Skip to main content
CVE-2026-31511 HIGH PATCH This Week

Use-after-free in Linux kernel Bluetooth MGMT subsystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from improper condition checking in mgmt_add_adv_patterns_monitor_complete(), which can leave dangling pointers after freeing memory without unlinking from the list. Patches available across multiple kernel versions (6.12.80, 6.17, 6.18.21, 6.19.11, 7.0). No evidence of active exploitation (not in CISA KEV), low EPSS score (0.02%, 5th percentile) suggests limited attacker interest despite high CVSS severity.

Information Disclosure Linux Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31506 HIGH PATCH This Week

Double-free memory corruption in Linux kernel bcmasp network driver allows local authenticated attackers with low privileges to achieve arbitrary code execution, privilege escalation, or system crash. The vulnerability affects kernel versions 6.6 through early 7.0 release candidates. Vendor patches available across stable branches (6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (5th percentile) indicates very low real-world exploitation probability, and no active exploitation or public POC has been identified. This represents a low-priority issue for most environments despite the 7.8 CVSS score, as it requires local authenticated access and affects only systems using the specific bcmasp Broadcom network driver.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31505 HIGH PATCH This Week

Out-of-bounds memory write in Linux kernel iavf (Intel Adaptive Virtual Function) driver allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact via race condition during concurrent ethtool operations. The vulnerability stems from inconsistent use of queue counters (real_num_tx_queues vs num_active_queues vs num_tx_queues) across ethtool statistics functions, enabling memory corruption when changing network channels via 'ethtool -L' while simultaneously querying statistics with 'ethtool -S'. Patches available for kernel versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit or active exploitation identified at time of analysis.

Buffer Overflow Debian Linux Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31502 HIGH PATCH This Week

Type confusion in Linux kernel team driver allows local authenticated users to trigger memory corruption and potential privilege escalation. The team_setup_by_port() function incorrectly copies header_ops from non-Ethernet lower devices (such as GRE interfaces) without proper context validation, causing callbacks like dev_hard_header() to interpret netdev_priv() as the wrong structure type when processing stacked network topologies (e.g., gre → bond → team). While CVSS rates this 7.8 (High), EPSS probability is very low at 0.02% (5th percentile), and no active exploitation or public POC has been identified. Vendor patches are available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0).

Denial Of Service Linux Memory Corruption Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31500 HIGH PATCH This Week

Use-after-free in Linux kernel Bluetooth Intel driver enables local privilege escalation to kernel code execution. Affects Linux kernel 4.3 through 7.0-rc5, with patches available in versions 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. Exploitation requires local authenticated access with low privileges (CVSS PR:L). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No public exploit code or active exploitation confirmed at time of analysis, though technical details in CVE description provide implementation roadmap.

Use After Free Linux Memory Corruption Intel Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31490 HIGH PATCH This Week

Use-after-free in Linux kernel's xe GPU driver allows local authenticated users to execute arbitrary code with kernel privileges. The vulnerability occurs in the SR-IOV physical function migration restore path when error handling fails to nullify a freed data pointer, enabling subsequent write operations to reference deallocated memory. With CVSS 7.8 (High) and very low EPSS (0.02%), this represents typical kernel memory corruption risk requiring local access and low privileges. Vendor patches are available for affected 6.19 and 7.0-rc versions.

Information Disclosure Linux Memory Corruption Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31489 HIGH PATCH This Week

Use-after-free in Linux kernel meson-spicc SPI driver allows local authenticated attackers to escalate privileges or crash the system. The vulnerability stems from a double-put reference counting error during driver removal - devm_spi_register_controller() already handles cleanup automatically, but meson_spicc_remove() explicitly calls spi_controller_put() again, releasing the same memory twice. EPSS probability is low (0.02%, 5th percentile), no active exploitation confirmed, and vendor patches are available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0). This targets systems using Amlogic Meson SoC SPI controllers, requiring local authenticated access to exploit.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31488 HIGH PATCH This Week

Use-after-free in Linux kernel AMD display driver allows local authenticated users to execute arbitrary code, corrupt memory, or cause denial of service. Affects systems with AMD graphics using Display Stream Compression (DSC) and multi-stream transport (MST), particularly laptops with integrated displays and external DP-MST monitors. The vulnerability arises when mode changes occur simultaneously with DSC reconfigurations, causing improper stream lifecycle management. Vendor patch available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% indicates low exploitation probability in the wild, with no CISA KEV listing or public exploit identified at time of analysis.

