Skip to main content
CVE-2026-31431 HIGH POC KEV PATCH THREAT CISA CERT-EU NEWS Act Now

Memory corruption in Linux kernel's algif_aead cryptographic interface allows local authenticated users to achieve arbitrary kernel memory read/write, leading to privilege escalation to root. The vulnerability stems from improper handling of in-place operations introduced in commit 72548b093ee3, affecting kernel versions from 4.14 through 6.19.x. Multiple public exploit codes exist including proof-of-concept demonstrations from security researchers, with EPSS score of 0.01% indicating currently low widespread exploitation likelihood despite POC availability.

Information Disclosure Linux
NVD VulDB GitHub
CVSS 3.1
7.8
EPSS
0.0%
Threat
6.6
CVE-2026-34413 HIGH POC PATCH Act Now

Unauthenticated attackers can execute remote code and read arbitrary files in Xerte Online Toolkits 3.15 and earlier via a missing authentication flaw in the elFinder connector endpoint. The vulnerability stems from a logic error where HTTP redirects for unauthenticated requests fail to terminate PHP execution, allowing full server-side processing of file operations. Attackers can create directories, upload files, rename, duplicate, overwrite, and delete files in project media directories without authentication. When chained with path traversal and extension blocklist bypasses, this enables complete system compromise. VulnCheck identified the flaw, and vendor patches are available via three GitHub commits addressing versions 3.13.0 through 3.15.0.

PHP Path Traversal Authentication Bypass RCE Xerteonlinetoolkits
NVD GitHub
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-34414 HIGH POC PATCH Act Now

Path traversal in Xerte Online Toolkits' elFinder connector allows authenticated attackers to move files to arbitrary filesystem locations, enabling application file overwrites, stored XSS, or chained remote code execution. Affects versions 3.15 and earlier through unsanitized rename operations at /editor/elfinder/php/connector.php. Vendor patches available via GitHub commits 02661be, 507d55c, and 17e4f94. CVSS 7.1 with low attack complexity and low privileges required. No public exploitation confirmed (SSVC: exploitation=none), but attack is not automatable per CISA framework.

RCE PHP XSS Path Traversal Xerteonlinetoolkits
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-41651 HIGH POC PATCH This Week

Local privilege escalation in PackageKit 1.0.2-1.3.4 allows unprivileged Linux users to install arbitrary RPM packages as root without authentication via TOCTOU race condition on transaction flags. The vulnerability exploits three synchronized bugs in the transaction state machine: unconditional flag overwrite, silent state-transition rejection that leaves corrupted flags, and late flag validation at dispatch time. Actively exploited in targeted attacks according to vendor advisory. CVSS 8.8 with scope change reflects full system compromise from low-privileged account. Patched in version 1.3.5.

Privilege Escalation Packagekit
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2018-25268 HIGH POC This Week

LanSpy 2.0.1.159 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying oversized input to the scan field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Memory Corruption Buffer Overflow Lanspy
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25265 HIGH POC This Week

LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows local attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Memory Corruption Buffer Overflow Lanspy
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25261 HIGH POC This Week

Iperius Backup 5.8.1 contains a local buffer overflow vulnerability in the structured exception handling (SEH) mechanism that allows local attackers to execute arbitrary code by supplying a malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Memory Corruption Buffer Overflow Iperius Backup
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25260 HIGH POC This Week

MAGIX Music Editor 3.1 contains a buffer overflow vulnerability in the FreeDB Proxy Options dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Memory Corruption Buffer Overflow Magix Music Editor
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25259 HIGH POC This Week

Terminal Services Manager 3.1 contains a stack-based buffer overflow vulnerability in the computer names field that allows local attackers to execute arbitrary code by triggering structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Authentication Bypass RCE Terminal Services Manager
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-40517 HIGH POC PATCH This Week

Command injection in radare2 PDB parser (versions before 6.1.4) enables arbitrary OS command execution when users analyze malicious PDB files. Publicly available exploit code exists. Attackers craft PDB files with newline characters in symbol names to inject radare2 commands during flag renaming operations, which then execute OS commands via radare2's shell operator when victims run the 'idp' command. CVSS 8.4 reflects local attack vector requiring user interaction, though EPSS data not available. Patch released in version 6.1.4 with detailed technical disclosure at blog.calif.io showing 0-day discovery process.

Command Injection Suse
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-41640 HIGH POC PATCH GHSA This Week

SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133.

Command Injection Debian SQLi PostgreSQL
NVD GitHub
CVSS 3.1
7.5
EPSS
4.2%
CVE-2026-4922 HIGH POC PATCH This Week

Cross-Site Request Forgery (CSRF) in GitLab CE/EE allows remote unauthenticated attackers to execute GraphQL mutations as authenticated victims through crafted web pages. Affects all versions from 17.0 through 18.11.0, with publicly available exploit code (HackerOne report 3627285). Despite high CVSS 8.1, exploitation requires user interaction (phishing/social engineering) and is not automatable per CISA SSVC framework. No evidence of active exploitation in CISA KEV at time of analysis. Vendor patches released: 18.9.6, 18.10.4, and 18.11.1.

CSRF Gitlab
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-5262 HIGH POC PATCH This Week

Cross-site scripting vulnerability in GitLab's Storybook development environment allows remote unauthenticated attackers to steal access tokens via crafted user interaction. Affects GitLab CE/EE versions 16.1.0 through 18.9.5, 18.10 through 18.10.3, and 18.11.0. Publicly available exploit code exists (HackerOne report 3574642), though CISA SSVC indicates no confirmed active exploitation at time of analysis. CVSS 8.0 reflects high confidentiality and integrity impact with scope change, but CVSS vector AC:H (high complexity) and UI:R (user interaction required) indicate exploitation requires targeted social engineering rather than automated mass exploitation.

Gitlab XSS
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-5816 HIGH POC PATCH This Week

Cross-site scripting (XSS) in GitLab CE/EE versions 18.10.0-18.10.3 and 18.11.0 enables unauthenticated attackers to execute arbitrary JavaScript in victim browser sessions via improper path validation. GitLab disclosed this vulnerability with publicly available exploit code (HackerOne report 3572231), though CISA SSVC indicates no active exploitation confirmed at time of analysis. CVSS 8.0 reflects the changed scope (S:C) allowing impact beyond the vulnerable component, though High attack complexity (AC:H) and required user interaction (UI:R) limit ease of exploitation. Patched in versions 18.10.4 and 18.11.1.

Information Disclosure Gitlab
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-41641 HIGH POC PATCH GHSA This Week

SQL injection in NocoBase plugin-collection-sql allows authenticated users with collection management permissions to bypass validation controls and execute arbitrary SQL queries. The checkSQL() function blocks dangerous keywords on collection creation and execution but is completely absent from the update endpoint, enabling attackers to create benign SQL collections then modify them with malicious queries to exfiltrate sensitive data including user credentials. Vendor patch available via GitHub PR #9134 and commit 851aee5. CVSS 7.2 reflects high privileges required (PR:H), but real-world impact is severe for environments where collection managers are not fully trusted administrators.

SQLi PostgreSQL Privilege Escalation
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-33733 HIGH POC PATCH This Week

Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or delete arbitrary files on the server filesystem. The vulnerability affects all versions prior to 9.3.4 and stems from unsanitized `name` and `scope` parameters in template path construction. Publicly available exploit code exists (GitHub security advisory GHSA-44c3-xjfp-3jrh), though no CISA KEV listing or confirmed active exploitation. CVSS 7.2 reflects high impact across confidentiality, integrity, and availability, but exploitation requires high-privilege (admin) access, significantly limiting real-world exposure to insider threats or compromised admin credentials.

Information Disclosure Espocrm
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-40344 HIGH GHSA This Week

Authentication bypass in MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z allows remote unauthenticated attackers to write arbitrary objects to any bucket by exploiting an unvalidated auth type in the Snowball auto-extract handler. Attackers need only a valid access key (including the default 'minioadmin') and can fabricate signatures without knowing the secret key. CVSS 8.8 reflects network-accessible, low-complexity exploitation with no authentication required (CVSS:4.0 PR:N). No public exploit identified at time of analysis, but exploitation requires only basic S3 API knowledge. Patched in RELEASE.2026-04-11T03-20-12Z per vendor advisory GHSA-9c4q-hq6p-c237.

Authentication Bypass Minio
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-6859 HIGH GHSA This Week

Remote code execution in InstructLab affects Red Hat Enterprise Linux AI 3 when users download or train models from HuggingFace Hub. The linux_train.py script hardcodes trust_remote_code=True, allowing attackers to execute arbitrary Python code by hosting malicious models on HuggingFace and convincing users to run ilab train, download, or generate commands. This configuration weakness enables complete system compromise through social engineering attacks. CVSS 8.8 with network vector but requires user interaction, reducing automatic exploitation risk. No active exploitation (CISA KEV) or public POC identified at time of analysis.

RCE Python Red Hat Enterprise Linux Ai Rhel Ai 3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41145 HIGH GHSA This Week

Authentication bypass in MinIO object storage allows remote attackers to write arbitrary objects to any bucket using only a valid access key, without the corresponding secret key or cryptographic signature. The vulnerability affects MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z. Attackers can impersonate any user with WRITE permissions by exploiting a logic flaw in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path that incorrectly validates credentials from query parameters while bypassing signature verification. Vendor-released patch available in RELEASE.2026-04-11T03-20-12Z (GitHub commit 76913a9f). No public exploit identified at time of analysis, but exploitation requires only knowledge of a valid access key and target bucket name.

Authentication Bypass Minio
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-41133 HIGH GHSA This Week

Session fixation in pyLoad 0.5.0b3.dev97 and earlier allows authenticated users to retain revoked administrative privileges until logout. After an administrator demotes a user's role or revokes permissions, the affected user's active session continues to operate with the old cached privileges, enabling unauthorized administrative actions. Publicly available exploit code exists via GitHub commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1. With CVSS 8.8 (High) but requiring low-privilege authentication (PR:L), this represents an elevation-of-privilege vector in multi-user pyLoad deployments where role changes are expected to take immediate effect.

Information Disclosure Python
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31450 HIGH PATCH This Week

Race condition in Linux kernel ext4 filesystem allows denial of service through kernel panic when fast commit feature processes incompletely initialized journal inodes. Affects Linux kernel versions from 3.11 through multiple stable branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x) prior to patched versions released in early 2025. Vendor patches available across all affected stable branches. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Not listed in CISA KEV, and no public exploit code identified at time of analysis. CVSS 8.8 reflects authenticated network attack vector, though real-world risk limited to systems where attackers have filesystem write access and ext4 fast commit is enabled.

Denial Of Service Linux Null Pointer Dereference
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31435 HIGH PATCH This Week

Read retry logic in the Linux kernel's netfs subsystem can incorrectly abandon all remaining subrequests due to an uninitialized or invalid pointer, potentially exposing unintended memory contents or causing denial of service through kernel crashes. Affects Linux kernel 6.12 through early 6.19 and 7.0 development branches. Vendor patches available for 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low real-world exploitation probability. Not listed in CISA KEV. CVSS 8.8 reflects network attack vector with user interaction required.

Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31433 HIGH PATCH This Week

Out-of-bounds write in Linux kernel ksmbd allows authenticated remote attackers to cause memory corruption via crafted SMB2 compound requests combining QUERY_DIRECTORY and QUERY_INFO commands. The vulnerability arises when get_file_all_info() fails to validate OutputBufferLength against available buffer space before converting filenames to UTF-16, enabling buffer overflow beyond response buffer boundaries. With CVSS 8.8 (High) and network attack vector requiring only low privileges, this presents significant risk to systems running ksmbd SMB server. Vendor patches available across multiple kernel versions (5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability remains low at 0.01% (2nd percentile), and no public exploit or CISA KEV listing identified at time of analysis.

Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31432 HIGH PATCH This Week

Out-of-bounds write in Linux kernel's ksmbd server allows authenticated remote attackers with low-privilege SMB access to corrupt memory and potentially execute arbitrary code or crash the system. The vulnerability triggers when processing compound SMB2 requests (e.g., READ + QUERY_INFO for security descriptors) where the first command consumes most of the response buffer, causing ksmbd to write beyond allocated memory when building security descriptors from POSIX ACLs. Vendor patches are available for kernel versions 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.01% suggests low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41673 HIGH PATCH GHSA This Week

Denial of service in @xmldom/xmldom Node.js XML library allows remote attackers to crash applications via deeply nested XML documents. Seven DOM traversal methods (normalize, serializeToString, getElementsByTagName, cloneNode, importNode, textContent getter, isEqualNode) implement unbounded recursion consuming call stack frames until RangeError exception terminates the process. Exploitation requires no authentication - attackers send a single valid XML payload nested ~5,000-10,000 levels deep to trigger stack exhaustion in any subsequent DOM operation. Browser implementations of identical DOM methods use iterative C++ code and are unaffected. CVSS 8.7 High severity reflects network attack vector with no complexity barriers. Vendor-released patches (0.8.13, 0.9.10) replace all recursive traversals with iterative 'walkDOM' utility consuming heap instead of stack. Legacy unscoped 'xmldom' package (≤0.6.0) remains unfixed.

Node.js Google Denial Of Service
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41672 HIGH PATCH GHSA This Week

XML node injection in the @xmldom/xmldom npm package allows remote attackers to inject arbitrary XML elements via maliciously crafted comment content containing the sequence '-->' which prematurely terminates comments during serialization. Applications processing untrusted input through createComment() or manipulating comment node data can emit structurally altered XML that downstream consumers parse as attacker-controlled elements. Public exploit code exists (GitHub PR #987). CVSS:4.0 rates this 8.7 (High) with network vector, low complexity, and no privileges required. Vendor-released patches require opt-in protection flag { requireWellFormed: true } to maintain backward compatibility with W3C spec defaults; existing code remains vulnerable unless explicitly migrated.

Information Disclosure Apple Google Mozilla
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-5749 HIGH PATCH This Week

Authentication bypass in Fullstep V5 registration process enables unauthenticated remote attackers to obtain valid JWT tokens for accessing protected API resources without credentials. CVSS v4.0 score of 8.7 reflects the severity of network-accessible authentication bypass with high confidentiality impact. Vendor patch is available through INCIBE coordination. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, though the vulnerability's low complexity (AC:L) and lack of required authentication (PR:N) make it readily exploitable once discovered.

Authentication Bypass Fullstep
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41674 HIGH PATCH GHSA This Week

XML injection in @xmldom/xmldom XMLSerializer allows remote attackers to inject arbitrary markup into serialized DOCTYPE declarations by crafting malicious DocumentType node properties (internalSubset, publicId, systemId). When applications programmatically create DocumentType nodes with attacker-controlled data via createDocumentType() and serialize the result, the serializer emits these fields verbatim without escaping or validation. Three distinct injection vectors exist: internalSubset containing ']>' terminates the DOCTYPE early; publicId containing quoted strings injects fake SYSTEM entities; systemId containing '>' breaks the declaration boundary. Downstream XML parsers re-parsing the serialized output may expand injected entities, enabling XXE attacks. No public exploit identified at time of analysis. EPSS data not provided. Vendor-released patch requires opt-in: applications must explicitly pass {requireWellFormed: true} to serializeToString() to enable validation guards; default behavior remains vulnerable to preserve backward compatibility with DOM Parsing spec.

XXE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41675 HIGH PATCH GHSA This Week

XML node injection in @xmldom/xmldom allows remote unauthenticated attackers to inject arbitrary XML elements by embedding the processing instruction closing delimiter `?>` in PI data. The serializer emits attacker-controlled data verbatim without escaping or validation, causing the remainder of the payload to be interpreted as active XML markup. Publicly available exploit code exists (GitHub PoC from April 2026). EPSS data not provided; CVSS 8.7 reflects high integrity impact (VI:H) with network vector and no authentication required. Patch available in versions 0.8.13+ and 0.9.10+ but requires opt-in `requireWellFormed: true` flag - default behavior remains vulnerable for backward compatibility.

Apple Google Mozilla RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41146 HIGH PATCH GHSA This Week

Remote unauthenticated denial of service affects facil.io (all versions prior to commit 5128747) and iodine (all versions before 0.7.59) through malformed JSON input triggering infinite CPU loop. Attackers can send crafted JSON payloads as small as two bytes ('[i') to the `fio_json_parse` function, causing the process to consume 100% of a CPU core indefinitely without crashing or returning an error. This vulnerability allows trivial resource exhaustion against any web service using these frameworks to parse untrusted JSON. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the attack requires only network access with no authentication and minimal complexity (CVSS AV:N/AC:L/PR:N), making exploitation straightforward once discovered.

Denial Of Service Facil Io Iodine
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41454 HIGH PATCH This Week

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform administrative integration management without authorization checks. Attackers can enumerate webhook URLs and secrets, create/modify/delete integrations, and manipulate integration activities through unprotected REST API endpoints. CVSS 8.7 reflects high confidentiality and integrity impact with network attack vector and low complexity. VulnCheck reported this vulnerability with vendor patch available in version 8.35 and commit 2cd702f. EPSS data not available; no confirmed active exploitation or POC identified at time of analysis.

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41683 HIGH PATCH GHSA This Week

HTTP response splitting and denial-of-service in i18next-http-middleware < 3.9.3 allows remote unauthenticated attackers to inject arbitrary HTTP headers or crash Node.js processes via CRLF sequences in the lng parameter. On Node.js < 14.6.0, attackers achieve response splitting enabling session fixation, cache poisoning, and reflected XSS. On Node.js ≥ 14.6.0, malformed headers trigger unhandled ERR_INVALID_CHAR exceptions, returning 500 errors to all concurrent users sharing the affected process. Vendor-released patch available in version 3.9.3. No public exploit identified at time of analysis, though exploitation is trivial given the attack vector (simple query parameter manipulation).

Node.js XSS Denial Of Service
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-35548 HIGH This Week

Server-Side Request Forgery in guardsix (formerly Logpoint) ODBC Enrichment Plugins allows authenticated Operator users to redirect stored database credentials to arbitrary internal systems by modifying connection endpoints without clearing cached credentials. The vulnerability affects versions before 5.2.1 and enables credential misuse against unintended internal databases despite Changed Scope (CVSS S:C) indicating potential cross-boundary impact. EPSS and exploitation data not available; SSVC indicates no known exploitation, non-automatable attack requiring low-privilege authentication, with partial technical impact to confidentiality and integrity.

SSRF
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-0539 HIGH This Week

Local privilege escalation in pcvisit Remote Host Modul on Windows allows low-privileged users to gain NT AUTHORITY\SYSTEM by overwriting the service binary with malicious code that executes automatically at boot. All versions after 22.6.22.1329 through 25.12.3.1745 are affected due to weak file permissions (CWE-276). Vendor patched in version 25.12.3.1745 per advisory. EPSS and KEV status unknown, but vulnerability is trivial to exploit (CVSS AV:L/AC:L/PR:L) with maximum local impact (8.5 High).

Microsoft Privilege Escalation
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-5398 HIGH This Week

Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploiting a use-after-free condition in the TIOCNOTTY ioctl implementation. When a process detaches from its controlling terminal and exits, a dangling pointer in the terminal structure references freed session memory, which attackers can manipulate to escalate privileges. This vulnerability affects multiple stable and release branches with CVSS 8.4 (High) but low EPSS probability (0.02%, 5th percentile), indicating theoretical severity without observed widespread exploitation. Not listed in CISA KEV, suggesting no confirmed active exploitation at time of analysis.

Use After Free Information Disclosure Memory Corruption Freebsd
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-40937 HIGH PATCH GHSA This Week

# Missing Admin Auth on Notification Target Endpoints in RustFS ### Finding Summary All four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. ### What Was Proven Live 1. **Authorization bypass on all four endpoints** (03_readonly_user_bypass.py) - PUT, GET list, GET arns, DELETE all return 200 for readonly-user - Control routes (list-users, kms/status) correctly return 403 - Unauthenticated requests correctly rejected (403 Signature required) 2. **SSRF via health probe** (04_ssrf_listener_landing.py) - HEAD request from rustfs container to attacker-controlled listener - No host validation: only scheme check (http/https) 3. **Target hijacking and event exfiltration** (05_target_hijacking.py, 06_full_event_exfil.py) - Readonly-user overwrites admin-configured target URL by name - Subsequent S3 events delivered to attacker-controlled endpoint - Captured event body includes object keys, bucket names, user identities, and request metadata 4. **Audit evasion** (05_target_hijacking.py) - Readonly-user can delete unbound targets - Readonly-user can overwrite bound targets (silently redirecting events) ### Escalation Vectors Tested But Not Viable 1. **Self-referencing webhook to admin API** (13_self_referencing_test.py) - Webhook sends unsigned POST with event JSON body - Admin endpoints require SigV4 auth -- unsigned request rejected - "Confused deputy" via self-referencing does NOT work 2. **Protocol smuggling via non-HTTP targets** - Only 2 target types implemented: webhook and MQTT (`event.rs:613` enforces this) - No Redis, Kafka, AMQP, or other protocol targets exist - CRLF injection in webhook config fields sanitized by reqwest - MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection 3. **MQTT target for RCE** - No unsafe code in MQTT handler - rumqttc 0.29.0 has no known public CVEs - No Command::new, template engines, or deserialization of broker responses 4. **Unauth access** - Endpoints correctly reject unauthenticated requests (403) - Endpoints correctly reject invalid credentials (403) ### Prior Art No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest: - CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file - CVE-2026-22043 (deny_only short-circuit) -- different bug class ### Recommendation Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add `validate_admin_request` calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts. Koda Reef ### Patch This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.

SSRF Deserialization Authentication Bypass Redis
NVD GitHub
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-41644 HIGH PATCH GHSA This Week

Server-side request forgery in monetr's Lunch Flow integration allows authenticated users on self-hosted instances to force the server to issue HTTP GET requests to arbitrary URLs, with response bodies from failed requests reflected in API error messages. This enables information disclosure attacks against internal networks, cloud metadata endpoints (AWS EC2 instance metadata without IMDSv2), and RFC1918 private addresses. The vulnerability is compounded by unbounded response buffering that creates a denial-of-service vector via memory exhaustion. Patch available in v1.12.5. The hosted my.monetr.app service is not affected as Lunch Flow is disabled there. Self-hosted instances with default configuration (Lunch Flow enabled, public signup allowed) are at highest risk.

Information Disclosure SSRF
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-41422 HIGH PATCH GHSA This Week

SQL injection in Daptin's `/aggregate/:typename` endpoint allows authenticated low-privilege users to extract arbitrary database content via unsanitized query parameters. The `column` and `group` parameters are passed directly to raw SQL literal expressions without validation, enabling data exfiltration from any table including user credentials, database schema disclosure, and cross-table correlation attacks. Patched in version 0.11.4 which replaces all raw SQL construction with parameterized queries and schema-based validation. No evidence of active exploitation or public POC at time of analysis, though exploitation is straightforward for authenticated users.

SQLi
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-41458 HIGH PATCH This Week

Concurrent DAAP login requests crash OwnTone Server 28.4-29.0 via race condition in session list handling, causing remote denial of service without authentication. Attack complexity is high (CVSS AC:H) but requires no privileges, enabling unauthenticated attackers to flood the /login endpoint and trigger crashes through unsynchronized global state access. Vendor patch available via GitHub commit dca94641; no active exploitation confirmed at time of analysis.

Denial Of Service Race Condition Owntone Server
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-31476 HIGH PATCH This Week

Remote unauthenticated denial-of-service in Linux kernel's ksmbd SMB server allows attackers to terminate arbitrary active user sessions by sending crafted multichannel binding requests with invalid credentials. The flaw affects ksmbd (kernel-mode SMB server) across multiple stable kernel branches (6.1.x through 7.0). Vendor patches available for all affected versions. EPSS score of 0.08% (23rd percentile) indicates low observed exploitation likelihood, with no CISA KEV listing or public POC identified at time of analysis. The CVSS 8.2 rating reflects network-accessible attack surface with high availability impact, though actual exploitation requires specific SMB multichannel configuration.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-6023 HIGH PATCH This Week

Remote code execution in Progress Telerik UI for ASP.NET AJAX via insecure deserialization in the RadFilter control allows unauthenticated remote attackers to execute arbitrary code on the server by tampering with exposed client-side filter state. Affected versions span 2024.4.1114 through 2026.1.421. EPSS data not available; no public exploit or CISA KEV listing identified at time of analysis. The CVSS 8.1 (High) reflects network accessibility but 'High' attack complexity (AC:H), indicating successful exploitation requires specific conditions beyond simple network access.

Deserialization RCE Telerik Ui For Asp Net Ajax
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-41175 HIGH PATCH GHSA This Week

Mass deletion of content, assets, and user accounts in Statamic CMS versions prior to 5.73.20 and 6.13.0 occurs via query parameter manipulation on Control Panel endpoints (requiring minimal authentication like 'view entries' permission) or unauthenticated exploitation through REST/GraphQL APIs if explicitly enabled without authentication. Authenticated attackers with low-privilege viewer roles can escalate to delete resources they should only read. Unauthenticated attackers can exploit misconfigured API endpoints (non-default configuration) to achieve the same destructive impact. CVSS 8.1 (High) reflects network-accessible attack with low complexity, though exploitation conditions vary significantly by deployment configuration. No active exploitation confirmed (not in CISA KEV), EPSS data not provided.

Information Disclosure Cms
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-26354 HIGH PATCH This Week

Stack-based buffer overflow in Dell PowerProtect Data Domain DD OS allows remote unauthenticated attackers to execute arbitrary commands on vulnerable appliances. Affects Feature Release versions 7.7.1.0-8.6, LTS2025 (8.3.1.0-8.3.1.10), and LTS2024 (7.13.1.0-7.13.1.60). Despite network-accessible attack vector (AV:N/PR:N), high attack complexity (AC:H) indicates specialized exploit conditions. CISA SSVC framework rates exploitation as 'none' and automatable as 'no', suggesting manual, targeted exploitation rather than mass scanning. No active exploitation confirmed at time of analysis. Dell has released patches across all affected release tracks (DSA-2026-060).

Buffer Overflow Stack Overflow Dell
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41681 HIGH PATCH GHSA This Week

Stack-based buffer overflow in rust-openssl's MdCtxRef::digest_final() allows safe Rust code to corrupt memory when EVP_DigestFinal() writes beyond the provided output buffer boundary. The vulnerability occurs when the output buffer is smaller than EVP_MD_CTX_size(ctx), causing EVP_DigestFinal() to write past the buffer end and corrupt stack memory. Vendor-released patch available in version 0.10.78 via GitHub commit 826c3888. No public exploit identified at time of analysis, but exploitable from memory-safe Rust code paths, violating Rust's safety guarantees.

Buffer Overflow Stack Overflow
NVD GitHub VulDB
CVSS 4.0
8.1
EPSS
0.0%
CVE-2026-31464 HIGH PATCH This Week

Out-of-bounds memory access in Linux kernel's IBM Virtual Fibre Channel (ibmvfc) driver allows adjacent network attackers to leak kernel memory contents. A compromised or malicious VIO server can supply a crafted num_written value exceeding max_targets in discover targets MAD responses, causing unbounded indexing into disc_buf[] and embedding out-of-bounds kernel data in subsequent PLOGI and Implicit Logout MADs sent back to the attacker. Vendor patches available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No public exploit code or CISA KEV listing identified at time of analysis.

Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-31513 HIGH PATCH This Week

Buffer over-read in Linux kernel Bluetooth L2CAP allows adjacent network attackers to disclose sensitive kernel memory and crash systems via malformed Enhanced Credit Based Connection Requests. Affects multiple stable kernel versions (6.12.x, 6.18.x, 6.19.x). Vendor patches available for all affected branches. EPSS score of 0.02% indicates low observed exploitation probability despite the network-adjacent attack vector and lack of required authentication. No public exploit identified at time of analysis.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22747 HIGH PATCH This Week

Authentication bypass via user impersonation affects Spring Security 7.0.0 through 7.0.4, where the SubjectX500PrincipalExtractor mishandles malformed CN values in X.509 client certificates and extracts the wrong username. Authenticated attackers presenting a carefully crafted certificate can be authenticated as a different (potentially higher-privileged) user. No public exploit identified at time of analysis; EPSS is very low (0.02%) and CISA SSVC marks exploitation as none.

Information Disclosure Java Spring Security
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-31494 HIGH PATCH This Week

Out-of-bounds write in the Linux kernel macb Ethernet driver allows local authenticated users with low privileges to corrupt kernel memory, potentially leading to privilege escalation, denial of service, or information disclosure. The vulnerability affects the ethtool statistics collection path where gem_get_ethtool_stats() writes statistics for MACB_MAX_QUEUES regardless of the actual number of active queues, causing a 760-byte buffer overflow when fewer queues are configured. KASAN validation confirms heap corruption with a write beyond allocated vmalloc region boundaries. No active exploitation confirmed (not in CISA KEV), and EPSS score is low (0.03%, 10th percentile), indicating minimal observed exploitation activity. Patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).

Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31508 HIGH PATCH This Week

Use-after-free in Linux kernel Open vSwitch module causes system crash when deleting network interfaces on PREEMPT_RT kernels. The vulnerability is confirmed patched in multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0) with upstream fixes available via kernel.org commits. EPSS score of 0.02% (7th percentile) indicates very low exploitation likelihood. No active exploitation confirmed (not in CISA KEV). Local authenticated access required (CVSS AV:L/PR:L) with high impact (CVSS 7.8), but exploitation depends on PREEMPT_RT kernel configuration and specific Open vSwitch teardown race conditions.

Canonical Information Disclosure Linux Dell
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31507 HIGH PATCH This Week

Double-free vulnerability in Linux kernel SMC (Shared Memory Communications) splice handling allows local authenticated attackers to trigger use-after-free conditions and kernel panic. The flaw occurs when tee(2) duplicates an SMC pipe buffer: both the original and cloned pipe_buffer share the same smc_spd_priv pointer, causing smc_rx_pipe_buf_release() to free the same memory twice on pipe cleanup. This escalates from KASAN-detected slab-use-after-free to NULL pointer dereference in smc_rx_update_consumer(), resulting in denial of service via kernel crash. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile) with no public exploit or CISA KEV listing at time of analysis.

Denial Of Service Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy