Of Service
Null Pointer Dereference
Suse
-
CVE-2026-33261
MEDIUM
CVSS 5.9
PowerDNS Recursor versions 5.2.x, 5.3.x, and 5.4.0 are vulnerable to denial of service when processing a zone transition from NSEC to NSEC3 DNSSEC record types, causing internal inconsistency and resolver unavailability. The vulnerability requires network access but elevated attack complexity, affecting recursive DNS resolvers in production environments. Vendor patches are available for all affected branches.
Denial Of Service
Suse
-
CVE-2026-33260
MEDIUM
CVSS 5.3
Denial of service in PowerDNS Authoritative, Recursor, and dnsdist via unbounded memory allocation in their internal web servers when processing specially crafted web requests. Multiple product lines are affected across several version ranges. The internal web server is disabled by default, significantly limiting real-world exposure. A vendor-released patch is available. CVSS 5.3 (low severity) with network-accessible vector but no authentication required reflects the ease of exploitation offset by the availability limitation and DoS-only impact.
Denial Of Service
Suse
-
CVE-2026-33259
MEDIUM
CVSS 5.0
PowerDNS Recursor versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0 suffer denial of service and potential data corruption when a malfunctioning RPZ provider causes concurrent transfers of the same RPZ zone, leading to use-after-free conditions, inconsistent zone data, and recursor crashes. The vulnerability requires high privilege attacker control over an RPZ provider and non-standard network conditions, resulting in availability and integrity impact with a CVSS score of 5.0.
Denial Of Service
Use After Free
Memory Corruption
Suse
-
CVE-2026-33258
MEDIUM
CVSS 5.3
Denial of service in PowerDNS Recursor allows remote unauthenticated attackers to exhaust resolver memory by publishing and querying crafted DNS zones that trigger excessive allocation in the negative and aggressive NSEC(3) caches. The vulnerability affects Recursor versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0, with a CVSS score of 5.3 reflecting low severity due to availability impact only (no code execution or data breach). Vendor-released patches are available.
Denial Of Service
Suse
-
CVE-2026-33257
MEDIUM
CVSS 5.3
Unlimited memory allocation in PowerDNS internal web server allows remote denial of service via crafted web requests. The vulnerability affects multiple PowerDNS products (dnsdist, Authoritative, and Recursor) across multiple versions, though the internal web server is disabled by default, significantly limiting real-world exposure. CVSS 5.3 reflects low attack complexity and no authentication requirements, but the default-disabled state and requirement to enable the internal web server substantially reduce practical risk.
Denial Of Service
Suse
-
CVE-2026-33256
MEDIUM
CVSS 5.3
Denial of service via unlimited memory allocation in PowerDNS Recursor's internal web server affects versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0. An unauthenticated remote attacker can send a crafted web request to exhaust server memory when the internal web server is enabled, causing service unavailability. No public exploit code or active exploitation has been identified, but patch versions are available from the vendor.
Denial Of Service
Suse
-
CVE-2026-33254
MEDIUM
CVSS 5.3
DNSdist allows remote attackers to create unlimited concurrent DoQ (DNS over QUIC) or DoH3 (DNS over HTTPS/3) connections, triggering unbounded memory allocation and denial of service. The vulnerability affects configurations where these protocols are explicitly enabled, as both are disabled by default. No authentication is required for exploitation, and CVSS 5.3 (AC:L, AV:N) indicates straightforward network-based triggering under default conditions.
Denial Of Service
Suse
-
CVE-2026-32885
MEDIUM
CVSS 6.5
Path traversal in DDEV versions prior to 1.25.2 allows remote attackers to write files outside intended extraction directories when downloading and extracting archives from remote sources. The vulnerability affects the Untar() and Unzip() functions in pkg/archive/archive.go, which lack path validation during extraction. Exploitation requires user interaction (UI:R) to trigger archive extraction but can achieve high integrity impact through arbitrary file write. A proof-of-concept exists, and CISA SSVC framework rates this as exploitable with partial technical impact.
PHP
Path Traversal
Node.js
-
CVE-2026-31529
MEDIUM
CVSS 5.5
Memory leak in Linux kernel CXL region initialization allows local privileged attackers to cause denial of service through resource exhaustion. The vulnerability exists in the __construct_region() function where failed sysfs_update_group() calls fail to properly free allocated resources, resulting in cumulative memory exhaustion when region construction is repeatedly attempted and fails. CVSS 5.5 reflects local attack vector with low complexity and high availability impact; EPSS 0.02% indicates minimal real-world exploitation probability despite the vulnerability's severity classification.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31526
MEDIUM
CVSS 5.5
The Linux kernel BPF verifier fails to validate lock release on exception exits from static subprograms when bpf_throw() is invoked, potentially allowing denial of service or system instability through uncontrolled RCU and preemption lock retention. Affected versions span from 6.7 through 7.0-rc4; CVSS 5.5 (local privilege escalation path) but EPSS 0.02% suggests low real-world exploitation probability. Patch available in stable releases 6.18.21, 6.19.11, and 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31524
MEDIUM
CVSS 5.5
Memory leak and out-of-bounds read in the asus_report_fixup() HID driver function allows local authenticated attackers with limited privileges to cause denial of service through memory exhaustion. The vulnerability affects the ASUS HID device driver across multiple Linux kernel versions, where kmemdup()-allocated buffers were not freed properly and an out-of-bounds read could access memory beyond the original descriptor size. A patch is available from Linux kernel maintainers switching to devm_kzalloc() for proper memory lifecycle management.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31523
MEDIUM
CVSS 4.7
Double completions in NVMe-PCI polled queue handling occur when a high-priority task attempts to poll a queue during kernel reset before block layer queue maps are updated, causing race conditions between interrupt-driven and polled I/O paths. Affects Linux kernel versions before 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0-rc2, requiring local authentication and high attack complexity to trigger. No public exploit identified, but vendor-released patches are available across all affected stable and development branches.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31522
MEDIUM
CVSS 5.5
Memory leak in the HID magicmouse driver's report_fixup() function allows local authenticated attackers to cause a denial of service through repeated device interactions. The magicmouse_report_fixup() function allocates memory via kmemdup() but fails to free the allocated buffer before returning, leading to exhaustion of kernel memory on systems with a Magic Mouse connected. Vendor patches are available across multiple stable branches.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31521
MEDIUM
CVSS 5.5
Linux kernel module loader fails to validate ELF section index bounds in simplify_symbols(), causing kernel panic when processing modules with out-of-bounds st_shndx values such as SHN_XINDEX (0xffff). Local privileged attackers can crash the system by loading malformed or legitimately-crafted modules that exploit this missing bounds check, resulting in denial of service. The vulnerability affects all stable kernel versions from 2.6.12 through current releases; patches are available across multiple stable branches (5.15.203+, 6.1.168+, 6.6.131+, 6.12.80+, 6.18.21+, 6.19.11+, 7.0+).
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31520
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
HID: apple: avoid memory leak in apple_report_fixup()
The apple_report_fixup() function was returning a
newly kmemdup()-allocated buffer, but never freeing it.
The caller of report_fixup() does not take ownership of the returned
...
Information Disclosure
Linux
Apple
Red Hat
Suse
-
CVE-2026-31519
MEDIUM
CVSS 5.5
A denial-of-service vulnerability in the Linux kernel's Btrfs filesystem implementation allows local authenticated attackers to cause filesystem corruption and crashes through a race condition during subvolume creation and lookup. When a newly created Btrfs subvolume's dentry cache is dropped before the BTRFS_ROOT_ORPHAN_CLEANUP flag is set, concurrent orphan cleanup operations can fail with ENOENT, creating negative dentries that prevent subvolume deletion and cause filesystem aborts. EPSS score of 0.02% indicates this is a low-probability exploitation scenario requiring specific timing and configuration conditions, though the impact is severe for affected systems. No public exploit code is identified at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31518
MEDIUM
CVSS 5.5
Memory leak in Linux kernel ESP-over-TCP implementation with asynchronous cryptography causes denial of service via socket queue exhaustion when crypto operations complete asynchronously. Authenticated local attackers can trigger the vulnerability by filling the TX queue for espintcp connections while using async crypto algorithms, preventing proper cleanup of socket buffers and gradually consuming system memory until services become unavailable. EPSS score of 0.02% indicates low real-world exploitation probability despite moderate CVSS severity.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31517
MEDIUM
CVSS 5.5
Denial of service via kernel panic in the Linux kernel xfrm_iptfs module when processing fragmented IP-TFS packets with mixed fast-path and slow-path reassembly conditions. The vulnerability triggers an invalid memory access (SKB_LINEAR_ASSERT) in skb_put() when attempting to append data to a non-linear socket buffer during packet reassembly, affecting systems using IP-TFS encapsulation over IPsec. Local attackers with network access who can send crafted IPsec packets can crash the kernel; active exploitation is not confirmed, but a patch is available.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31515
MEDIUM
CVSS 5.5
Denial of service in Linux kernel af_key module allows local authenticated attackers to crash the system via buffer overflow in pfkey_send_migrate() function. The vulnerability occurs because pfkey_send_migrate() fails to validate address family parameters before passing them to set_ipsecrequest(), causing truncation that overfills the socket buffer and triggers kernel panic in skb_put(). EPSS score of 0.02% indicates minimal real-world exploitation risk despite moderate CVSS severity.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31514
MEDIUM
CVSS 5.5
Short read handling in EROFS file-backed mounts can mark unread file pages as uptodate when vfs_iocb_iter_read() is interrupted by signals, leading to potential data corruption or information disclosure on systems using EROFS with file-backed mounts. Affected Linux kernel versions prior to fixes in 6.18.21, 6.19.11, and 6.12.80. Local authenticated users can trigger this via signal interruption during I/O operations.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31512
MEDIUM
CVSS 5.5
Denial of service via buffer over-read in Linux kernel Bluetooth L2CAP Enhanced Credit Based Flow Control data path allows local authenticated attackers to crash the system by sending malformed L2CAP packets with insufficient payload length. The vulnerability exists in l2cap_ecred_data_rcv() which reads the SDU length field without validating that the socket buffer contains the required 2 bytes, causing an out-of-bounds read that triggers a kernel panic when the buffer is too small. EPSS exploitation probability is 0.02% (percentile 7%), and a vendor patch is available.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31510
MEDIUM
CVSS 5.5
Null pointer dereference in the Linux kernel Bluetooth L2CAP implementation allows local authenticated attackers to cause a kernel panic and denial of service via the l2cap_sock_ready_cb function during L2CAP connection initialization. The vulnerability occurs when a socket pointer is dereferenced without null validation, triggering a KASAN null-ptr-deref exception that crashes the kernel. EPSS score of 0.02% indicates low real-world exploitation probability despite the moderate CVSS score; no public exploit code or active KEV listing has been identified at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31509
MEDIUM
CVSS 5.5
Denial of service via deadlock in NFC NCI subsystem when nci_close_device() flushes work queues while holding req_lock, triggering a circular lock dependency with nci_rx_work(). The vulnerability affects Linux kernels across multiple stable branches (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, 7.0) and was reproduced in roughly 4% of nci selftest runs on debug kernels, though EPSS scoring (0.02%, percentile 7%) indicates low baseline exploitation probability. Local privilege requirement and high attack complexity in practice mean real-world impact is limited to NFC-capable systems with specific workload timing.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31503
MEDIUM
CVSS 5.5
Linux kernel UDP socket binding fails to properly detect wildcard address conflicts when hash table collision count exceeds 10, allowing a socket to bind to a wildcard address (such as [::]:8888 or 0.0.0.0:8888) even when specific addresses on that port are already in use. This denial-of-service vulnerability affects local authenticated users who can create UDP sockets, bypassing port conflict checks that should prevent duplicate bindings. The issue stems from improper hash table selection logic in UDP's bind path, which switches from a port-only hash to an address-port hash at a threshold, creating a window where wildcard bindings are incorrectly permitted.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31499
MEDIUM
CVSS 5.5
A deadlock condition in Linux kernel Bluetooth L2CAP connection deletion allows local authenticated users to trigger a denial of service by causing the l2cap_conn_del() function to deadlock when canceling delayed work timers while holding the connection lock. The vulnerability affects multiple Linux kernel versions across the 6.x and 7.0 release branches and has been resolved through upstream patch commits that reorganize lock acquisition and work cancellation order.
Information Disclosure
Linux
-
CVE-2026-31498
MEDIUM
CVSS 5.5
Denial of service via infinite loop in Bluetooth L2CAP ERTM reconfiguration allows local authenticated attackers to exhaust system memory. The vulnerability arises from two distinct flaws: improper handling of L2CAP channel reconfiguration that leaks ERTM resources and fails to validate minimum PDU size, causing an infinite loop in l2cap_segment_sdu() when remote_mps is set to zero. EPSS score of 0.02% indicates limited exploitation likelihood despite the high CVSS score, reflecting the requirement for local access and authenticated Bluetooth channel state.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31497
MEDIUM
CVSS 5.5
Out-of-bounds array access in the btusb driver's Bluetooth SCO link handling allows local authenticated attackers to cause denial of service by exhausting kernel memory or crashing the Bluetooth subsystem. The btusb_work() function fails to constrain the sco_num variable before indexing a three-entry lookup table, permitting reads and potential writes past allocated buffer boundaries when four or more SCO links are active. This affects Linux kernel versions 5.8 through 7.0-rc2 and requires local access with unprivileged user privileges to trigger.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31496
MEDIUM
CVSS 5.5
Information disclosure in Linux kernel netfilter nf_conntrack_expect proc interface allows local authenticated users to read connection tracking expectations from other network namespaces, bypassing namespace isolation. The vulnerability affects kernel versions through 6.x and 7.0-rc releases with CVSS 5.5 (local, low complexity, high availability impact) and EPSS 0.02% exploitation probability; vendor-released patches are available for multiple stable branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31495
MEDIUM
CVSS 5.5
Denial of service in Linux kernel netfilter ctnetlink subsystem allows local authenticated attackers to trigger undefined behavior via improper validation of TCP window scale and connection tracking state parameters. The vulnerability stems from missing netlink policy range checks that permit out-of-bounds values (TCP window scale 0-255 instead of clamped 0-14, TCP state values exceeding TCP_CONNTRACK_MAX) to be passed to kernel code expecting constrained ranges, leading to undefined behavior in shift operations and state machine logic. CVSS 5.5 (local, low complexity, requires low privileges) with EPSS 0.03% indicates low real-world exploitation likelihood despite availability of vendor patches.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31492
MEDIUM
CVSS 5.5
Use-after-free in Linux kernel RDMA/irdma driver allows local authenticated users to cause denial of service by triggering uninitialized completion handling during queue pair creation failure. When ib_copy_to_udata fails in irdma_create_qp, the cleanup path attempts to wait on an uninitialized free_qp completion structure, resulting in a kernel panic or system hang. EPSS score of 0.02% indicates low exploitation probability despite moderate CVSS score; patch is available from vendor.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31491
MEDIUM
CVSS 5.5
Integer overflow in Linux kernel RDMA/irdma depth calculation functions allows local authenticated users to trigger a denial of service via improper handling of U32_MAX values passed for SQ/RQ/SRQ size parameters. The vulnerability stems from depth calculations performed in 32-bit integers rather than 64-bit, enabling truncation that bypasses validation and returns success when allocation should fail, potentially causing system instability or resource exhaustion.
Buffer Overflow
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-31487
MEDIUM
CVSS 5.5
Use-after-free vulnerability in the Linux kernel SPI subsystem allows local authenticated attackers to cause denial of service by exploiting unsynchronized access to the driver_override field during device probe operations. The vulnerability occurs because __driver_attach() calls the bus match() callback without holding the device lock, creating a race condition when driver_override is accessed without proper synchronization. CVSS score of 5.5 reflects local attack vector with low complexity and high availability impact. EPSS exploitation probability is minimal at 0.02%, suggesting this is a localized memory safety issue rather than a widely-exploited attack vector.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31483
MEDIUM
CVSS 5.5
Denial of service in Linux kernel on s390 architecture allows local authenticated attackers to crash the system by triggering an out-of-bounds access in the syscall dispatch table. The s390 syscall number is directly controlled by userspace without spectre boundary protection (array_index_nospec), enabling an attacker with local user privileges to supply an invalid syscall number that bypasses array bounds checking and causes a memory access violation. EPSS score is extremely low (0.03%), consistent with limited attack surface on s390-specific systems and requirement for local authentication.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31482
MEDIUM
CVSS 5.5
Information disclosure in Linux kernel s390 architecture allows local authenticated attackers to read residual data from r12 register during kernel entry transitions, enabling potential exposure of sensitive kernel state through register side channels. This occurs on s390 systems running kernel versions 6.4 through 7.0-rc5 and affects all architectures due to incomplete register scrubbing following removal of branch prediction isolation code. EPSS score of 0.02% indicates minimal real-world exploitation likelihood despite moderate CVSS impact rating.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31481
MEDIUM
CVSS 5.5
Kernel panic via null pointer dereference in the tracing subsystem occurs when boot-time trigger registration fails and kthread creation does not succeed, allowing deferred trigger frees to accumulate indefinitely and crash the system. Local authenticated attackers can trigger this by specifying malformed trace event parameters on the kernel command line, resulting in denial of service. EPSS exploitation probability is 0.02% (very low) despite moderate CVSS score, suggesting this requires specific boot-time configuration and local access.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31480
MEDIUM
CVSS 5.5
Denial of service via deadlock in the Linux kernel tracing subsystem occurs when CPU hotplug operations interact with osnoise tracing thread lifecycle management. A local privileged user can trigger a deadlock by inducing CPU offline events while osnoise threads hold conflicting locks (interface_lock and cpus_read_lock), causing system hang. CVSS 5.5 reflects local attack vector and privilege requirement; EPSS 0.02% indicates low real-world exploitation likelihood despite deadlock severity.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31472
MEDIUM
CVSS 5.5
Denial of service in Linux kernel IPTFS (IP Traffic Flow Security) subsystem allows local authenticated attackers to trigger an infinite loop via crafted ESP packets with malformed inner IPv4 headers containing tot_len=0. The vulnerability bypasses input validation in __input_process_payload() that should reject IPv4 packets where tot_len is less than the header length, causing the kernel to spin indefinitely in softirq context and hang the system.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31466
MEDIUM
CVSS 4.7
A race condition in Linux kernel memory management causes folio objects to be accessed without proper locking during concurrent mega-transparent huge page (mTHP) splitting and zap operations on arm64, triggering a denial-of-service condition via VM_WARN_ON_ONCE() panic when the missing memory barrier allows CPU reordering to expose unlocked folio state. The vulnerability affects Linux kernel versions before 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.21, 6.19.11, and 7.0 with EPSS score of 0.02% indicating low real-world exploitation likelihood despite moderate CVSS impact rating.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-31465
MEDIUM
CVSS 5.5
A denial-of-service condition in the Linux kernel writeback subsystem causes system hangs during suspend-to-RAM on filesystems with no data integrity guarantees (such as FUSE-based overlayfs). When the sync operation waits for flusher threads to complete writeback on these filesystems, the kernel can deadlock if the underlying filesystem daemon is frozen or unresponsive, particularly during system power management. The vulnerability affects Linux kernel versions prior to the fix and is resolved by introducing the SB_I_NO_DATA_INTEGRITY superblock flag to skip unnecessary writeback completion waits on filesystems that cannot guarantee data persistence.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31462
MEDIUM
CVSS 5.5
AMD GPU driver in the Linux kernel fails to prevent rapid PASID (Process Address Space ID) reuse, allowing local authenticated attackers to trigger interrupt handling errors and denial of service. When a process exits with an assigned PASID, page faults may remain pending in the interrupt handler ring buffer; if a new process is immediately assigned the same PASID, it inherits these stale interrupts causing system instability. The vulnerability affects Linux kernel versions prior to 7.0 RC1 and requires local user access with standard privileges. EPSS score of 0.02% indicates minimal real-world exploitation likelihood despite moderate CVSS impact rating.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31461
MEDIUM
CVSS 5.5
Memory leak in AMD display driver (amdgpu_dm) on Linux kernel allows local authenticated attackers to cause denial of service by exhausting kernel memory when display sinks are connected and the system resumes from sleep. The vulnerability arises from failure to free previously allocated drm_edid structures before overwriting them, and is confirmed in kernel versions up to 7.0 RC5 with EPSS exploitation probability of 0.02% indicating low real-world exploitation likelihood.
Information Disclosure
Linux
Red Hat
Amd
Suse
-
CVE-2026-31460
MEDIUM
CVSS 5.5
Denial of service via null pointer dereference in AMD display driver backlight setup affects Linux kernel versions 6.19 through 7.0-rc5 when LVDS connectors are present without extended backlight capabilities. Local authenticated users with low privileges can trigger a crash by accessing backlight controls on affected systems, causing system instability. Patch available from vendor with EPSS score of 0.02% indicating low real-world exploitation probability.
Information Disclosure
Linux
Red Hat
Amd
Suse
-
CVE-2026-31459
MEDIUM
CVSS 5.5
Memory leak in Linux kernel DAMON subsystem allows local authenticated users to exhaust system memory via failed allocation in damon_sysfs_new_test_ctx(), causing denial of service. The vulnerability affects kernel versions 6.17.6 through 7.0-rc1 when DAMON_SYSFS is enabled. A privileged user can trigger the leak by making specific control sequences that cause early function returns, bypassing cleanup code and leaving param_ctx unfreed.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31458
MEDIUM
CVSS 5.5
Denial of service via null pointer dereference in Linux kernel DAMON sysfs module allows local privileged users to crash the system by setting nr_contexts to zero while DAMON is running, then issuing state-change commands that dereference an empty contexts array without bounds checking. EPSS exploitation probability is minimal at 0.02%, reflecting the requirement for local privileged access and active DAMON configuration.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31457
MEDIUM
CVSS 5.5
Null pointer dereference in Linux kernel DAMON sysfs interface allows local authenticated users to cause denial of service by setting nr_contexts to zero while DAMON is running, triggering dereference of uninitialized context array pointers in damon_sysfs_repeat_call_fn(). The vulnerability requires local access and low-level privileges (non-root user with sysfs write access), with an EPSS exploitation probability of 0.02% indicating low real-world attack likelihood despite the straightforward trigger mechanism.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31456
MEDIUM
CVSS 4.7
A race condition in the Linux kernel's page table walking code (mm/pagewalk) allows local authenticated attackers to trigger a kernel panic (denial of service) through concurrent PUD splitting and refaulting operations. The vulnerability occurs when one thread is reading /proc/[pid]/numa_maps while another thread (e.g., VFIO-PCI DMA setup) modifies the page table hierarchy, causing walk_pmd_range() to attempt walking a PMD range that no longer exists. The condition requires local access and a privileged operation (VFIO DMA pinning), but can reliably crash the kernel, affecting system availability.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-31451
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio
Replace BUG_ON() with proper error handling when inline data size
exceeds PAGE_SIZE. This prevents kernel panic and allows the system to
continue running wh...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31445
MEDIUM
CVSS 5.5
Null pointer dereference in Linux kernel DAMON subsystem allows local authenticated attackers to cause denial of service when memory allocation failures occur during online parameter updates. The vulnerability affects DAMON's context commit mechanism (damon_commit_ctx), which can partially corrupt kernel state if internal memory allocation fails, potentially leading to NULL pointer dereference in damos_commit_dests(). While real-world impact is rare due to the low probability of allocation failure, the severe consequence of kernel panic necessitates this fix.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31443
MEDIUM
CVSS 5.5
Denial of service in the Linux kernel dmaengine idxd subsystem allows local attackers with low privileges to crash the system by triggering a Function Level Reset when the hardware does not support event log reporting. The vulnerability occurs when the driver attempts to restore or free an event log that was never allocated, resulting in a kernel crash with high availability impact.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31441
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel dmaengine idxd driver occurs when a workqueue is reset, causing resources to be improperly released due to premature setting of the workqueue type to NONE. A local attacker with low privileges can trigger this condition to exhaust kernel memory and cause a denial of service. The vulnerability affects kernel versions 5.8 through 7.0 and has an available vendor patch with low exploitation probability (EPSS 0.02%).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31440
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel dmaengine idxd driver during device removal allows local authenticated attackers to cause a denial of service by exhausting kernel memory. The vulnerability occurs when the device reset causes configuration registers to revert to default state, preventing proper deallocation of event log memory. EPSS exploitation probability is very low at 0.02%, and no public exploit has been identified.
Information Disclosure
Linux
-
CVE-2026-31439
MEDIUM
CVSS 5.5
Incorrect error handling in the Linux kernel's Xilinx XDMA DMA engine driver causes a kernel denial of service when regmap initialization fails. The driver's probe function checks the return value of devm_regmap_init_mmio against NULL rather than using IS_ERR(), so a failure returns an ERR_PTR() value that is non-NULL and passes the check silently; the invalid pointer is then used, triggering a kernel panic. Affected systems require Xilinx XDMA hardware to be present and actively probed by the driver. No public exploit has been identified at time of analysis, and EPSS exploitation probability stands at a negligible 0.02%.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31438
MEDIUM
CVSS 5.5
Kernel panic in the Linux netfs subsystem's netfs_limit_iter() function crashes systems when a process writes a core dump to a 9P-mounted filesystem. The function handles only ITER_FOLIOQ, ITER_BVEC, and ITER_XARRAY iterator types, triggering a hard BUG() when __kernel_write() supplies an ITER_KVEC iterator via netfs_unbuffered_write(), producing a local denial of service via kernel panic. No public exploit code has been identified at time of analysis and no active exploitation has been observed; EPSS stands at 0.02% (5th percentile), indicating minimal widespread exploitation interest.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31437
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel's netfs subsystem crashes the kernel when retrying unbuffered writes on filesystems that omit the prepare_write stream operation, such as 9P. A local low-privilege user who can write to such a mounted filesystem and induce a get_user_pages() -EFAULT failure can trigger a kernel panic, causing a denial of service. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible observed exploitation probability; the vulnerability is not listed in CISA KEV.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31434
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel btrfs filesystem driver allows a local authenticated attacker to gradually exhaust kernel memory through repeated mount and unmount operations on affected configurations. The flaw exists in check_removing_space_info(), which incorrectly uses kfree() on kobject-initialized sub-group space_info elements instead of the proper kobject_put() teardown path, leaving kobj->name string allocations unreferenced and unfreed. No public exploit exists (EPSS 0.02%, 7th percentile) and the vulnerability is not listed in CISA KEV, placing real-world risk well below what the CVSS 5.5 Medium score might suggest.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31192
MEDIUM
CVSS 6.5
Raindrop.io Bookmark Manager Web App version 5.6.76.0 allows remote unauthenticated attackers to obtain sensitive user data through insufficient validation of Chrome extension identifiers in crafted requests. The vulnerability exploits improper input validation (CWE-20) to bypass security controls, enabling information disclosure with low integrity impact. No active exploitation has been confirmed in CISA KEV, but publicly available vulnerability research exists on GitHub.
Information Disclosure
Google
-
CVE-2026-30139
MEDIUM
CVSS 6.1
Reflected cross-site scripting (XSS) in Silverpeas Core before version 6.4.6 allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers via malicious input to the AdvancedSearch functionality. The vulnerability requires user interaction (clicking a crafted link) and affects confidentiality and integrity with partial technical impact. Publicly available exploit code exists, and CISA SSVC assessment confirms proof-of-concept availability, though this vulnerability is not yet confirmed in active widespread exploitation.
XSS
N A
-
CVE-2026-28950
MEDIUM
CVSS 6.2
A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications marked for deletion could be unexpectedly retained on the device.
Information Disclosure
Apple
-
CVE-2026-22748
MEDIUM
CVSS 5.3
JWT token validation bypass in Spring Security allows authenticated attackers to forge or manipulate JWT tokens when NimbusJwtDecoder or NimbusReactiveJwtDecoder is used without explicit OAuth2TokenValidator configuration, enabling unauthorized access to protected resources. The vulnerability affects Spring Security versions 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.9, and 7.0.0-7.0.4. CVSS 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N) reflects network-accessible exploitation requiring low-privilege authentication and high attack complexity.
Java
Information Disclosure
Red Hat
-
CVE-2026-22747
MEDIUM
CVSS 6.8
Spring Security 7.0.0 through 7.0.4 mishandles malformed X.509 certificate CN values in the SubjectX500PrincipalExtractor, allowing authenticated attackers to craft certificates that extract incorrect username values and impersonate other users. The vulnerability requires network access and authenticated privileges but does not require user interaction; it affects certificate-based authentication flows where X.509 principal extraction is used.
Java
Information Disclosure
Red Hat
-
CVE-2026-6862
MEDIUM
CVSS 5.5
Libefiboot in efivar fails to validate that EFI device path node length fields meet the 4-byte minimum requirement, allowing local users to trigger infinite recursion and stack exhaustion via crafted device paths. The vulnerability requires user interaction but causes denial of service by crashing affected processes, with no privilege escalation or data compromise. No active exploitation has been confirmed at the time of analysis.
Denial Of Service
-
CVE-2026-6861
MEDIUM
CVSS 6.1
Memory corruption in GNU Emacs SVG/CSS processing allows local attackers to trigger denial of service or information disclosure by convincing users to open specially crafted SVG files. The vulnerability requires user interaction (file opening) and local access, but results in significant impact including service disruption and potential data leakage through memory corruption exploitation.
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2026-6848
MEDIUM
CVSS 5.4
Red Hat Quay 3 bypasses password re-verification for sensitive operations such as token generation and robot account creation, allowing users with timed-out or idle authenticated sessions to perform privileged actions without providing valid credentials. An attacker with access to an abandoned browser session can execute sensitive operations despite the UI displaying authentication errors, resulting in unauthorized token creation, robot account manipulation, and information disclosure. CVSS 5.4 reflects moderate risk with network attack vector and low privilege requirements.
Information Disclosure
Red Hat
-
CVE-2026-6845
MEDIUM
CVSS 5.0
The readelf utility in binutils is vulnerable to denial of service through null pointer dereference when processing specially crafted ELF files. A local attacker with limited privileges can trigger excessive resource consumption or program crashes by convincing a user to process a malicious ELF binary, affecting Red Hat Enterprise Linux 6, 7, 8, and 10. No public exploit code or active exploitation has been confirmed at this time.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-6844
MEDIUM
CVSS 5.5
The readelf utility in binutils is vulnerable to denial of service through two distinct flaws triggered by maliciously crafted ELF files: a resource exhaustion vulnerability (CWE-400) causing out-of-memory conditions and a null pointer dereference (CWE-476) causing segmentation faults. Both vulnerabilities require local access and user interaction to open a malicious file, resulting in the readelf utility crashing or becoming unresponsive. No public exploit code or active exploitation has been identified at the time of analysis.
Denial Of Service
-
CVE-2026-6843
MEDIUM
CVSS 5.5
Format string vulnerability in nano's statusline() function allows local users to trigger a segmentation fault via directory names containing printf specifiers, causing denial of service. Exploitation requires user interaction (opening a directory with the crafted name) on systems where nano is available to local users. No public exploit code identified at time of analysis.
Denial Of Service
-
CVE-2026-6840
MEDIUM
CVSS 5.5
Denial of service via out-of-range operator-code lookup in Samsung ONE machine learning framework prior to version 1.30.0 allows local attackers with user interaction to crash the model loading process. Missing bounds validation during operator code indexing permits access to invalid memory locations, triggering application termination without authentication.
Information Disclosure
-
CVE-2026-6839
MEDIUM
CVSS 6.6
Improper validation of STRING tensor offsets in Samsung Open Source ONE prior to commit 1.30.0 allows local attackers with user interaction to trigger out-of-bounds memory access during constant tensor import, potentially causing information disclosure, data modification, or denial of service. The vulnerability affects the tensor metadata parsing logic when processing malformed string tensor definitions.
Information Disclosure
Samsung
-
CVE-2026-6835
MEDIUM
CVSS 5.1
Unauthenticated remote attackers can upload arbitrary files to any path in a+HCM developed by aEnrich, including executable HTML documents, enabling cross-site scripting and potential server-side impacts. The vulnerability requires user interaction (UI:A) but allows unrestricted file placement with low scope and integrity impact. No patch version or active exploitation data is currently available.
XSS
File Upload
-
CVE-2026-6515
MEDIUM
CVSS 5.4
GitLab CE/EE versions 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 allow authenticated users to access Virtual Registries using invalidated or incorrectly scoped credentials under certain conditions, resulting in unauthorized information disclosure and modification. The vulnerability requires valid user credentials and network access but no user interaction, affecting confidentiality and integrity with partial technical impact per SSVC. No public exploit code or active exploitation has been identified at time of analysis.
Information Disclosure
Gitlab
-
CVE-2026-6396
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in Fast & Fancy Filter - 3F WordPress plugin up to version 1.2.2 allows unauthenticated attackers to modify plugin filter settings, update arbitrary site options, or create filter posts by tricking site administrators into clicking a malicious link. The vulnerability exists in the saveFields() function which handles the fff_save_settins AJAX action without nonce verification, enabling attackers to forge requests that execute administrative actions on behalf of logged-in administrators.
WordPress
CSRF
-
CVE-2026-6386
MEDIUM
CVSS 6.2
Unprivileged local users on FreeBSD can read sensitive kernel memory via a page table manipulation bug in pmap_pkru_update_range(). When applying protection keys to 1GB largepage mappings created through shm_create_largepage(3), the kernel incorrectly treats userspace memory as page table entries, enabling unauthorized information disclosure. This affects FreeBSD 13.5, 14.3, 14.4, and 15.0 releases and has been confirmed fixed by vendor patches.
Privilege Escalation
-
CVE-2026-6355
MEDIUM
CVSS 6.5
Insecure direct object references in Augmentt 1.0 allow unauthenticated remote attackers to access and modify sensitive tenant data across different organizational contexts, bypassing authentication mechanisms through direct manipulation of object identifiers. The vulnerability enables both unauthorized information disclosure and modification of tenant configuration with CVSS 6.5 (medium severity); no public exploit code has been identified at the time of analysis, though the attack is automatable and requires no user interaction.
Authentication Bypass
Information Disclosure
-
CVE-2026-6294
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in Google PageRank Display plugin for WordPress (versions up to 1.4) allows unauthenticated attackers to trick logged-in administrators into changing plugin settings via a crafted request, due to missing nonce validation in the settings form handler. The vulnerability has a CVSS score of 4.3 (network-based, low complexity, requires user interaction) and enables modification of plugin configuration such as display style without administrator knowledge.
WordPress
Google
CSRF
-
CVE-2026-6246
MEDIUM
CVSS 6.4
Simple Random Posts Shortcode plugin for WordPress versions up to 0.3 contains stored cross-site scripting (XSS) via insufficient sanitization of the 'container_right_width' shortcode attribute, allowing authenticated contributors and above to inject arbitrary JavaScript that executes in browsers of all users accessing affected pages. No active exploitation has been confirmed, but the vulnerability requires only contributor-level access and carries network-based attack vector with low complexity.
WordPress
XSS
-
CVE-2026-6236
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Posts Map plugin for WordPress up to version 0.1.3 allows authenticated contributors to inject arbitrary JavaScript via the 'name' shortcode attribute. When any user accesses a page containing the malicious shortcode, the injected script executes in their browser with the privileges of their WordPress session, potentially enabling account compromise, admin impersonation, or malware distribution. The vulnerability requires contributor-level or higher access and affects all versions through 0.1.3.
WordPress
XSS
-
CVE-2026-6041
MEDIUM
CVSS 4.4
Stored cross-site scripting in the Buzz Comments WordPress plugin (all versions up to 0.9.4) allows authenticated administrators to inject arbitrary JavaScript via the 'Custom Buzz Avatar' setting, with the malicious script executing whenever any user accesses the plugin settings page. The vulnerability requires high-privilege administrative access and manual interaction with the settings interface, limiting its practical exploitability to insider threats or compromised administrator accounts.
WordPress
XSS
-
CVE-2026-5820
MEDIUM
CVSS 6.4
Stored cross-site scripting in Zypento Blocks plugin for WordPress up to version 1.0.6 allows authenticated attackers with Author-level privileges to inject arbitrary JavaScript into page content via the Table of Contents block. The vulnerability exists because the front-end rendering script reads heading text using innerText and renders it via innerHTML without sanitization, causing injected scripts to execute whenever users access the compromised page. No public exploit code or active exploitation has been reported at time of analysis.
WordPress
XSS
-
CVE-2026-5767
MEDIUM
CVSS 6.4
Stored cross-site scripting (XSS) in SlideShowPro SC plugin for WordPress versions up to 1.0.2 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript through the `slideShowProSC` shortcode attributes due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, potentially compromising session tokens, stealing credentials, or performing unauthorized actions on behalf of site visitors. No public exploit code or active exploitation has been confirmed at the time of analysis.
WordPress
XSS
-
CVE-2026-5748
MEDIUM
CVSS 6.4
Stored cross-site scripting (XSS) in the Text Snippets plugin for WordPress up to version 0.0.1 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via unsanitized shortcode attributes, which executes whenever any user visits the affected page. The vulnerability stems from insufficient input sanitization and output escaping on the `ts` shortcode, enabling persistent payload injection. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-5377
MEDIUM
CVSS 4.3
GitLab CE/EE 18.11 before 18.11.1 allows authenticated users to bypass access controls and read titles of confidential or private issues in public projects through improper validation in the issue description rendering process. The vulnerability requires valid user credentials but no elevated privileges, affecting the confidentiality of issue metadata that should be restricted. Publicly available exploit code exists, and a vendor patch is available.
Authentication Bypass
Gitlab
-
CVE-2026-4919
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in IBM Guardium Data Protection 12.1 through 26.0.0.4 allows authenticated administrative users to inject arbitrary JavaScript into the Web UI, enabling credential theft and session hijacking of other administrators within a trusted session. The vulnerability requires administrative privileges and user interaction (clicking a malicious link or visiting a crafted page), limiting its scope but maintaining high impact for multi-admin environments. EPSS context and active exploitation status are not publicly confirmed at this time.
XSS
IBM
-
CVE-2026-4918
MEDIUM
CVSS 5.5
Stored cross-site scripting in IBM Guardium Data Protection 12.1 allows high-privileged administrative users to inject malicious JavaScript into the Web UI, enabling credential theft and session hijacking within trusted administrative sessions. The vulnerability requires administrative privileges and does not require user interaction, allowing attackers with admin access to persistently compromise the confidentiality and integrity of the system. A patch is available from IBM.
XSS
IBM
-
CVE-2026-4353
MEDIUM
CVSS 6.4
Stored cross-site scripting in CI HUB Connector plugin for WordPress up to version 1.2.106 allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript through the 'id' attribute of the cihub_metadata shortcode, which executes in the context of any user visiting the injected page. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode handler, enabling persistent XSS attacks that can compromise site visitors and administrative accounts.
WordPress
XSS
-
CVE-2026-4280
MEDIUM
CVSS 6.5
Local file inclusion in Breaking News WP plugin for WordPress (versions up to 1.3) allows authenticated attackers with Subscriber-level access to read arbitrary files on the server. The vulnerability stems from insufficient path validation in the brnwp_show_breaking_news_wp() shortcode handler, which passes unsanitized user input directly to PHP's include() function after stripping only text field characters but not directory traversal sequences. Attackers can exploit the unprotected brnwp_ajax_form AJAX endpoint to overwrite the brnwp_theme option with paths like ../../../../etc/passwd, then trigger file inclusion when the shortcode renders.
WordPress
Path Traversal
CSRF
-
CVE-2026-4279
MEDIUM
CVSS 6.4
Stored cross-site scripting in Bread & Butter plugin for WordPress up to version 8.2.0.25 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'event' attribute of the 'breadbutter-customevent-button' shortcode. The vulnerability arises from missing output escaping in the customEventShortCodeButton() function, which directly interpolates unsanitized user input into an onclick HTML attribute. Scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malicious content injection.
WordPress
XSS
-
CVE-2026-4142
MEDIUM
CVSS 4.4
Stored cross-site scripting in the Sentence To SEO WordPress plugin (versions up to 1.0) allows authenticated administrators to inject arbitrary JavaScript into the plugin settings page via the 'Permanent keywords' field. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to break out of a textarea element and inject malicious scripts that execute when other users access the settings page. This requires administrator-level privileges and does not affect unauthenticated users.
PHP
WordPress
XSS
-
CVE-2026-4140
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in Ni WooCommerce Order Export plugin for WordPress allows unauthenticated attackers to modify plugin settings by tricking an administrator into clicking a malicious link, due to missing nonce validation in the AJAX settings handler. Affected versions through 3.1.6 accept direct $_REQUEST input to update_option() without any CSRF protection or capability checks, enabling unauthorized configuration changes.
WordPress
CSRF
-
CVE-2026-4139
MEDIUM
CVSS 4.3
Cross-site request forgery in mCatFilter WordPress plugin up to version 0.5.2 allows unauthenticated attackers to modify all plugin settings including category exclusion rules, feed exclusion flags, and tag page exclusion flags by tricking site administrators into clicking a malicious link. The vulnerability exists because the compute_post() function processes $_POST data without nonce verification or capability checks, executing on every page load via the plugins_loaded hook.
WordPress
CSRF
-
CVE-2026-4138
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) in the DX Unanswered Comments WordPress plugin versions up to 1.7 allows unauthenticated attackers to modify critical plugin settings (authors list and comment count) by tricking a site administrator into clicking a malicious link, due to missing nonce validation in the settings form handler. The CVSS 4.3 score reflects low severity with integrity impact limited to plugin configuration rather than data or code execution, but successful exploitation could alter site functionality if an attacker controls which comments are flagged as unanswered.
PHP
WordPress
CSRF
-
CVE-2026-4133
MEDIUM
CVSS 4.3
Cross-site request forgery in TextP2P Texting Widget plugin for WordPress up to version 1.7 allows unauthenticated attackers to modify all plugin settings including API credentials and widget configuration by tricking site administrators into clicking a malicious link. The vulnerability stems from missing nonce validation in the settings update handler, enabling attackers to change chat titles, messages, colors, reCAPTCHA configuration, and other sensitive options without authentication or authorization verification. This requires user interaction (admin must click attacker-controlled link) but affects any WordPress site running the vulnerable plugin with an active administrator.
WordPress
CSRF
-
CVE-2026-4131
MEDIUM
CVSS 6.1
WP Responsive Popup + Optin plugin for WordPress versions up to 1.4 is vulnerable to Cross-Site Request Forgery (CSRF) allowing unauthenticated attackers to modify all plugin settings, including the 'wpo_image_url' parameter, by tricking site administrators into clicking a malicious link. The vulnerability exists because the settings form in wpo_admin_page.php lacks WordPress nonce generation and verification functions. Exploitation requires administrator interaction but can alter critical plugin configuration with broader impact across the site.
PHP
WordPress
CSRF
-
CVE-2026-4128
MEDIUM
CVSS 4.3
TP Restore Categories And Taxonomies WordPress plugin versions up to 1.0.1 lack capability checks in the delete_term() AJAX handler, allowing authenticated Subscriber-level users to permanently delete taxonomy terms from backup tables by reusing a nonce exposed to all authenticated users. The vulnerability bypasses authorization despite nonce validation, enabling low-privileged attackers to cause data loss via a simple crafted AJAX request.
PHP
WordPress
Authentication Bypass
-
CVE-2026-4126
MEDIUM
CVSS 4.3
Table Manager plugin for WordPress versions up to 1.0.0 allows authenticated Contributor-level users and above to extract sensitive data from arbitrary WordPress database tables via the 'table_manager' shortcode. The vulnerability stems from insufficient input validation on the table name parameter: the plugin uses only sanitize_key() without an allowlist check, enabling attackers to enumerate and read data from any accessible database table by manipulating the shortcode attribute. No public exploit code has been identified, but the attack requires only valid WordPress credentials at Contributor level or higher.
WordPress
Information Disclosure
-
CVE-2026-4125
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in WPMK Block plugin for WordPress up to version 1.0.1 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'class' shortcode attribute, which is directly concatenated into HTML without proper escaping. The vulnerability affects all versions through 1.0.1 due to insufficient input sanitization in the wpmk_block_shortcode() function, enabling persistent XSS attacks that execute whenever users access compromised pages.
WordPress
XSS
-
CVE-2026-4121
MEDIUM
CVSS 4.3
The Kcaptcha WordPress plugin versions up to 1.0.1 fails to validate nonces on the settings page, allowing unauthenticated attackers to modify CAPTCHA configuration (enable/disable on login, registration, lost password, and comment forms) via cross-site request forgery if a site administrator can be tricked into clicking a malicious link. The vulnerability requires user interaction (administrator click) but carries a CVSS score of 4.3 with integrity impact; no public exploit code or active exploitation has been identified at the time of analysis.
PHP
WordPress
CSRF
-
CVE-2026-4118
MEDIUM
CVSS 4.3
Call To Action Plugin for WordPress versions up to 3.1.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the settings page that allows unauthenticated attackers to modify plugin configuration via forged requests. The vulnerability exists because the cbox_options_page() function lacks nonce validation (missing wp_nonce_field() and wp_verify_nonce() checks), enabling attackers to trick site administrators into clicking malicious links that alter call-to-action box settings including title, content, URL, colors, and other options. No public exploit code has been identified, but the attack requires minimal complexity (AC:L) and relies on user interaction (UI:R) to succeed.
WordPress
CSRF
-
CVE-2026-4117
MEDIUM
CVSS 5.3
Authenticated users with Subscriber-level access can modify the CalJ Shabbat Times plugin's API key and clear its cache due to missing authorization checks in the CalJSettingsPage class constructor. The vulnerability affects all versions up to and including 1.5, with no special network or interaction requirements beyond valid WordPress authentication. While CVSS 5.3 reflects moderate integrity impact, the practical risk depends on whether WordPress sites allow Subscriber-level registrations and whether the plugin's API key provides sensitive access to external services.
PHP
WordPress
Authentication Bypass
-
CVE-2026-4090
MEDIUM
CVSS 6.1
Inquiry Cart plugin for WordPress versions up to 3.4.2 allows unauthenticated attackers to modify plugin settings and inject malicious scripts into the admin area via Cross-Site Request Forgery (CSRF) attacks. The vulnerability exploits missing nonce verification in the settings form handler, requiring an administrator to be socially engineered into clicking a malicious link. Stored scripts execute with admin privileges, enabling account hijacking and complete site compromise.
WordPress
CSRF
-
CVE-2026-4089
MEDIUM
CVSS 6.4
Stored cross-site scripting in Twittee Text Tweet WordPress plugin versions up to 1.0.8 allows authenticated users with Contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes. The ttt_twittee_tweeter() function uses extract() to process shortcode parameters and concatenates them directly into HTML and inline JavaScript contexts without escaping, enabling attackers to break out of attribute contexts and inject event handlers that execute against site visitors. The vulnerability affects the 'id', 'tweet', 'content', 'balloon', and 'theme' parameters.
WordPress
XSS
-
CVE-2026-4088
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Switch CTA Box WordPress plugin up to version 1.1 allows authenticated contributors and above to inject arbitrary JavaScript through unsanitized post meta fields including button link, button ID, button text, and description. The vulnerability arises from direct output of user-supplied data into HTML without escaping functions, enabling attackers to execute malicious scripts whenever pages containing injected shortcodes are accessed by any visitor.
WordPress
XSS
-
CVE-2026-4085
MEDIUM
CVSS 6.4
Stored cross-site scripting (XSS) in Easy Social Photos Gallery - MIF plugin for WordPress (versions up to 3.1.2) allows authenticated attackers with contributor-level access to inject arbitrary HTML and JavaScript via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode. The vulnerability exists because the plugin uses sanitize_text_field() instead of esc_attr() when outputting the attribute inside an HTML class attribute, allowing attackers to break out of the attribute context and inject event handlers that execute in users' browsers when they visit affected pages.
WordPress
XSS
-
CVE-2026-4082
MEDIUM
CVSS 6.4
Stored cross-site scripting in the ER Swiffy Insert WordPress plugin through version 1.0.0 allows authenticated users with Contributor access or higher to inject arbitrary JavaScript via unsanitized shortcode attributes that are directly interpolated into page output. The vulnerability affects all versions of the plugin and requires only contributor-level privileges to exploit, making it a persistence and privilege-escalation vector on WordPress sites with multiple user accounts.
WordPress
XSS
-
CVE-2026-4076
MEDIUM
CVSS 6.4
Stored cross-site scripting in Slider Bootstrap Carousel WordPress plugin up to version 1.0.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via unsanitized 'category' and 'template' shortcode attributes, executing malicious scripts in pages viewed by any user. The vulnerability stems from improper use of extract() on shortcode attributes combined with missing output escaping (esc_attr()) on multiple HTML attributes, enabling persistent XSS injection that affects site security and user data.
WordPress
XSS
-
CVE-2026-4074
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the Quran Live Multilanguage WordPress plugin versions up to 1.0.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes ('cheikh' and 'lang'). The vulnerability exploits insufficient input validation in the quran_live_render() function and direct output of user-supplied values into inline <script> blocks without escaping, enabling injection of arbitrary web scripts that execute whenever a user accesses the compromised page.
PHP
WordPress
XSS
-
CVE-2026-3837
MEDIUM
CVSS 4.6
Stored cross-site scripting (XSS) in Frappe 16.10.0 allows authenticated attackers with high privileges to inject malicious scripts into document fields, which execute in the browser of any user who subsequently opens the affected document in Desk. The vulnerability stems from unsafe HTML interpolation in multiple formatter implementations that fail to escape user-supplied values, enabling persistent client-side code execution with limited scope (low integrity/availability impact). CVSS 4.6 reflects the requirement for authenticated high-privilege access and user interaction, but the XSS vector represents a significant persistence and social engineering risk in collaborative document environments.
XSS
-
CVE-2026-3673
MEDIUM
CVSS 4.6
Stored cross-site scripting (XSS) in Frappe 16.10.10 allows authenticated attackers with high privileges to inject malicious JavaScript via crafted tag values in the _user_tags field, which execute when victims open list or report views. The vulnerability stems from unescaped interpolation of tag content into HTML attributes and element content. Exploitation requires user interaction (victim must open affected view) and high-level authentication, but results in session hijacking or data theft with partial technical impact; CISA SSVC framework rates this as exploitable via proof-of-concept with partial technical impact.
XSS
-
CVE-2026-3362
MEDIUM
CVSS 4.4
Stored Cross-Site Scripting in Short Comment Filter WordPress plugin up to version 2.2 allows authenticated administrators to inject arbitrary JavaScript through the 'Minimum Count' settings field due to missing input sanitization and output escaping. The vulnerability affects all versions through 2.2 and has particular impact in WordPress multisite environments or when DISALLOW_UNFILTERED_HTML is configured, where administrators lack unfiltered_html capabilities. No public exploit code or active exploitation has been identified at the time of analysis.
WordPress
XSS
-
CVE-2026-2719
MEDIUM
CVSS 4.4
Stored cross-site scripting in Private WP Suite plugin for WordPress through version 0.4.1 allows authenticated administrators to inject arbitrary JavaScript via the Exceptions setting, which executes in the browsers of any user accessing affected pages. The vulnerability requires high-privilege authenticated access and only manifests in multi-site installations or those with unfiltered_html disabled, limiting real-world exposure despite network-accessible attack vector.
WordPress
XSS
-
CVE-2026-2717
MEDIUM
CVSS 5.5
CRLF injection in HTTP Headers WordPress plugin up to version 1.19.2 allows authenticated administrators to inject arbitrary Apache directives into .htaccess files via unsanitized custom header fields, causing configuration parse errors and potential site-wide denial of service. Attack requires Administrator-level WordPress access and no user interaction. CVSS 5.5 reflects high availability impact (A:H) balanced against high privilege requirements (PR:H).
WordPress
Denial Of Service
Apache
-
CVE-2026-2714
MEDIUM
CVSS 4.4
Stored Cross-Site Scripting in Institute Management plugin for WordPress up to version 5.5 allows authenticated administrators to inject arbitrary JavaScript via the 'Enquiry Form Title' setting, which executes when users access affected pages. The vulnerability is limited to multi-site WordPress installations or sites with unfiltered_html disabled. CVSS 4.4 reflects high privilege requirements (PR:H) and conditional scope (multi-site only), but the stored XSS nature and administrator access requirement make this a targeted insider threat rather than a broad attack surface.
WordPress
XSS
-
CVE-2026-1930
MEDIUM
CVSS 4.3
Emailchef WordPress plugin versions up to 3.5.1 allow authenticated attackers with Subscriber-level access to delete plugin settings via an unprotected AJAX action due to missing capability checks. The vulnerability enables unauthorized modification of plugin configuration without administrative privileges, affecting any WordPress site using the affected plugin versions. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-1913
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in the Gallagher Website Design WordPress plugin through version 2.6.4 allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into pages via the 'prefix' attribute of the login_link shortcode, bypassing input sanitization and output escaping controls. The injected scripts execute in the context of any user viewing the affected page, potentially enabling session hijacking, credential theft, or malicious redirection. Wordfence has documented the vulnerability with proof-of-concept references to the vulnerable code in the WordPress plugin repository.
WordPress
XSS
-
CVE-2026-1845
MEDIUM
CVSS 5.5
Stored Cross-Site Scripting in Real Estate Pro plugin for WordPress up to version 1.0.9 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes for all users viewing affected pages. The vulnerability is limited to multi-site installations or single-site instances with the unfiltered_html capability disabled. Attack requires administrator-level privileges and no user interaction, but scope is changed (cross-site impact), resulting in a moderate CVSS score of 5.5.
WordPress
XSS
-
CVE-2026-1660
MEDIUM
CVSS 6.5
Denial of service in GitLab CE/EE versions 12.3 through 18.11.0 allows authenticated users to trigger excessive resource consumption during issue import operations due to improper input validation on user-supplied data. The vulnerability affects all minor versions from 12.3 onwards until patched versions 18.9.6, 18.10.4, and 18.11.1. Publicly available exploit code exists, and CISA SSVC assessment indicates the vulnerability is exploitable but not automatable at scale.
Denial Of Service
Gitlab
-
CVE-2026-1395
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the Gutentools WordPress plugin (versions up to 1.1.3) allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the Post Slider block's block_id attribute. The vulnerability exploits insufficient input sanitization combined with a custom unescaping routine that reintroduces dangerous characters, enabling persistent payload execution whenever users access injected pages. This affects all installations using the plugin at or below version 1.1.3 and requires only low-privileged WordPress authentication.
WordPress
XSS
-
CVE-2026-1379
MEDIUM
CVSS 4.4
Stored cross-site scripting in HTTP Headers plugin for WordPress up to version 1.19.2 allows authenticated administrators to inject arbitrary scripts into admin settings that execute when users access affected pages. This vulnerability is limited to multi-site installations or sites where the unfiltered_html capability has been disabled, significantly reducing real-world exposure. No active exploitation has been publicly reported, and the high privilege requirement (administrator role) narrows the practical attack surface.
WordPress
XSS
-
CVE-2025-58922
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada theme allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through malicious web pages, affecting versions before 7.13.2. The vulnerability requires user interaction (clicking a malicious link or visiting a crafted page) but carries low overall risk due to SSVC assessment indicating none-automatable exploitation with partial technical impact. No active exploitation has been confirmed in CISA KEV at time of analysis.
CSRF
Avada
-
CVE-2025-6016
MEDIUM
CVSS 6.5
Denial of service in GitLab CE/EE affects authenticated users who can trigger resource exhaustion when retrieving notes under specific conditions, causing service unavailability. Versions 9.2 through 18.9.5, 18.10.0 through 18.10.3, and 18.11.0 are vulnerable. An authenticated attacker with standard user privileges can exploit this remotely without user interaction via crafted note retrieval requests. A publicly available exploit exists, and patches have been released by GitLab.
Denial Of Service
Gitlab
-
CVE-2025-3922
MEDIUM
CVSS 6.5
Authenticated users can trigger denial of service in GitLab by overwhelming system resources through the GraphQL API due to insufficient resource allocation limits. Affected versions span from 12.4 through 18.11.0 across three release branches. Publicly available exploit code exists, though active exploitation has not been confirmed in CISA KEV. CVSS 6.5 reflects moderate severity with high availability impact but requires valid authentication.
Denial Of Service
Gitlab
-
CVE-2025-0186
MEDIUM
CVSS 6.5
Authenticated users can trigger denial of service in GitLab CE/EE versions 10.6 through 18.11.0 by sending crafted requests to the discussions endpoint that exhaust server resources. The vulnerability requires valid authentication credentials and affects all affected versions across the 10.6, 18.9, 18.10, and 18.11 release branches. Publicly available exploit code exists; CISA has not yet listed this in the Known Exploited Vulnerabilities catalog, but active exploitation likelihood is moderate given public POC availability and the low complexity of resource exhaustion attacks.
Denial Of Service
Gitlab
-
CVE-2026-41677
LOW
CVSS 1.7
Buffer over-read in rust-openssl's password callback APIs allows information disclosure when a user-supplied callback returns a value larger than the provided buffer. The vulnerability affects rust-openssl bindings to OpenSSL 1.x and 2.x; OpenSSL 3.x implementations are not vulnerable. An attacker who controls the password callback can read sensitive data from adjacent memory regions.
Buffer Overflow
Information Disclosure
OpenSSL
-
CVE-2026-41144
NONE
F Prime framework before version 4.2.0 allows remote code execution via integer overflow in bounds checking combined with path traversal in file upload functionality. An attacker sending a crafted DataPacket with byteOffset=0xFFFFFF9C and dataSize=100 causes U32 addition to wrap to zero, bypassing the fileSize validation. This enables writing arbitrary data to any file at any offset on the target system, leading to remote code execution on embedded spaceflight and other critical systems. CISA KEV status and active exploitation unknown; vendor patch available in version 4.2.0.
RCE
Integer Overflow
-
CVE-2026-41140
LOW
CVSS 0.6
Path traversal vulnerability in Poetry's tar extraction function allows arbitrary file writes when processing untrusted source distributions on Python 3.10.0-3.10.12 and 3.11.0-3.11.4, where the tarfile.data_filter safety mechanism is absent or broken. The vulnerability is triggered during dependency resolution (poetry add --lock) or installation before the build backend executes, enabling attackers to write files outside the intended extraction directory via crafted tar member paths, symlinks, or hardlinks in malicious sdists.
RCE
Python
Path Traversal
Debian
Ubuntu
-
CVE-2026-40215
None
Pre-NVD disclosure via GitHub release 'v2.6.20' (openvpn/openvpn). Security fixes:
* [CVE-2026-40215](https://www.cve.org/CVERecord?id=CVE-2026-40215): fix race condition in TLS handshake that could lead to leaking of packet data from a previous handshake under specific circumstances
* [C...
Information Disclosure
-
CVE-2026-35381
LOW
CVSS 3.3
Logic error in uutils coreutils cut utility causes incorrect behavior when combining the -s (only-delimited), -z (null-terminated), and -d '' (empty delimiter) flags, resulting in unfiltered records being emitted instead of suppressed. This breaks data integrity for automated pipelines relying on cut -s to exclude records without delimiters, affecting local users with limited privileges. The vulnerability has low exploitability (CVSS 3.3, SSVC indicates no exploitation status and non-automatable attack), but poses information disclosure and data corruption risks in security-sensitive data processing workflows.
Information Disclosure
-
CVE-2026-35379
LOW
CVSS 3.3
uutils coreutils tr utility misdefines POSIX character classes [:graph:] and [:print:], incorrectly including ASCII space (0x20) in [:graph:] and excluding it from [:print:], the opposite of standard behavior. This logic error causes unintended data modification or loss when tr is used in automated scripts or data pipelines that depend on correct character class semantics, such as deletion of graphical characters inadvertently removing all spaces and corrupting structured data. Affects coreutils versions prior to 0.8.0; patch is available from vendor.
Information Disclosure
-
CVE-2026-35378
LOW
CVSS 3.3
Logic error in uutils coreutils expr utility evaluates parenthesized subexpressions during parsing rather than execution, breaking short-circuit evaluation for logical OR and AND operations. This causes arithmetic errors in dead code branches (e.g., division by zero) to trigger fatal errors instead of being safely ignored, breaking shell script control flow and diverging from GNU expr compatibility. Affects uutils coreutils versions prior to 0.8.0; publicly available exploit code exists per SSVC data.
Information Disclosure
-
CVE-2026-35377
LOW
CVSS 3.3
The env utility in uutils coreutils incorrectly rejects valid backslash escape sequences in single-quoted strings when using the -S (split-string) option, terminating with exit status 125 and causing local denial of service for scripts relying on GNU env compatibility. The implementation performs overly strict validation that diverges from GNU behavior, where backslashes outside of \\ and \' are treated literally rather than invalid, breaking automated administrative workflows.
Denial Of Service
-
CVE-2026-35375
LOW
CVSS 3.3
The split utility in uutils coreutils corrupts output filenames when processing non-UTF-8 prefix or suffix inputs by converting invalid byte sequences to UTF-8 replacement characters, causing filename mismatches, collisions, and potential data misdirection. Affected versions prior to 0.8.0 on all platforms exhibit this behavior, which deviates from GNU split's byte-preservation semantics. Local authenticated users can trigger the vulnerability through crafted non-UTF-8 input, leading to integrity issues in automated workflows relying on predictable filename generation.
Information Disclosure
-
CVE-2026-35373
LOW
CVSS 3.3
The ln utility in uutils coreutils fails to process source paths containing non-UTF-8 filename bytes when using target-directory forms, rejecting valid filenames that GNU ln handles correctly. This logic error affects automated scripts and system tasks on Unix filesystems where non-UTF-8 filenames are common, causing denial of service for those specific operations. SSVC classifies exploitation as possible (POC available) but not automatable, with partial technical impact.
Denial Of Service
-
CVE-2026-35371
LOW
CVSS 3.3
The id utility in uutils coreutils displays incorrect effective user information in its pretty-print output when real and effective UIDs differ, using the effective GID instead of effective UID for name lookup. This causes misleading diagnostic output that could lead system administrators or automated scripts to make incorrect access control decisions, though impact is limited to information disclosure with no direct code execution or system compromise.
Information Disclosure
-
CVE-2026-35367
LOW
CVSS 3.3
The nohup utility in uutils coreutils creates its default output file with world-readable permissions (0644) instead of owner-only (0600), allowing any local user to read captured stdout/stderr and access potentially sensitive information in multi-user systems. This information disclosure vulnerability affects all versions of uutils coreutils and diverges from the secure permission model implemented in GNU coreutils.
Information Disclosure
-
CVE-2026-35362
LOW
CVSS 3.6
Time-of-Check to Time-of-Use (TOCTOU) symlink race condition vulnerability in uutils coreutils affects directory traversal operations on macOS and FreeBSD because the safe_traversal module's file-descriptor-relative syscall protections are incorrectly limited to Linux targets only. Local authenticated attackers with limited privileges can exploit this race condition to read or modify files via symlink manipulation, though exploitation requires specific timing conditions and is not automatable. EPSS and CISA SSVC assessment indicate partial technical impact with no evidence of active exploitation.
Path Traversal
Apple
-
CVE-2026-35361
LOW
CVSS 3.4
The mknod utility in uutils coreutils creates device nodes before atomically applying SELinux security labels, and fails to properly clean up mislabeled nodes if labeling operations fail. This leaves device nodes with incorrect default SELinux contexts, potentially bypassing mandatory access control restrictions on systems where SELinux is enforcing. Affects coreutils versions prior to 0.6.0; exploitation requires local root or elevated privileges and is not currently publicly exploited, though cleanup failures are guaranteed on labeling failure.
Authentication Bypass
-
CVE-2026-35353
LOW
CVSS 3.3
The mkdir utility in uutils coreutils creates directories with default umask-derived permissions (0755) before applying the requested mode via chmod, creating a race condition window where a directory intended to be private becomes briefly accessible to other local users. This affects uutils coreutils versions prior to 0.6.0 and requires local authenticated access to exploit, limiting real-world impact despite the CVSS score of 3.3.
Authentication Bypass
-
CVE-2026-35346
LOW
CVSS 3.3
The comm utility in uutils coreutils silently corrupts binary and non-UTF-8 encoded file output by replacing invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD), diverging from GNU comm's byte-preserving behavior. This affects any user comparing files with legacy encodings or binary content, resulting in data integrity loss. A proof-of-concept demonstrating the lossy conversion exists, and a patch is available.
Information Disclosure
-
CVE-2026-35344
LOW
CVSS 3.3
Silent data corruption in uutils coreutils dd utility results from unconditionally suppressing truncation errors on regular files and directories, allowing backup and migration scripts to report successful operations while destination files contain old or corrupted data when disk space is exhausted or file systems are read-only.
Information Disclosure
-
CVE-2026-35343
LOW
CVSS 3.3
The cut utility in uutils coreutils fails to suppress non-delimited lines when the -s (only-delimited) option is used with a newline character as the delimiter, causing unfiltered data to be passed to downstream processes. Affected versions prior to 0.8.0 exhibit this logic error, which has low real-world impact due to local-only attack vector and partial technical scope, though it violates strict data filtering contracts that scripts may depend upon.
Information Disclosure
-
CVE-2026-35342
LOW
CVSS 3.3
The mktemp utility in uutils coreutils mishandles an empty TMPDIR environment variable by creating temporary files in the current working directory instead of falling back to /tmp, potentially exposing sensitive data if the CWD has overly permissive access controls. Affects uutils coreutils versions prior to 0.6.0 and requires a local attacker with limited privileges to manipulate the environment or exploit overly accessible working directories; CVSS 3.3 reflects low severity (local access, limited confidentiality impact) despite the information disclosure risk.
Authentication Bypass
Information Disclosure
-
CVE-2026-35058
None
Pre-NVD disclosure via GitHub release 'v2.6.20' (openvpn/openvpn). Security fixes:
* [CVE-2026-40215](https://www.cve.org/CVERecord?id=CVE-2026-40215): fix race condition in TLS handshake that could lead to leaking of packet data from a previous handshake under specific circumstances
* [C...
Information Disclosure
-
CVE-2026-34067
LOW
CVSS 3.1
Nimiq Core-rs-Albatross prior to v1.3.0 crashes when processing malformed transaction inclusion proofs with mismatched history and positions arrays. A remote attacker can trigger a denial of service by sending a crafted ResponseTransactionsProof with unequal array lengths, causing the HistoryTreeProof::verify function to panic. The vulnerability requires high attack complexity and user interaction, limiting real-world impact despite network accessibility.
Denial Of Service
-
CVE-2026-33599
LOW
CVSS 3.1
dnsdist's Discovery of Designated Resolvers (DDR) upgrade mechanism allows a rogue backend to send a crafted SVCB response that causes a denial of service via availability impact when DDR is explicitly enabled through the autoUpgrade (Lua) or auto_upgrade (YAML) configuration options. The vulnerability requires adjacent network access and high complexity exploitation conditions, affecting only deployments that have manually enabled DDR functionality, a non-default configuration.
Buffer Overflow
Information Disclosure
-
CVE-2026-33597
LOW
CVSS 3.7
Denial of service in dnsdist via crafted PRSD (PowerDNS Response Detection) queries causes assertion failure and service disruption on remote DNS resolvers. The vulnerability requires specific network conditions and crafted packet construction (AC:H) but affects default configurations without authentication. CVSS 3.7 reflects low availability impact with non-trivial exploitation complexity.
Denial Of Service
-
CVE-2026-33596
LOW
CVSS 3.1
dnsdist can experience a denial-of-service condition through query-response mismatching when a client sends precisely timed floods of queries routed to TCP-only or DNS over TLS backends. An adjacent network attacker with high timing precision can cause limited availability impact by desynchronizing the query-response correlation on affected backends, though exploitation requires favorable network conditions and careful query timing. This issue carries a low CVSS score (3.1) reflecting the high attack complexity and adjacency requirement.
Information Disclosure
Integer Overflow
-
CVE-2026-22746
LOW
CVSS 3.7
Spring Security's DaoAuthenticationProvider can leak timing information about user account status when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked attributes for user validation. This allows remote attackers to enumerate disabled, expired, or locked accounts through timing analysis of authentication responses across affected versions 5.7.0-5.7.22, 5.8.0-5.8.24, 6.3.0-6.3.15, 6.5.0-6.5.9, and 7.0.0-7.0.4. No public exploit code or active exploitation has been identified at this time.
Authentication Bypass
Java
-
CVE-2026-6842
LOW
CVSS 2.5
Nano text editor creates ~/.local directory with overly permissive 0777 permissions instead of 0700 in environments with permissive umask settings, allowing local authenticated users to inject malicious .desktop launcher files that could lead to information disclosure or unintended actions when processed. CVSS score 2.5 reflects local attack vector and low integrity impact, with active exploitation status unknown and no public exploit code identified at time of analysis.
Information Disclosure
-
CVE-2026-6416
LOW
CVSS 2.7
Uncontrolled resource consumption in Tanium Interact allows authenticated high-privilege administrators to trigger a denial of service condition through network-accessible endpoints. The vulnerability requires high-level administrative privileges (PR:H) and produces only availability impact with no confidentiality or integrity compromise. CVSS base score of 2.7 reflects the severe privilege barrier and limited impact scope.
Denial Of Service
-
CVE-2026-6408
LOW
CVSS 2.7
Tanium Server allows high-privileged authenticated users to disclose sensitive information through an unspecified network-accessible mechanism. The vulnerability requires administrative or equivalent privileges and carries a low CVSS score (2.7) reflecting limited impact to confidentiality with no integrity or availability consequences. No active exploitation or public proof-of-concept has been identified.
Information Disclosure
-
CVE-2026-6392
LOW
CVSS 2.7
Information disclosure vulnerability in Tanium Threat Response allows high-privileged authenticated users to access sensitive data via network requests. The vulnerability affects all versions of Threat Response and requires administrator-level privileges to exploit, resulting in confidentiality impact with no integrity or availability compromise. No active exploitation has been publicly identified.
Information Disclosure
-
CVE-2026-6019
LOW
CVSS 2.1
CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parser-sensitive sequence </script>, allowing attackers with high privilege levels to inject arbitrary JavaScript by crafting malicious cookie values. While the method escapes double quotes for JavaScript string context, it does not prevent premature termination of the script element through </script> injection, resulting in limited information disclosure. The vendor has released patches addressing this inadequate escaping mechanism through base64-encoding of cookie values.
Information Disclosure
-
CVE-2026-3254
LOW
CVSS 3.5
Cross-site scripting (XSS) in GitLab CE/EE 18.11 before 18.11.1 allows authenticated users to inject unauthorized content into other users' browsers through improper input validation in the Mermaid diagram sandbox. An attacker must have valid GitLab credentials and the victim must view a malicious diagram, limiting real-world impact despite the publicly available exploit code. SSVC analysis rates this as non-automatable with partial technical impact, consistent with the low CVSS 3.5 score.
XSS
Gitlab
-
CVE-2025-9957
LOW
CVSS 2.7
Authenticated project owners in GitLab CE/EE versions 11.2-18.9.5, 18.10-18.10.3, and 18.11-18.11.0 can bypass group fork prevention settings due to improper authorization checks, allowing them to create forks when they should be restricted. The vulnerability requires authentication and high-privilege access (project owner role), resulting in low severity (CVSS 2.7). Publicly available exploit code exists and patch versions have been released by the vendor.
Authentication Bypass
Gitlab