Amd Information Disclosure Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31479 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: drm/xe: always keep track of remap prev/next During 3D workload, user is reporting hitting: [ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925 [ 413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy) [ 413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe] [ 413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282 [ 413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000 [ 413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000 [ 413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380 [ 413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380 [ 413.362083] FS: 00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000 [ 413.362085] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0 [ 413.362088] PKRU: 55555554 [ 413.362089] Call Trace: [ 413.362092] <TASK> [ 413.362096] xe_vm_bind_ioctl+0xa9a/0xc60 [xe] Which seems to hint that the vma we are re-inserting for the ops unwind is either invalid or overlapping with something already inserted in the vm. It shouldn't be invalid since this is a re-insertion, so must have worked before. Leaving the likely culprit as something already placed where we want to insert the vma. Following from that, for the case where we do something like a rebind in the middle of a vma, and one or both mapped ends are already compatible, we skip doing the rebind of those vma and set next/prev to NULL. As well as then adjust the original unmap va range, to avoid unmapping the ends. However, if we trigger the unwind path, we end up with three va, with the two ends never being removed and the original va range in the middle still being the shrunken size. If this occurs, one failure mode is when another unwind op needs to interact with that range, which can happen with a vector of binds. For example, if we need to re-insert something in place of the original va. In this case the va is still the shrunken version, so when removing it and then doing a re-insert it can overlap with the ends, which were never removed, triggering a warning like above, plus leaving the vm in a bad state. With that, we need two things here: 1) Stop nuking the prev/next tracking for the skip cases. Instead relying on checking for skip prev/next, where needed. That way on the unwind path, we now correctly remove both ends. 2) Undo the unmap va shrinkage, on the unwind path. With the two ends now removed the unmap va should expand back to the original size again, before re-insertion. v2: - Update the explanation in the commit message, based on an actual IGT of triggering this issue, rather than conjecture. - Also undo the unmap shrinkage, for the skip case. With the two ends now removed, the original unmap va range should expand back to the original range. v3: - Track the old start/range separately. vma_size/start() uses the va info directly. (cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31474 HIGH PATCH This Week

Use-after-free in Linux kernel ISO-TP CAN protocol driver allows local authenticated users to read freed memory, corrupt kernel state, or execute arbitrary code with kernel privileges. Affects kernels from commit 96d1c81e to 6.6.131, 6.12.80, 6.18.21, and 6.19.11. Vendor-released patches available across stable kernel branches. EPSS score 0.02% (5th percentile) indicates low probability of mass exploitation, and no public exploit identified at time of analysis, though CVSS 7.8 reflects high local privilege escalation potential if successfully exploited.

Information Disclosure Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31468 HIGH PATCH This Week

Memory corruption in the Linux kernel VFIO PCI subsystem allows local authenticated users to trigger double-free conditions and potentially execute arbitrary code with kernel privileges. The vulnerability stems from an incorrect error-handling path in the dma-buf export feature that calls dma_buf_put() before dma_buf_export() succeeds, leading to unbalanced reference counts and memory corruption during file descriptor exhaustion scenarios. Exploitation probability remains very low (EPSS 0.02%, 5th percentile) with no public exploit code or evidence of active exploitation. Patches are available in stable kernel versions 6.19.11 and 7.0.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31449 HIGH PATCH This Week

Buffer overflow in Linux kernel ext4 filesystem allows local attackers with user interaction to achieve arbitrary code execution via crafted extent tree metadata. The ext4_ext_correct_indexes() function fails to validate index pointer bounds when walking up the extent tree, enabling slab-out-of-bounds memory reads when processing malicious filesystem images. With CVSS 7.8 (high severity) but only 0.02% EPSS (5th percentile), this represents elevated theoretical risk with minimal observed real-world exploitation. Vendor patches available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0), and no public exploit code or active exploitation confirmed at time of analysis.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31493 HIGH PATCH This Week

Use-after-free in Linux kernel RDMA/EFA driver allows local authenticated users with low privileges to execute arbitrary code with high confidentiality, integrity, and availability impact. The vulnerability affects the admin queue completion handling where completion context data is accessed after being freed, creating a window for memory corruption exploitation. Affects kernel versions from 5.12 through 7.0-rc7, with vendor patches available for stable branches 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing identified at time of analysis.

Memory Corruption Use After Free Information Disclosure Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31475 HIGH PATCH This Week

Memory corruption in the Linux kernel sma1307 ASoC driver allows local authenticated users to trigger a double-free condition leading to potential privilege escalation, denial of service, or information disclosure. The vulnerability stems from improper cleanup of device-managed memory allocations in error paths within the sma1307_setting_loaded() function, where devm_kzalloc()-allocated resources are incorrectly freed with kfree(), causing devres to later release the same memory a second time. Vendor patches are available across multiple stable kernel branches (6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31471 HIGH PATCH This Week

Use-after-free in Linux kernel XFRM IPTFS subsystem allows local authenticated attackers to trigger high-severity memory corruption through failed state cloning operations. The vulnerability stems from premature publication of mode_data pointer before allocation completion, enabling arbitrary code execution, privilege escalation, or denial of service when IPsec IP-TFS (IP Traffic Flow Security) mode cloning fails. Vendor patches available for kernel versions 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating, likely due to the specific IPTFS configuration prerequisite and local access requirement.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31442 HIGH PATCH This Week

Use-after-free in Linux kernel idxd DMA engine driver allows local authenticated attackers to execute arbitrary code, disclose sensitive memory, or crash the system when Function Level Reset operations fail to allocate scratch memory. The vulnerability affects Linux kernels from commit 98d187a98903 through versions 6.14, 6.18.x before 6.18.21, and 6.19.x before 6.19.11. Vendor patches are available across stable branches with EPSS indicating 0.02% exploitation probability (4th percentile), suggesting limited active targeting despite the high CVSS 7.8 score. No CISA KEV listing or public exploit code identified at time of analysis.

Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-35368 HIGH GHSA This Week

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access to the chroot target directory to execute arbitrary code via malicious NSS module injection. The vulnerability triggers when --userspec option causes getpwnam() to load attacker-controlled shared libraries from the new root before dropping privileges, enabling container escape or full system compromise on glibc-based systems. CVSS 7.8 with Scope Changed indicates host compromise from containerized environments. SSVC framework confirms POC availability and total technical impact, though exploitation requires specific configuration (writable NEWROOT) and is not automatable.

Privilege Escalation RCE Coreutils
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-6846 HIGH PATCH This Week

Heap buffer overflow in GNU Binutils XCOFF linker allows arbitrary code execution when a local user processes a malicious object file. Red Hat Enterprise Linux versions 6 through 10 are confirmed affected via CPE data. CVSS 7.8 reflects local attack vector requiring user interaction (opening/linking the crafted file). No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept identified at time of analysis. Real-world risk depends heavily on whether development workflows involve linking untrusted XCOFF files, which is uncommon outside AIX/PowerPC cross-compilation scenarios.

Heap Overflow Denial Of Service Buffer Overflow RCE Red Hat Enterprise Linux 10 +6
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-5750 HIGH PATCH This Week

Insecure direct object reference in Fullstep V5 allows authenticated users to enumerate and modify other users' supplier registration data via predictable API endpoints. Authenticated attackers with low privileges can exploit vulnerable GET and POST endpoints to list sensitive user information (/api/suppliers/v1/suppliers/) and update arbitrary user profiles including personal details and documents (/#/supplier-registration/supplier-registration/). CVSS 7.6 reflects high confidentiality and integrity impact with low attack complexity. No public exploit code identified at time of analysis, but the IDOR pattern is trivial to exploit once authenticated. INCIBE-CERT advisory confirms patch availability from vendor.

Authentication Bypass Fullstep
NVD
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-6857 HIGH PATCH GHSA This Week

Remote code execution in Red Hat Apache Camel Infinispan component allows low-privileged attackers to execute arbitrary code via unsafe deserialization in ProtoStream remote aggregation repository. Exploiting this vulnerability requires network access and low-privilege credentials but grants full system compromise affecting confidentiality, integrity, and availability. The attack complexity is rated high (AC:H), suggesting specific configuration or timing requirements. No active exploitation confirmed at time of analysis (not in CISA KEV), and public exploit code status is unknown.

Deserialization RCE Red Hat Build Of Apache Camel 4 For Quarkus 3 Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Fuse 7 +2
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-3621 HIGH PATCH This Week

Identity spoofing in IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.4 allows authenticated attackers with low privileges to impersonate other users and escalate privileges when applications are deployed without proper authentication and authorization controls. The vulnerability requires high attack complexity and low-privilege credentials, but enables complete compromise of confidentiality, integrity, and availability within the application scope. CVSS 7.5 (High) reflects the significant impact once exploitation conditions are met. No public exploit identified at time of analysis, and vendor patch is available per IBM advisory.

IBM Privilege Escalation
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22753 HIGH PATCH GHSA This Week

Path matching bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to evade authentication, authorization, and other security controls when applications use securityMatchers(String) with a PathPatternRequestMatcher.Builder bean to prepend servlet paths. Improper matcher configuration causes filter chains to silently fail, leaving protected endpoints exposed without intended security controls. No active exploitation confirmed, but CVSS 7.5 with network attack vector (AV:N/AC:L/PR:N) indicates readily exploitable if applications use the specific configuration pattern. VMware-reported vulnerability requires immediate patching for affected Spring Security 7.x deployments.

Information Disclosure Java Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34063 HIGH PATCH This Week

Remote unauthenticated denial of service crashes Nimiq blockchain nodes by exploiting a protocol state machine flaw. Attackers can force panic conditions in the libp2p discovery handler by opening duplicate protocol substreams, immediately taking peer-to-peer networking offline until manual restart. Vendor-released patch available in version 1.3.0 with no workarounds for unpatched systems, creating urgent upgrade requirement for blockchain node operators.

Denial Of Service Network Libp2P
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34065 HIGH PATCH GHSA This Week

Denial of service in nimiq-primitives (Nimiq blockchain core library) allows remote unauthenticated attackers to crash nodes via malformed peer-to-peer messages. Attackers announce election macro blocks containing invalid compressed BLS voting keys, triggering an unwrap() panic during header hash validation. Affects all versions prior to 1.3.0. CVSS 7.5 (High) with network attack vector and no complexity. No public exploit identified at time of analysis, but attack is trivial to execute given the network-accessible attack surface and lack of authentication requirements.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41135 HIGH PATCH GHSA This Week

Unauthenticated remote attackers can crash free5GC Policy Control Function (PCF) versions before 1.4.3 via repeated HTTP requests to the OAM endpoint over the Service-Based Interface. Each request leaks memory by registering duplicate CORS middleware in the Gin router handler chain, causing progressive memory exhaustion that prevents all User Equipment from establishing 5G sessions. Patched in version 1.4.3 via commit 599803b. EPSS data unavailable; not listed in CISA KEV. CVSS 7.5 High severity reflects network-accessible unauthenticated attack with high availability impact.

Denial Of Service Free5gc Pcf
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-6022 HIGH PATCH This Week

Uncontrolled resource consumption in Progress Telerik UI for AJAX RadAsyncUpload component allows remote unauthenticated attackers to exhaust disk space by uploading files exceeding configured size limits through chunked upload bypass. The vulnerability arises from missing cumulative size validation during chunk reassembly, enabling attackers to circumvent intended upload restrictions. No authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), making this exploitable against any internet-facing application using affected versions. Patch available in version 2026.1.421. No CISA KEV listing or public exploit code identified at time of analysis, but low attack complexity and no authentication barrier indicate straightforward exploitation potential.

Denial Of Service Telerik Ui For Asp Net Ajax
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22754 HIGH PATCH GHSA This Week

Authorization bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to circumvent access controls when applications use servlet-path-based intercept-url configurations. The framework fails to include the servlet path when computing pattern matches for authorization rules, causing protected endpoints to become accessible without proper authorization checks. No public exploit code identified at time of analysis, but the straightforward bypass condition (misconfigured servlet-path directives) and network attack vector (CVSS AV:N/AC:L/PR:N) make this readily exploitable in affected deployments.

Authentication Bypass Java Spring Security
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31477 HIGH PATCH This Week

Memory exhaustion and kernel crash in Linux kernel's ksmbd SMB server allows remote unauthenticated denial of service via crafted lock requests. The smb2_lock() function contains three critical error-handling defects: memory leaks when vfs_lock_file() returns unexpected errors, stale error propagation in UNLOCK operations, and NULL pointer dereference during rollback when smb_flock_init() allocation fails. CVSS vector indicates network-accessible, low-complexity exploitation requiring no authentication. EPSS score of 0.02% (7th percentile) suggests minimal observed scanning activity, and no KEV listing confirms no widespread exploitation detected. However, the network attack vector (AV:N) and high availability impact (A:H) make this a realistic DoS risk for systems running ksmbd. Vendor patches available across stable kernel series 5.15-6.19.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31467 HIGH PATCH This Week

Deadlock in Linux kernel EROFS filesystem bio completion path enables remote denial of service. When EROFS decompress operations occur in process context (e.g., dm-verity scenarios), vm_map_ram() called with GFP_KERNEL can trigger memory swapping I/O under low memory conditions, causing submit_bio_wait() to deadlock when bio_list is already initialized. CVSS rates this 7.5 High with network attack vector requiring no authentication, yet EPSS scores only 0.02% (7th percentile), suggesting theoretical rather than observed exploitation. Patches available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). Not listed in CISA KEV and no public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33593 HIGH PATCH This Week

Remote denial of service in dnsdist allows unauthenticated attackers to crash the DNS load balancer by sending specially crafted DNSCrypt queries that trigger a divide-by-zero error. The vulnerability requires no authentication, low attack complexity, and directly impacts service availability for all DNS traffic routed through affected dnsdist instances. Organizations using DNSCrypt protocol support in dnsdist face immediate risk of service disruption from remote attackers.

Denial Of Service Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3254 LOW POC PATCH Monitor

Cross-site scripting (XSS) in GitLab CE/EE 18.11 before 18.11.1 allows authenticated users to inject unauthorized content into other users' browsers through improper input validation in the Mermaid diagram sandbox. An attacker must have valid GitLab credentials and the victim must view a malicious diagram, limiting real-world impact despite the publicly available exploit code. SSVC analysis rates this as non-automatable with partial technical impact, consistent with the low CVSS 3.5 score.

Gitlab XSS
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-33608 HIGH PATCH This Week

Remote attackers can corrupt PowerDNS Authoritative Server configuration via specially crafted DNS NOTIFY requests, causing persistent denial of service requiring manual administrator intervention. The attack adds malformed secondary domains to the bind backend, rendering the configuration invalid and preventing the server from restarting. No active exploitation confirmed at time of analysis, but the network-accessible attack vector and lack of authentication requirements elevate risk for internet-facing authoritative DNS servers.

Code Injection RCE Suse
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-41134 HIGH PATCH GHSA This Week

Code injection in Microsoft Kiota versions prior to 1.31.1 allows attackers who control or tamper with OpenAPI descriptions to inject malicious code into generated HTTP client libraries. Exploitation requires developers to generate clients from untrusted or compromised OpenAPI specifications, then compile and execute the poisoned code. The attack chain culminates in arbitrary code execution within the context of applications using the tainted generated clients. CVSS 7.3 with local attack vector and user interaction required suggests lower immediate urgency, though EPSS data is unavailable. No public exploit code or active exploitation confirmed at time of analysis.

Code Injection Deserialization RCE Kiota
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-41172 HIGH PATCH This Week

Server-Side Request Forgery in Squidex versions prior to 7.23.0 allows authenticated users with asset upload permissions to force the CMS server to fetch arbitrary URLs, including internal network resources and localhost endpoints, storing the retrieved content as platform assets. This enables reconnaissance of internal infrastructure, exfiltration of cloud metadata endpoints (AWS/Azure credentials), and access to services not exposed to the internet. CVSS 7.3 (High) with CVSS 4.0 E:P (Proof-of-concept exists). Vendor patch available in version 7.23.0 per GitHub security advisory GHSA-x7cq-4f4c-8qcv.

SSRF Squidex
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-41171 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Squidex versions before 7.23.0 allows authenticated users with schema editing permissions to force the server to make arbitrary HTTP requests to internal services and cloud metadata endpoints through the Jint scripting engine. The vulnerability can expose cloud provider credentials (e.g., AWS IMDS) and enable lateral movement within internal networks. Exploitation requires only low-privilege authentication (PR:L) and has publicly available exploit code (E:P in CVSS 4.0 vector). Vendor-confirmed patch available in version 7.23.0.

SSRF Squidex
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-40542 HIGH PATCH GHSA This Week

Apache HttpClient 5.6 skips mutual authentication verification in SCRAM-SHA-256 handshakes, allowing network attackers to impersonate legitimate servers without credentials. Affected clients accept unauthenticated server responses, enabling man-in-the-middle attacks that compromise confidentiality and integrity of authenticated sessions. Apache released patched version 5.6.1 addressing the missing authentication check. EPSS score of 0.03% suggests low current exploitation activity, though the network-accessible attack surface (AV:N/AC:L/PR:N) and availability of detailed vendor advisory increase exploitation risk once attackers adapt tooling for SCRAM protocol manipulation.

Information Disclosure Apache Apache Httpclient
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-35338 HIGH POC PATCH GHSA This Week

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing local authenticated users to execute destructive permission changes across the entire root filesystem. The vulnerability stems from incomplete path canonicalization that permits path traversal variants (/../) and symbolic links to circumvent safety checks, potentially causing system-wide denial of service. EPSS score of 0.01% indicates minimal exploitation probability in the wild, with no public exploit code identified and vendor patch available in version 0.6.0.

Path Traversal Coreutils
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4132 HIGH This Week

Arbitrary file write in HTTP Headers plugin for WordPress versions ≤1.19.2 enables authenticated administrators to achieve remote code execution by manipulating htpasswd file path configuration and injecting PHP code via unsanitized username input. Administrators can set a malicious file path (e.g., webroot/shell.php) through 'hh_htpasswd_path' option and inject executable code via the 'hh_www_authenticate_user' field, which is written directly to disk without validation. Wordfence disclosure includes direct source code references showing the vulnerable apache_auth_credentials() and update_auth_credentials() functions. No public exploit code or active exploitation confirmed at time of analysis.

PHP WordPress RCE
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-41676 HIGH PATCH GHSA This Week

Memory corruption in rust-openssl's key derivation functions allows heap or stack buffer overflow when applications pass undersized buffers to Deriver::derive or PkeyCtxRef::derive on OpenSSL 1.1.x. The vulnerability affects X25519, X448, DH, and HKDF-extract operations where OpenSSL ignores the caller-specified buffer length and unconditionally writes the full shared secret, causing safe Rust code to trigger memory corruption. Vendor patch available in v0.10.78; OpenSSL 3.x deployments are not affected as newer providers correctly validate buffer lengths.

Buffer Overflow OpenSSL
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-41678 HIGH PATCH GHSA This Week

Out-of-bounds memory write in rust-openssl's AES key unwrap function allows attackers who control buffer sizes to corrupt memory via safe API misuse. The aes::unwrap_key() function contains an inverted bounds assertion that accepts undersized output buffers and rejects correctly sized ones, causing the function to write beyond allocated memory by in_.len() - 8 - out.len() bytes. Vendor patch available via GitHub PR #2604 and commit 718d07ff, released in openssl-v0.10.78. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis, but the logic flaw is clearly documented in vendor advisory GHSA-8c75-8mhr-p7r9.

Buffer Overflow Memory Corruption
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-41170 HIGH PATCH This Week

Server-Side Request Forgery in Squidex's backup restoration endpoint allows authenticated administrators to probe internal network services and access cloud metadata endpoints. The RestoreController.PostRestoreJob endpoint accepts arbitrary URLs without SSRF protection, enabling internal reconnaissance through the application's HTTP client. Exploitation requires high privileges (admin authentication) but grants access to confidential internal resources and sensitive cloud service metadata. Version 7.23.0 patches this vulnerability. EPSS exploitation probability and active exploitation status are not reported in available intelligence.

SSRF Squidex
NVD GitHub
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-6834 HIGH This Week

Missing authorization in a+HRD API allows authenticated low-privilege remote attackers to read arbitrary database contents. The vulnerability exists in a specific API method that fails to properly verify user permissions, enabling lateral privilege escalation to access sensitive data beyond the attacker's authorization scope. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with network attack vector and low attack complexity, though exploitation requires valid user credentials.

Authentication Bypass A Hrd
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-6833 HIGH This Week

SQL injection in aEnrich a+HRD allows authenticated remote attackers to read database contents through malicious SQL command injection. The vulnerability requires low-privilege authentication but enables complete confidentiality breach of database information. No active exploitation confirmed via CISA KEV, and EPSS data not available, but the low attack complexity (AC:L) and network attack vector (AV:N) make this exploitable by any authenticated user with basic SQL injection knowledge.

SQLi A Hrd
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-31484 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check __io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second half of the SQE would be past the end of the sq_sqes array. The current check tests (++sq_head & sq_mask) == 0, but sq_head is only incremented when a 128-byte SQE is encountered, not on every iteration. The actual array index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask (the last slot) while the wrap check passes. Fix by checking sq_idx directly. Keep the sq_head increment so the loop still skips the second half of the 128-byte SQE on the next iteration.

Information Disclosure Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31470 HIGH PATCH This Week

A buffer validation flaw in Linux kernel's TDX guest driver (versions 6.7+) allows local authenticated attackers to leak kernel memory beyond allocated quote buffers into userspace, potentially crossing container isolation boundaries in multi-tenant TDX environments. The vulnerability stems from insufficient validation of host-controlled quote_buf->out_len values during remote attestation operations. Patches available for stable branches 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low exploitation probability in the wild, with no public exploit code or active exploitation confirmed at time of analysis.

Linux Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31486 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/core) Protect regulator operations with mutex The regulator operations pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data but were not protected by the update_lock mutex. This could lead to race conditions. However, adding mutex protection directly to these functions causes a deadlock because pmbus_regulator_notify() (which calls regulator_notifier_call_chain()) is often called with the mutex already held (e.g., from pmbus_fault_handler()). If a regulator callback then calls one of the now-protected voltage functions, it will attempt to acquire the same mutex. Rework pmbus_regulator_notify() to utilize a worker function to send notifications outside of the mutex protection. Events are stored as atomics in a per-page bitmask and processed by the worker. Initialize the worker and its associated data during regulator registration, and ensure it is cancelled on device removal using devm_add_action_or_reset(). While at it, remove the unnecessary include of linux/of.h.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-6855 HIGH GHSA This Week

Path traversal in InstructLab's chat session handler enables local authenticated attackers to write files to arbitrary filesystem locations by manipulating the logs_dir parameter. Red Hat Enterprise Linux AI 3 deployments are confirmed affected. CVSS 7.1 (High) reflects significant confidentiality and integrity impact, though exploitation requires local access and low-level privileges. No active exploitation (CISA KEV) or public proof-of-concept identified at time of analysis. EPSS data not available, suggesting limited immediate widespread exploitation risk despite high severity rating.

Path Traversal Red Hat Enterprise Linux Ai Rhel Ai 3
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-35341 HIGH POC PATCH GHSA This Week

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary files to world-readable mode. When mkfifo attempts to create a FIFO at a path where a file already exists, it erroneously continues execution and calls set_permissions on the existing file, changing its mode to default (typically 644 after umask). This can expose sensitive files like SSH private keys (~/.ssh/id_rsa) or application secrets to unauthorized local users. CISA SSVC confirms proof-of-concept code exists with total technical impact, though EPSS data is not available and the vulnerability is not yet in CISA KEV, indicating exploitation remains theoretical rather than widespread.

Information Disclosure Coreutils
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41166 HIGH PATCH GHSA This Week

OpenRemote Manager allows privilege escalation to Keycloak master realm administrator through improper authorization in the Manager API. Users with write:admin permission in any non-master realm can manipulate realm role assignments in other realms, including master, by exploiting missing authorization checks in the updateUserRealmRoles endpoint. An attacker controlling any user in the master realm can grant themselves admin privileges, achieving full Keycloak administrator access. Vendor-released patch version 1.22.1 addresses this vulnerability. No public exploit code identified at time of analysis, though a detailed proof-of-concept is documented in the advisory.

Java Authentication Bypass Privilege Escalation
NVD GitHub
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-35352 HIGH GHSA This Week

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file permissions on arbitrary system files. A TOCTOU race condition between FIFO creation and permission setting enables symlink swapping attacks, redirecting chmod operations to unintended targets. SSVC framework indicates proof-of-concept exists with total technical impact. While CVSS rates this 7.0 (High), exploitation requires high attack complexity (race condition timing), low privileges, and write access to the parent directory where mkfifo is executed - most impactful when the utility runs with elevated privileges in automated scripts or system processes. No active exploitation confirmed (not in CISA KEV); EPSS data not available.

Privilege Escalation Coreutils
NVD GitHub
CVSS 3.1
7.0
EPSS
0.0%
Prev Page 3 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy