279 CVEs tracked today. 31 Critical, 113 High, 125 Medium, 6 Low.
-
CVE-2026-40630
CRITICAL
CVSS 9.3
Remote unauthenticated attackers can bypass authentication and access sensitive configuration endpoints in SenseLive X3050's web management interface. The vulnerability enables complete device compromise without credentials due to improper access control enforcement (CWE-288). Reported by ICS-CERT and published in CISA advisory ICSA-26-111-12, this affects operational technology environments where the X3050 is deployed. With CVSS 9.3 (Critical) and network attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), this presents immediate risk to internet-exposed or network-accessible devices.
Authentication Bypass
-
CVE-2026-40620
CRITICAL
CVSS 9.3
SenseLive X3050's embedded management service grants full administrative control to unauthenticated remote attackers. The CVSS 4.0 score of 9.3 with network attack vector (AV:N), low complexity (AC:L), and no required privileges (PR:N) confirms this allows complete device compromise from any network-reachable host. CISA ICS Advisory ICSA-26-111-12 documents this vulnerability affecting industrial control system components, indicating potential operational technology (OT) environments are exposed. No authentication or authorization mechanisms protect the management interface, allowing arbitrary configuration changes, operational mode manipulation, and device state control through vendor or compatible clients.
Authentication Bypass
-
CVE-2026-25775
CRITICAL
CVSS 9.3
Unauthenticated remote attackers can retrieve and replace firmware on SenseLive X3050 industrial control devices via the remote management service, which performs no authentication, authorization, or integrity validation. This allows complete device takeover by uploading malicious firmware images. CISA has published an ICS advisory (ICSA-26-111-12), indicating industrial/OT sector relevance, though no CISA KEV listing or public exploit code has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-41501
CRITICAL
CVSS 9.8
Remote code execution in electerm's npm install script allows unauthenticated attackers to execute arbitrary system commands on Linux systems during package installation. The install.js script unsafely concatenates attacker-controlled version strings from the project's update server directly into an 'rm -rf' command, enabling command injection. This critically affects users installing electerm via 'npm install -g electerm' on Linux, as a compromised update server or man-in-the-middle attacker could inject malicious commands during the installation process. The vulnerability has been patched in commit 59708b38c8, and the fixed version is already published to npm.
Command Injection
Node.js
-
CVE-2026-41492
CRITICAL
CVSS 9.8
Unauthenticated attackers can steal admin tokens from Dgraph Alpha v25.3.2 and earlier via the exposed /debug/vars endpoint, enabling complete authentication bypass to administrative functions. The vulnerability exists because Dgraph incompletely fixed a previous cmdline exposure issue, blocking only /debug/pprof/cmdline while still serving Go's expvar handler at /debug/vars, which publishes the full command-line arguments including --security token= flags. Attackers can retrieve the token remotely without authentication (CVSS AV:N/PR:N) and replay it in X-Dgraph-AuthToken headers to access admin-only endpoints. Vendor patch released in v25.3.3 per GitHub advisory GHSA-vvf7-6rmr-m29q. No public exploit identified at time of analysis, but detailed proof-of-concept steps are published in the advisory.
Authentication Bypass
Information Disclosure
Docker
-
CVE-2026-41478
CRITICAL
CVSS 9.9
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through syn...
SQLi
-
CVE-2026-41428
CRITICAL
CVSS 9.1
Authentication bypass in Budibase low-code platform (versions prior to 3.35.4) allows remote unauthenticated attackers to access any protected API endpoint by appending a public endpoint path as a query parameter. The vulnerability stems from unanchored regular expressions in authentication middleware that match against the full request URL including query strings, enabling attackers to craft requests like 'POST /api/global/users/search?x=/api/system/status' to bypass all authentication checks. CVSS score of 9.1 (Critical) reflects network-based remote exploitation with no authentication or user interaction required, resulting in high confidentiality impact and high availability impact. No public exploit code or active exploitation has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-41328
CRITICAL
CVSS 9.1
Pre-authentication NoSQL injection in Dgraph allows remote unauthenticated attackers to exfiltrate entire databases and modify schemas via crafted JSON mutation keys. The vulnerability exploits unsanitized language tag fields in the addQueryIfUnique function, enabling DQL query injection through specially crafted HTTP POST requests to port 8080. Attackers can extract all database contents including credentials, secrets, and AWS keys with two HTTP requests against default configurations where ACL is disabled. CVSS 9.1 (Critical) with network vector, no authentication required, and low attack complexity. No public exploit code confirmed outside the GitHub advisory, though a complete proof-of-concept with video demonstration exists in the advisory. EPSS data not available for this recent CVE.
Authentication Bypass
Denial Of Service
Python
Docker
Apple
-
CVE-2026-41327
CRITICAL
CVSS 9.1
Remote unauthenticated attackers can exfiltrate all data from Dgraph databases via DQL injection in the /mutate endpoint's cond parameter. Default configurations with ACL disabled allow single HTTP POST requests to bypass authentication and execute arbitrary read queries, returning complete database contents including credentials, PII, and secrets. The vulnerability exploits unsanitized string concatenation in buildUpsertQuery() where user-supplied cond values are written directly into DQL queries without escaping or validation. Proof-of-concept demonstrates extraction of AWS credentials, GCP service account keys, and user secrets in a single request. No public exploitation confirmed at time of analysis, but POC code publicly available via GitHub advisory. EPSS data not available; CVSS 9.1 indicates critical severity with network vector and no authentication required.
Authentication Bypass
Denial Of Service
Python
Docker
Apple
-
CVE-2026-41248
CRITICAL
CVSS 9.1
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @cler...
Authentication Bypass
-
CVE-2026-39920
CRITICAL
CVSS 9.3
Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure.
Apache
Java
Information Disclosure
-
CVE-2026-35064
HIGH
CVSS 8.7
Unauthenticated network discovery in SenseLive X3050 management ecosystem exposes device presence, identifiers, and management interfaces to attackers on the same network segment. The vendor's management protocol fails to authenticate discovery functions (CWE-306), allowing rapid enumeration of all deployed X3050 units without credentials. CISA ICS-CERT has issued an advisory (ICSA-26-111-12), indicating awareness in industrial control system environments. CVSS 8.7 reflects high confidentiality impact from network-based, low-complexity attacks requiring no privileges or user interaction.
Authentication Bypass
-
CVE-2026-31669
CRITICAL
CVSS 9.8
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inet_lookup_established
The ehash table lookups are lockless and rely on
SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability
during RCU read-side critical sections. Both tcp_prot and
tcpv6...
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31668
CRITICAL
CVSS 9.8
In the Linux kernel, the following vulnerability has been resolved:
seg6: separate dst_cache for input and output paths in seg6 lwtunnel
The seg6 lwtunnel uses a single dst_cache per encap route, shared
between seg6_input_core() and seg6_output_core(). These two paths
can perform the post-encap SI...
Authentication Bypass
Linux
Red Hat
Suse
-
CVE-2026-31659
CRITICAL
CVSS 9.8
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: reject oversized global TT response buffers
batadv_tt_prepare_tvlv_global_data() builds the allocation length for a
global TT response in 16-bit temporaries. When a remote originator
advertises a large enough global TT...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31657
CRITICAL
CVSS 9.8
Use-after-free in Linux kernel batman-adv (B.A.T.M.A.N. Advanced mesh networking) allows remote network attackers to trigger memory corruption and potentially execute arbitrary code. The batadv_bla_add_claim() function can prematurely drop a gateway reference while readers still access the pointer, causing netlink dump and claim-check paths to dereference freed memory. Despite CVSS 9.8 critical rating, exploitation probability is low (EPSS 2%, 7th percentile), no active exploitation confirmed, and patches available across kernel stable branches 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, and mainline 7.0.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31649
CRITICAL
CVSS 9.8
Integer underflow in Linux kernel stmmac network driver allows kernel memory disclosure and potential corruption via crafted network packets. The flaw occurs in chain mode jumbo frame handling when packets have small linear data but large total length from page fragments, causing buffer offset calculations to wrap to ~0xFFFFxxxx. This triggers massive loop iterations that DMA-map arbitrary kernel memory to the network hardware. On typical stmmac deployments (IOMMU-less embedded SoCs), attackers can remotely read kernel memory contents and potentially corrupt memory through hardware DMA operations. EPSS exploitation probability is low (0.02%) with no confirmed active exploitation, but CVSS 9.8 reflects the theoretical remote unauthenticated attack surface. Vendor patches available across all supported stable kernel branches (5.10.253, 5.15.203, 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0).
Buffer Overflow
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-31637
CRITICAL
CVSS 9.8
Unauthenticated remote attackers can exploit a cryptographic validation bypass in the Linux kernel's RxRPC rxkad authentication handler to potentially execute arbitrary code or cause denial of service. The rxkad_decrypt_ticket() function fails to verify that RXKAD response ticket decryption succeeded before parsing the buffer contents, allowing malformed RESPONSE packets with non-block-aligned ticket lengths to drive the ticket parser with attacker-controlled ciphertext bytes. Despite the critical 9.8 CVSS score indicating network-exploitable attack with high impact across confidentiality, integrity, and availability, EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC has been identified. Patches are available across multiple stable kernel versions (6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31636
CRITICAL
CVSS 9.1
Out-of-bounds read in Linux kernel's rxrpc rxgk authentication handler allows remote unauthenticated attackers to trigger information disclosure and denial of service via malformed RESPONSE authenticator packets. The vulnerability stems from incorrect pointer arithmetic in rxgk_verify_authenticator() that inflates the parser boundary check by a factor of four, allowing reads beyond kmalloc() buffer boundaries. Vendor patches available for kernel versions 6.18.23, 6.19.13, and 7.0. EPSS score of 0.02% (4th percentile) suggests low observed exploitation probability despite network attack vector, though KASAN reports confirm reproducibility.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31633
CRITICAL
CVSS 9.8
Integer overflow in Linux kernel's rxrpc rxgk_verify_response() function allows remote unauthenticated attackers to bypass length validation checks and potentially achieve arbitrary code execution. The vulnerability exists in the rxrpc protocol implementation where token_len rounding occurs before validation, enabling buffer overflow conditions. With CVSS 9.8 (critical severity) and network attack vector requiring no authentication, this represents a significant exposure despite low EPSS score (0.02%, 4th percentile), suggesting limited real-world exploitation observed to date. Vendor patches are available across multiple stable kernel versions (6.18.23, 6.19.13, 7.0).
Buffer Overflow
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-31609
CRITICAL
CVSS 9.8
Double-free memory corruption in the Linux kernel SMB client (smbd) allows remote unauthenticated attackers to achieve arbitrary code execution, confidentiality breach, and denial of service. The vulnerability occurs when smbd_free_send_io() is erroneously called twice after smbd_send_batch_flush() operations, creating use-after-free conditions. Exploitation probability is low (EPSS 0.02%, 4th percentile) with no confirmed active exploitation or public POC, but the critical CVSS 9.8 score reflects the severe potential impact if network-accessible SMB client operations are triggered. Vendor patches available for kernel versions 6.18.24, 6.19.14, and 7.0.1.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31608
CRITICAL
CVSS 9.8
A double-free vulnerability in the Linux kernel's SMB Direct (RDMA transport) server implementation allows remote unauthenticated attackers to trigger memory corruption with high CVSS 9.8 severity. The flaw occurs when smb_direct_free_sendmsg() is called twice on the same memory region after smb_direct_flush_send_list() moves messages to a batch list. Vendor patches available across kernel versions 6.18.24, 6.19.14, and 7.0.1, with upstream commits confirmed in stable branches. Despite critical CVSS scoring, EPSS probability remains very low at 0.02% (4th percentile) and no active exploitation or public POC identified, suggesting limited real-world targeting of this SMB Direct RDMA feature.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31607
CRITICAL
CVSS 9.8
Heap buffer overflow in Linux kernel USB/IP client allows malicious USB/IP servers to execute arbitrary code with kernel privileges via crafted RET_SUBMIT responses. A rogue server can specify a larger number_of_packets value than originally submitted, causing out-of-bounds writes when processing isochronous USB transfers. Patched in kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) suggests low probability of widespread exploitation despite CVSS 9.8 criticality, indicating this is primarily a risk in environments using USB/IP with untrusted servers rather than a general internet-facing threat.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31589
CRITICAL
CVSS 9.8
Use-after-free in Linux kernel memory management allows remote code execution when the folio_unmap_invalidate() function incorrectly accesses freed mapping structures. Kernel versions between 1da177e4c3f4 and patches 6.19.14/7.0.1 are affected. Exploitation probability is low (EPSS 2%, percentile 5%), with no confirmed active exploitation or public POC at time of analysis. Despite the critical CVSS 9.8 score indicating network-based unauthenticated attack, the description suggests this is a kernel memory corruption bug requiring local kernel code paths to trigger, not direct remote network exploitation; the CVSS vector conflicts with the technical nature of the bug and should be validated against vendor guidance.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-31536
CRITICAL
CVSS 9.8
Use-after-free in Linux kernel SMB server (ksmbd) RDMA handling allows remote unauthenticated attackers to execute arbitrary code, escalate privileges, or crash the system via crafted SMB Direct connections. The vulnerability arises when batched RDMA send operations without IB_SEND_SIGNALED flags are prematurely freed during connection failures, causing memory corruption. Vendor patches are available for kernel versions 6.18.11, 6.19.1, and 7.0. EPSS score of 0.02% suggests low observed exploitation probability, and no active exploitation or public POC is confirmed at time of analysis, though the critical CVSS score (9.8) reflects severe potential impact if the SMB Direct feature is enabled.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-27841
HIGH
CVSS 8.4
Cross-Site Request Forgery in SenseLive X3050's web management interface enables authenticated attackers to force victims into executing unauthorized configuration changes and potentially disruptive operations. A remote attacker with low privileges can craft malicious web pages that, when visited by an authenticated administrator, trigger state-changing requests without the victim's knowledge, leading to high integrity and availability impact on the device. CISA ICS-CERT has issued an advisory (ICSA-26-111-12) for this industrial control system component, indicating coordination with the vendor and awareness within the critical infrastructure community.
CSRF
-
CVE-2026-25660
CRITICAL
CVSS 9.3
Authentication bypass in CodeChecker allows remote unauthenticated attackers to assign arbitrary permissions to any user through specially crafted URLs. All versions through 6.27.3 are affected, exposing static analysis infrastructure to complete compromise. CVSS 9.3 (Critical) with SSVC framework confirming total technical impact and automated exploitation potential. Proof-of-concept code exists (CVSS vector E:P), though CISA KEV does not currently list active exploitation. EPSS data unavailable but attack prerequisites are minimal (AV:N/AC:L/PR:N), making this a high-priority remediation target for organizations using CodeChecker in their development pipelines.
Authentication Bypass
-
CVE-2026-6911
CRITICAL
CVSS 9.3
Missing JWT signature verification in AWS Ops Wheel enables remote unauthenticated attackers to forge administrative tokens and gain complete control over all application data and Cognito user accounts across all tenants. This critical authentication bypass (CVSS 9.8) has a vendor-released patch available via GitHub PR #164. EPSS data not available, but the combination of zero authentication requirements, network attack vector, and multi-tenant data exposure creates immediate exploitation risk for all deployments.
Information Disclosure
Jwt Attack
-
CVE-2026-1952
CRITICAL
CVSS 9.8
Remote unauthenticated attackers can trigger denial of service in Delta Electronics AS320T industrial automation devices by invoking an undocumented subfunction. The vulnerability allows network-accessible exploitation without credentials against default configurations, potentially disrupting critical industrial control operations. Delta Electronics confirmed the flaw in PCSA-2026-00006, grouped with three other CVEs affecting the same product line.
Denial Of Service
-
CVE-2026-1951
CRITICAL
CVSS 9.8
Unchecked directory name buffer in Delta Electronics AS320T enables remote code execution without authentication. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is a remotely exploitable stack buffer overflow (CWE-121) requiring no user interaction or credentials. Delta Electronics disclosed this vulnerability in security advisory PCSA-2026-00006, affecting an industrial automation product. No EPSS score or KEV status available at time of analysis, but the trivial exploitation requirements (network accessible, no authentication, low complexity) present immediate risk to exposed AS320T devices.
Buffer Overflow
Stack Overflow
-
CVE-2026-1950
CRITICAL
CVSS 9.8
Remote code execution in Delta Electronics AS320T allows unauthenticated network attackers to exploit an unchecked buffer overflow in filename processing to execute arbitrary code with high impact to confidentiality, integrity, and availability. The CVSS 9.8 critical score reflects network-accessible attack surface with no authentication or user interaction required. No EPSS or KEV data available at time of analysis, but vendor advisory confirms multiple related vulnerabilities affecting the same product line.
Buffer Overflow
Stack Overflow
-
CVE-2026-1949
CRITICAL
CVSS 9.8
Remote code execution in Delta Electronics AS320T industrial automation server allows unauthenticated network attackers to trigger memory corruption via malformed GET/PUT requests to the web service. The incorrect buffer size calculation (CWE-131) enables stack-based overflow attacks against network-exposed management interfaces. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating trivial exploitation conditions and CRITICAL severity, this vulnerability represents an immediate risk to industrial control systems deploying this Delta OT product, though no public exploit or active exploitation confirmed at time of analysis.
Information Disclosure
-
CVE-2026-21515
CRITICAL
CVSS 9.9
Privilege escalation in Azure IoT Central enables authenticated attackers to gain unauthorized access to sensitive information and elevate their permissions across tenant boundaries. An attacker with low-privilege credentials can exploit exposed sensitive data over the network to compromise confidentiality, integrity, and availability of other tenant resources. Microsoft has published security guidance, but no independent confirmation of patch availability exists at time of analysis.
Information Disclosure
Microsoft
-
CVE-2026-42171
HIGH
CVSS 7.8
NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).
Information Disclosure
-
CVE-2026-42043
HIGH
CVSS 7.2
HTTP request smuggling in Axios HTTP client library allows remote attackers to bypass NO_PROXY protection and route requests through 127.0.0.0/8 addresses other than 127.0.0.1. Attackers who control target URLs in applications using Axios prior to versions 1.15.1 and 0.31.1 can bypass proxy restrictions and potentially access internal resources with changed scope (CVSS S:C). This is an incomplete fix regression of CVE-2025-62718, indicating the original patch failed to cover the full 127.0.0.0/8 loopback range. No public exploit identified at time of analysis; EPSS data not provided.
Authentication Bypass
Node.js
Red Hat
-
CVE-2026-42035
HIGH
CVSS 7.4
Prototype pollution in Axios 1.x (prior to 1.15.1) and 0.x (prior to 0.31.1) enables HTTP header injection attacks when any dependency in the application pollutes Object.prototype with specific properties (getHeaders, append, pipe, on, once, Symbol.toStringTag). Attackers exploit the HTTP adapter's duck-type checking to inject arbitrary headers into outbound HTTP requests, potentially leading to authentication bypass, session hijacking, or cache poisoning. EPSS data unavailable; no confirmed active exploitation (CISA KEV) at time of analysis. Publicly available exploit code exists per vendor advisory GHSA-6chq-wfr3-2hj9.
RCE
Node.js
Red Hat
-
CVE-2026-42033
HIGH
CVSS 7.4
Prototype pollution in Axios HTTP client versions before 1.15.1 and 0.31.1 enables silent interception and modification of all JSON responses or complete HTTP transport hijacking when the JavaScript Object.prototype has been polluted by a co-dependency. This vulnerability requires a separate prototype pollution source within the same Node.js process but requires no authentication once that precondition exists. An attacker can then access credentials, headers, and request bodies across the application. EPSS data not available; no public exploit identified at time of analysis.
Information Disclosure
Node.js
Red Hat
Prototype Pollution
-
CVE-2026-41907
HIGH
CVSS 8.1
Buffer overwrite vulnerability in uuid JavaScript library versions prior to 14.0.0 enables remote attackers to corrupt memory and potentially disclose sensitive information through out-of-range writes when applications use v3, v5, or v6 UUID generation functions with caller-provided output buffers. The library fails to validate buffer boundaries, allowing partial writes beyond allocated memory regions. Vendor patch available in version 14.0.0 per GitHub security advisory GHSA-w5hq-g745-h8pq. No confirmed active exploitation (not in CISA KEV), and CVSS 4.0 Environmental Score suggests exploitation status is unproven (E:U).
Information Disclosure
Memory Corruption
Red Hat
-
CVE-2026-41898
HIGH
CVSS 8.3
Buffer overflow in rust-openssl 0.9.24 through 0.10.77 allows remote unauthenticated attackers to trigger memory corruption via crafted PSK (Pre-Shared Key) or cookie callback responses. The FFI trampolines in SslContextBuilder fail to validate closure-returned buffer sizes against allocated memory regions before passing values to OpenSSL, enabling out-of-bounds writes. Patch released in version 0.10.78. SSVC framework indicates no active exploitation detected, non-automatable attack requiring precise timing conditions (CVSS AT:P), with partial technical impact limited to confidentiality breach and minor availability disruption.
Buffer Overflow
OpenSSL
-
CVE-2026-41894
HIGH
CVSS 7.1
Directory traversal in SiYuan personal knowledge management system allows authenticated attackers to read arbitrary workspace files via double URL encoding bypass. The vulnerability stems from an incomplete fix for CVE-2026-30869 that added only denylist validation without removing a redundant url.PathUnescape() call in serveExport(). Attackers can use %252e%252e encoding to access sensitive files including the complete SQLite database (siyuan.db), kernel logs, and all user documents. EPSS data not available for this recent CVE; publicly available exploit code exists (GitHub commit demonstrates exploitation technique).
Path Traversal
-
CVE-2026-41680
HIGH
CVSS 8.7
Unauthenticated remote attackers can crash Node.js applications using marked versions 18.0.0-18.0.1 by sending a specially crafted 3-byte sequence (tab, vertical tab, newline). The infinite recursion loop exhausts memory and triggers an out-of-memory crash, enabling complete denial of service against any exposed markdown parsing endpoint. Vendor-released patch fixes the vulnerability in version 18.0.2. No public exploit identified at time of analysis, though the attack input is trivially simple and reproducible. CVSS v4.0 8.7 reflects high availability impact with network reachability and no authentication barriers.
Denial Of Service
Node.js
Red Hat
-
CVE-2026-41503
HIGH
CVSS 8.7
Remote attackers can crash BACnet Stack-powered embedded devices (versions prior to 1.4.3) by sending malformed ReadPropertyMultiple (RPM) requests containing a 1-byte property payload with an extended tag marker (0xF9). The vulnerability triggers an out-of-bounds read in the RPM service decoder, causing denial-of-service on industrial building automation systems that use this open-source C library. Affects default configurations where ReadPropertyMultiple service is enabled. EPSS data and KEV status not available; no public exploit confirmed at time of analysis, though GitHub security advisory provides technical details that could facilitate reproduction.
Buffer Overflow
Information Disclosure
-
CVE-2026-41502
HIGH
CVSS 8.7
Remote denial of service in BACnet Stack library versions before 1.4.3 allows unauthenticated attackers to crash embedded building automation devices by sending a malformed ReadPropertyMultiple request with a truncated object identifier. The off-by-one buffer read vulnerability triggers crashes on resource-constrained BACnet devices running the default-enabled RPM service handler. CVSS v4.0 scores this 8.7 (High) based on network attack vector and high availability impact, though no public exploit code or active exploitation has been identified at time of analysis.
Buffer Overflow
Information Disclosure
-
CVE-2026-41486
HIGH
CVSS 8.9
Remote code execution in Ray Data 2.49.0-2.54.0 allows attackers to execute arbitrary Python code by crafting malicious Parquet files containing Ray tensor extension types. When Ray Data reads these files, it deserializes untrusted metadata using cloudpickle.loads() without validation, triggering code execution during schema parsing before any data is read. The vulnerability requires only that a victim read a crafted Parquet file from any source (cloud storage, HuggingFace datasets, shared filesystems); no cluster access or authentication is needed. This reintroduces a vulnerability class previously fixed in May 2024, making it a regression introduced in July 2025 (PR #54831). Working proof-of-concept exists demonstrating exploitation via HuggingFace datasets following Ray's own documentation. EPSS data not available, not currently in CISA KEV.
RCE
Python
Deserialization
Code Injection
-
CVE-2026-41485
HIGH
CVSS 7.7
A type assertion bug in Kyverno's forEach mutation handler crashes the cluster-wide background controller into CrashLoopBackOff and blocks admission controller operations, causing denial of service for policy-matched resources. Any authenticated user with Policy or ClusterPolicy creation permissions can trigger the crash by creating a malformed policy. The vulnerability affects Kyverno versions prior to 1.17.2 and 1.16.4, is limited to the legacy policy engine (CEL-based policies unaffected), and persists until the malicious policy is deleted. Vendor-released patches available with confirmed fix commits on GitHub.
Denial Of Service
Suse
-
CVE-2026-41477
HIGH
CVSS 7.8
Local privilege escalation in Deskflow (all versions up to 1.20.0 stable and 1.26.0.134 continuous) allows any low-privilege Windows user to execute arbitrary commands as SYSTEM by accessing an unauthenticated IPC named pipe. The daemon runs with SYSTEM privileges and processes commands without validating caller identity due to WorldAccessOption configuration. No public exploit identified at time of analysis, but the attack vector is straightforward for local users with basic Windows IPC knowledge.
Authentication Bypass
Suse
-
CVE-2026-41476
HIGH
CVSS 7.4
Out-of-bounds memory read in Deskflow's clipboard deserialization allows authenticated remote peers to crash the application or potentially leak memory contents. The vulnerability affects versions prior to 1.26.0.138 and stems from insufficient validation of clipboard data structure during network transfer between connected machines. A malicious peer on the shared keyboard/mouse network can exploit this by sending specially crafted clipboard updates. CVSS 7.4 reflects network-based attack with low complexity requiring authenticated peer connection. No public exploit identified at time of analysis, though proof-of-concept code exists (CVSS E:P).
Buffer Overflow
Deserialization
Suse
-
CVE-2026-41475
HIGH
CVSS 8.7
Out-of-bounds read in BACnet Stack library versions before 1.4.3 allows unauthenticated remote attackers to crash embedded BACnet devices or disclose memory contents by sending malformed WritePropertyMultiple (WPM) service requests over BACnet/IP. The flaw affects building automation and industrial control systems using the vulnerable C library. No public exploit identified at time of analysis, though the CVSS v4.0 score of 8.7 reflects high availability impact and network-accessible attack surface with low complexity.
Buffer Overflow
Information Disclosure
-
CVE-2026-41473
HIGH
CVSS 8.8
CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoin...
Authentication Bypass
Denial Of Service
-
CVE-2026-41433
HIGH
CVSS 8.4
OpenTelemetry eBPF Instrumentation versions 0.4.0 through 0.7.x allow local attackers controlling a Java workload to overwrite arbitrary host files via path traversal when Java injection is enabled and the agent runs with elevated privileges. The vulnerability exploits unsafe file creation in the Java agent injection path, where the injector trusts the target process's TMPDIR environment variable and lacks boundary checks, enabling symlink-based file clobbering and filesystem escape. Vendor-released patch available in version 0.8.0. No public exploit identified at time of analysis, but CVSS 8.4 reflects high integrity and availability impact with scope change from container to host.
Java
Path Traversal
-
CVE-2026-41432
HIGH
CVSS 7.1
Attackers can forge Stripe webhook events to obtain unlimited API quota without payment in QuantumNous new-api (Go package github.com/QuantumNous/new-api). The vulnerability exploits an empty default webhook secret that allows HMAC signature forgery, missing payment status validation, and cross-gateway order fulfillment logic that permits completing orders created through any payment provider (Epay, Creem, Waffo) via fabricated Stripe callbacks. Virtually all deployments with any payment method enabled are vulnerable in the default configuration. Fixed in version 0.12.10. No public exploit code identified at time of analysis, but the detailed advisory includes proof-of-concept pseudocode demonstrating the attack chain. CVSS 7.1 (High) with low attack complexity and low privileges required indicates practical exploitation risk for deployed instances.
RCE
Python
Google
Nginx
-
CVE-2026-41429
HIGH
CVSS 8.8
Memory corruption in arduino-esp32's NBNS packet handler allows adjacent network attackers to achieve remote code execution on ESP32-family microcontrollers without authentication. Affects all versions prior to 3.3.8 when NetBIOS is explicitly enabled via NBNS.begin(). The parser trusts attacker-controlled name_len field from UDP port 137 traffic, writing unbounded data to fixed-size buffers. EPSS data not available, no CISA KEV listing, but GitHub security advisory confirms the vulnerability with patch released in version 3.3.8.
Buffer Overflow
Stack Overflow
-
CVE-2026-41427
HIGH
CVSS 7.1
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict cl...
Authentication Bypass
-
CVE-2026-41421
HIGH
CVSS 8.8
Authenticated local users can execute arbitrary code on Windows, macOS, and Linux via HTML injection in SiYuan desktop notification messages through version 3.6.4. The Electron-based desktop application mishandles notification rendering with unsafe settings (nodeIntegration enabled, contextIsolation disabled, webSecurity disabled), escalating XSS to full system compromise. Vendor-released patch available in version 3.6.5. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
XSS
RCE
Command Injection
Microsoft
-
CVE-2026-41419
HIGH
CVSS 7.6
Path traversal in 4ga Boards before 3.3.5 allows authenticated users with board import privileges to force the server to read and expose arbitrary local files as board attachments during BOARDS archive import. Attackers can then download sensitive host files (configuration files, credentials, application source code) through the normal download interface. CVSS score of 7.6 reflects high confidentiality impact with low integrity/availability impact. No public exploit code or active exploitation confirmed at time of analysis, though the attack technique is straightforward for authenticated insiders.
Path Traversal
-
CVE-2026-41416
HIGH
CVSS 8.1
Integer overflow in PJSIP 2.16 and earlier enables remote unauthenticated attackers to trigger memory corruption or application crashes via malicious SDP packets with asymmetric ptime values. The vulnerability causes undersized buffer allocation during media stream processing, creating conditions for memory corruption with potential code execution or denial of service. Fixed in version 2.17 with no public exploit identified at time of analysis, though CVSS 8.1 and network attack vector indicate significant risk for internet-facing VoIP/multimedia applications.
Buffer Overflow
Integer Overflow
-
CVE-2026-41414
HIGH
CVSS 7.4
GitHub Actions workflow injection in Skim's CI pipeline allows remote code execution with elevated privileges when any GitHub user opens a pull request from a fork. The vulnerable generate-files job automatically checks out and executes attacker-controlled Rust code (via cargo run) with access to SKIM_RS_BOT_PRIVATE_KEY secret and GITHUB_TOKEN with contents:write permissions, enabling repository compromise. User interaction (maintainer reviewing the PR) is required for context, though the exploit executes automatically on PR creation. Patch available via commit bf63404, no active exploitation confirmed at time of analysis.
RCE
Code Injection
-
CVE-2026-41326
HIGH
CVSS 8.2
Arbitrary file write in Kata Containers v3.4.0 to v3.28.0 allows untrusted hosts to overwrite binaries and exfiltrate data from guest workloads, including those in confidential VMs (CVMs). The vulnerability stems from inadequate validation in the CopyFile policy, permitting host-initiated writes to arbitrary paths inside guest images. This enables binary replacement for code execution or data theft across the trust boundary. Patched in v3.29.0. EPSS data not available; no active exploitation confirmed at time of analysis.
Information Disclosure
-
CVE-2026-41325
HIGH
CVSS 7.1
Authenticated users in Kirby CMS can bypass permission controls to create unauthorized pages, files, and users by injecting malicious blueprint configuration during model creation. Versions prior to 4.9.0 and 5.4.0 fail to sanitize the 'blueprint' property in creation requests, allowing attackers with low-privilege accounts to override developer-defined authorization policies by setting 'create' => true in dynamic options. Patches are available in Kirby 4.9.0 and 5.4.0, which implement filtering of blueprint properties during normalization.
Authentication Bypass
-
CVE-2026-41324
HIGH
CVSS 7.5
Denial of service in basic-ftp for Node.js allows remote malicious FTP servers to crash client applications via unbounded memory consumption during directory listing operations. Attackers controlling or compromising an FTP server can send infinite or extremely large listing responses to Client.list() calls, exhausting client memory until process termination. Unauthenticated network attack with low complexity (CVSS:3.1 AV:N/AC:L/PR:N). No public exploit identified at time of analysis, though attack concept is straightforward for anyone operating a malicious FTP server.
Denial Of Service
Node.js
Red Hat
-
CVE-2026-41323
HIGH
CVSS 8.1
Kyverno's apiCall feature automatically attaches the admission controller's ServiceAccount token to HTTP requests without validating the destination URL, enabling authenticated attackers to exfiltrate tokens to attacker-controlled servers and achieve full cluster compromise through webhook configuration tampering. Affects Kyverno versions prior to 1.18.0-rc1, 1.17.2-rc1, and 1.16.4. Vendor-released patches available across all three affected version branches. EPSS data not provided, but the vulnerability enables privilege escalation from low-privilege Kubernetes user to cluster admin via token theft, representing critical risk in multi-tenant environments.
Information Disclosure
Suse
-
CVE-2026-41316
HIGH
CVSS 8.1
Remote code execution in Ruby ERB library via unsafe deserialization allows unauthenticated attackers to execute arbitrary code by exploiting incomplete protection in Marshal.load workflows. While ERB 2.2.0+ added guards to prevent code execution during deserialization in result() and run() methods, the def_module(), def_method(), and def_class() methods remained unprotected, enabling attackers to bypass the @_init safeguard. Exploitation requires high complexity (AV:N/AC:H) as applications must deserialize untrusted Marshal data with ERB loaded. No EPSS or KEV data available; exploitation likelihood depends on prevalence of unsafe Marshal.load patterns in Ruby codebases.
RCE
Deserialization
-
CVE-2026-41311
HIGH
CVSS 7.5
Infinite recursion in LiquidJS template engine crashes Node.js processes via out-of-memory condition when attackers submit templates with circular block references. Unauthenticated remote attackers can consume ~4GB RAM and terminate any application accepting user-provided Liquid templates by nesting identically-named blocks within `{% layout %}` / `{% block %}` tags. Vendor patch available via GitHub commit e2311df. CVSS 7.5 (High) reflects network-accessible, low-complexity attack requiring no privileges or user interaction, causing complete availability loss.
Denial Of Service
Node.js
-
CVE-2026-41309
HIGH
CVSS 8.2
Resource exhaustion in Open Source Social Network (OSSN) versions prior to 9.0 allows remote unauthenticated attackers to trigger Denial of Service by uploading specially crafted images with extreme pixel dimensions (e.g., 10000×10000). While the compressed file size appears small, server-side decompression and resizing allocates excessive memory and CPU, crashing or degrading service. EPSS exploitation probability data not available, but the attack vector is straightforward (AV:N/AC:L/PR:N) with publicly documented technical details and fix commit available on GitHub. CVSS 8.2 reflects the easy remote exploitation path despite limited confidentiality impact.
Denial Of Service
-
CVE-2026-41068
HIGH
CVSS 7.7
Cross-namespace privilege escalation in Kyverno 1.17.x allows authenticated namespace administrators to bypass RBAC controls and read ConfigMaps from any Kubernetes namespace. The vulnerability exploits unvalidated `configMap.namespace` field in Kyverno's ConfigMap context loader, enabling attackers to leverage Kyverno's privileged service account permissions. This is a regression following incomplete fix for CVE-2026-22039, which addressed the same issue in `apiCall` context but missed the ConfigMap loader. Patch available in version 1.17.2. CVSS 7.7 with Changed Scope indicates significant multi-tenant cluster risk; EPSS data not available but the regression nature and RBAC bypass impact warrant immediate patching in multi-tenant environments.
Authentication Bypass
Privilege Escalation
Kubernetes
Suse
-
CVE-2026-41044
HIGH
CVSS 8.8
Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Spring XML contexts that execute arbitrary code on the broker's JVM. Attackers exploit improper broker name validation to embed xbean bindings, then trigger VM transport creation via DestinationView mbean to load remote Spring XML files containing malicious bean factory methods like Runtime.exec(). EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability despite CVSS 8.8, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patches available: versions 5.19.6 and 6.2.5 address the vulnerability.
RCE
Apache
Java
Red Hat
-
CVE-2026-40912
HIGH
CVSS 7.8
Authentication bypass in Traefik's StripPrefixRegex middleware allows unauthenticated remote attackers to access protected resources when combined with ForwardAuth, BasicAuth, or DigestAuth. By inserting a percent-encoded dot (%2e) in the URL prefix, attackers exploit a length mismatch between decoded path matching and encoded path slicing, causing ForwardAuth to receive a dot-segment path (/./admin/secret) that bypasses protection rules while backend servers normalize it to the protected path (/admin/secret). Confirmed with working proof-of-concept against Traefik v3.6.11. Patches released for v2.11.43, v3.6.14, and v3.7.0-rc.2. No CVSS score assigned yet, but meets criteria for high severity given complete authentication bypass with network attack vector requiring no privileges or user interaction.
Authentication Bypass
Java
Docker
Red Hat
Suse
-
CVE-2026-40466
HIGH
CVSS 8.8
Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath.
RCE
Apache
Java
Red Hat
-
CVE-2026-40068
HIGH
CVSS 7.7
Claude Code's trust bypass vulnerability allows execution of malicious hooks through manipulated git worktree configuration files. Attackers who can trick victims into cloning a crafted repository can bypass the folder trust dialog by pointing the `commondir` file to a previously-trusted path, enabling immediate execution of arbitrary code via `.claude/settings.json` hooks. The attack requires the attacker to know or correctly guess a path the victim has already trusted, limiting exploitation to targeted scenarios. Auto-update users have already received the patch; manual installation users should upgrade immediately.
Authentication Bypass
-
CVE-2026-39858
HIGH
CVSS 7.8
Authentication bypass in Traefik Proxy's ForwardAuth and snippet-based authentication middleware allows remote unauthenticated attackers to access protected routes by exploiting incomplete header sanitization. Traefik sanitizes canonical forwarded headers (X-Forwarded-Proto) but fails to strip underscore-based aliases (X_Forwarded_Proto). When authentication backends normalize these header variants equivalently, attackers can inject spoofed trust context through alias headers to satisfy authentication checks without valid credentials. Patches released for versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No public exploit identified at time of analysis, though the detailed technical disclosure in the GitHub advisory provides sufficient implementation details for reproduction.
Authentication Bypass
Red Hat
Canonical
Suse
-
CVE-2026-39816
HIGH
CVSS 7.5
Apache NiFi TinkerpopClientService allows authenticated high-privilege users to execute arbitrary code without proper permission validation. The service fails to enforce required Execute Code permissions, enabling privilege escalation within the NiFi environment. While CVSS scores this at 7.5 (High), real-world risk requires authenticated high-privilege access (PR:H), significantly limiting the attack surface to compromised admin accounts or malicious insiders. No public exploit code has been identified, and CISA KEV does not list this vulnerability, suggesting no confirmed active exploitation at time of disclosure.
Authentication Bypass
Apache
Deserialization
-
CVE-2026-35051
HIGH
CVSS 7.8
Authentication bypass in Traefik's ForwardAuth middleware allows remote attackers to spoof the X-Forwarded-Prefix header and gain unauthorized access to protected backend routes when deployed behind trusted upstream proxies. Despite trustForwardHeader=false configuration, Traefik fails to sanitize attacker-controlled X-Forwarded-Prefix values in authentication subrequests, enabling attackers to impersonate trusted path prefixes (e.g., /admin) and bypass authorization checks in the authentication service. The vulnerability affects Traefik v2.x and v3.x series and is confirmed patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No KEV listing or EPSS data available at time of analysis, but a detailed proof-of-concept with complete Docker reproduction environment is publicly available in the GitHub advisory, significantly lowering exploitation complexity for attackers.
Authentication Bypass
Python
Docker
Nginx
Red Hat
-
CVE-2026-33666
HIGH
CVSS 7.5
Integer overflow in Zserio serialization framework versions before 2.18.1 enables remote denial of service via network-accessible deserialization endpoints. Attackers can send crafted serialized data that triggers arithmetic overflow in BitStreamReader's setBitPosition() bounds check, causing the parser to read 512 MB from a buffer only a few bytes long and crash the process with a segmentation fault. EPSS data not available, no active exploitation confirmed, but the remote unauthenticated attack vector (CVSS AV:N/PR:N) makes this immediately exploitable against any application accepting untrusted Zserio-serialized input over network interfaces.
Buffer Overflow
Integer Overflow
-
CVE-2026-33662
HIGH
CVSS 7.5
Integer overflow in OP-TEE OS RSA signature encoding crashes the Trusted Execution Environment on platforms with RSA hardware acceleration. Affects versions 3.8.0 through 4.10 when attackers supply cryptographic operations with deliberately undersized RSA moduli, causing memset() to overwrite memory until the TEE crashes. This denial-of-service attack requires no authentication and can be triggered remotely (CVSS AV:N/PR:N), completely disabling the secure-world environment that protects cryptographic keys, biometric data, and DRM operations on affected Arm TrustZone systems. EPSS data not available; no active exploitation confirmed at time of analysis.
Denial Of Service
Linux
Integer Overflow
-
CVE-2026-33524
HIGH
CVSS 7.5
Unbounded memory allocation in Eclipse zserio serialization framework allows remote attackers to trigger system crashes via crafted payloads as small as 4-5 bytes, forcing allocations up to 16 GB and causing out-of-memory errors. Affects both C++ and Java runtimes used in Navigation Data Standard (NDS) implementations deployed across millions of vehicles from Toyota, BMW, Volkswagen, Mercedes-Benz, and 39 other automotive manufacturers. Vendor-released patch available in zserio v2.18.1, addressing unchecked length parameters in Array.h, BitStreamReader.h, and Java runtime equivalents. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation without authentication.
Denial Of Service
Java
Docker
-
CVE-2026-33317
HIGH
CVSS 8.7
Out-of-bounds read and write in OP-TEE OS PKCS#11 Trusted Application (versions 3.13.0-4.10.0) allows authenticated local attackers with low privileges to read up to 7 bytes beyond heap boundaries and write arbitrary attribute values outside allocated buffers, potentially compromising the integrity and confidentiality of the Trusted Execution Environment. The vulnerability affects Arm TrustZone-based TEE implementations running alongside Linux kernels on Cortex-A cores. Patches available in three upstream commits targeting version 4.11.0. EPSS data not provided; no CISA KEV status indicating targeted rather than widespread exploitation. CVSS 8.7 reflects high confidentiality/integrity impact with scope change, representing potential TEE compromise from the normal world.
Buffer Overflow
Information Disclosure
Linux
-
CVE-2026-33208
HIGH
CVSS 7.4
Command injection in Roxy-WI versions prior to 8.2.6.4 enables authenticated attackers to execute arbitrary OS commands with sudo privileges on managed servers. The vulnerability stems from unsanitized input in the /config/<service>/find-in-config endpoint that breaks out of grep command context during remote SSH execution. A proof-of-concept exploit exists (CVSS E:P), and the CVSS 4.0 score of 7.4 reflects network-based attack with low complexity requiring only low-privilege authentication. Vendor-released patch 8.2.6.4 available via GitHub commit 02f147d.
RCE
Apache
Command Injection
Nginx
-
CVE-2026-33078
HIGH
CVSS 8.9
SQL injection in Roxy-WI versions before 8.2.6.4 allows remote unauthenticated attackers to execute arbitrary SQL commands via the server_ip parameter in the haproxy_section_save function. The vulnerability stems from unsanitized URL path parameters being directly interpolated into SQL queries using Python string formatting. Proof-of-concept code exists (CVSS E:P), and the CVSS 4.0 score of 8.9 with network vector (AV:N), low complexity (AC:L), and no authentication (PR:N) indicates a critical, easily exploitable vulnerability. Vendor-released patch available in version 8.2.6.4.
Python
Apache
SQLi
Nginx
-
CVE-2026-33077
HIGH
CVSS 7.7
Arbitrary file read in Roxy-WI versions before 8.2.6.4 allows unauthenticated remote attackers to access sensitive files on the server via path traversal in the oldconfig parameter of the haproxy_section_save interface. This CVSS:4.0 vector indicates zero attack complexity and no prerequisites, enabling trivial exploitation to exfiltrate configuration files, credentials, or private keys. GitHub Security Advisory confirms the vulnerability with proof-of-concept exploitation status (E:P), representing immediate risk for exposed Roxy-WI management interfaces.
Apache
Path Traversal
Nginx
-
CVE-2026-33076
HIGH
CVSS 8.9
Remote code execution in Roxy-WI versions before 8.2.6.4 allows unauthenticated attackers to write malicious code into scheduled tasks via path traversal in the haproxy_section_save interface. The vulnerability chains CWE-22 path traversal with cron job manipulation, enabling arbitrary command execution on servers managing HAProxy, Nginx, Apache, and Keepalived infrastructure. CVSS 8.9 with network attack vector and no privileges required indicates critical risk, though EPSS data and KEV status are unavailable to confirm active exploitation.
RCE
Apache
Path Traversal
Nginx
-
CVE-2026-31952
HIGH
CVSS 7.6
SQL injection in Xibo CMS versions 1.7 through 4.4.0 allows authenticated users with DataSet or Layout access privileges to extract and modify arbitrary database contents via crafted API filter parameters. The vulnerability affects a widely-deployed open source digital signage platform and has been addressed in version 4.4.1, with patches retroactively provided for out-of-support versions (3.3, 2.3, 1.8) indicating vendor awareness of active deployments on legacy versions. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with the broad version range (nearly 7 years of releases) suggest significant exposure across installations.
SQLi
Microsoft
-
CVE-2026-31667
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - fix circular locking dependency with ff-core
A lockdep circular locking dependency warning can be triggered
reproducibly when using a force-feedback gamepad with uinput (for
example, playing ELDEN RING under Wine w...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31666
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()
After commit 1618aa3c2e01 ("btrfs: simplify return variables in
lookup_extent_data_ref()"), the err and ret variables were merged into
a single ret ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31665
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: fix use-after-free in timeout object destroy
nft_ct_timeout_obj_destroy() frees the timeout object with kfree()
immediately after nf_ct_untimeout(), without waiting for an RCU grace
period. Concurrent packet pro...
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31663
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
xfrm: hold dev ref until after transport_finish NF_HOOK
After async crypto completes, xfrm_input_resume() calls dev_put()
immediately on re-entry before the skb reaches transport_finish.
The skb->dev pointer is then used inside NF...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31662
HIGH
CVSS 7.5
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements
bc_ackers on every inbound group ACK, even when the same member has
already acknowledged the current bro...
Information Disclosure
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-31656
HIGH
CVSS 7.8
Local privilege escalation in the Linux kernel's i915 graphics driver allows authenticated users to trigger a use-after-free condition via a race between the heartbeat worker and intel_engine_park_heartbeat() function when releasing engine heartbeat requests. The vulnerability stems from a non-atomic pointer read-and-clear operation that permits double-free of the same request object, causing refcount underflow and potential arbitrary code execution with elevated privileges. Patches are available across multiple stable kernel branches (5.15.203, 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit or active exploitation has been identified at time of analysis.
Information Disclosure
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-31652
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/stat: deallocate damon_call() failure leaking damon_ctx
damon_stat_start() always allocates the module's damon_ctx object
(damon_stat_context). Meanwhile, if damon_call() in the function fails,
the damon_ctx object is no...
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31650
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
mmc: vub300: fix use-after-free on disconnect
The vub300 driver maintains an explicit reference count for the
controller and its driver data and the last reference can in theory be
dropped after the driver has been unbound.
This ...
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31648
HIGH
CVSS 7.8
Race condition in Linux kernel memory management allows local attackers with low privileges to corrupt kernel page state, potentially achieving high-impact denial of service, data corruption, or privilege escalation. The vulnerability affects kernel versions 6.6.x through 7.0-rc3, with patches confirmed released for stable branches 6.6.135, 6.12.82, 6.18.23, 6.19.13, and mainline 7.0. EPSS exploitation probability is low (0.02%, 5th percentile), and no public exploit code or active exploitation has been identified at time of analysis. The CVSS vector (AV:L/AC:L/PR:L/UI:N) indicates local access with low attack complexity, while the specific race condition requires precise timing between file mapping and inode size modification operations.
Denial Of Service
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-31644
HIGH
CVSS 7.8
Use-after-free in Linux kernel's lan966x network driver allows local authenticated attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The flaw occurs in lan966x_fdma_reload() when RX buffer allocation fails: freed pages remain referenced by active DMA descriptors, causing hardware to write into memory now controlled by other kernel subsystems. Vendor patches available for stable branches 6.12.82, 6.18.23, 6.19.13, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis, but successful exploitation grants kernel-level privileges to local attackers.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31641
HIGH
CVSS 7.8
Heap buffer overflow in Linux kernel rxrpc subsystem allows local authenticated users to trigger memory corruption via crafted RxGK tokens. Exploitable through unprivileged add_key() system call when raw key/ticket lengths >= 0xfffffffd cause integer wraparound in round_up(), bypassing bounds checks while memcpy() copies up to 4 GiB into zero-sized heap allocation. Vendor patches available for stable branches 6.18.23, 6.19.13, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite local privilege escalation potential with CVSS 7.8.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31640
HIGH
CVSS 7.5
Linux kernel rxrpc subsystem allows remote denial of service via malformed RESP challenge packets due to incorrect serial number comparison logic. The rxrpc_post_response() function compares challenge serial numbers from the wrong packet structure, causing response queue corruption that can crash the kernel networking stack. This affects Linux kernel versions containing commit 5800b1cf3fd8 through the 6.16-6.19 and 7.0 series. Patches are available from kernel.org for affected stable branches. EPSS exploitation probability is very low (0.02%, 4th percentile) and no public exploits or active exploitation have been identified, suggesting limited real-world risk despite the network-accessible attack vector.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31638
HIGH
CVSS 7.5
Null pointer dereference in Linux kernel rxrpc subsystem allows remote network attackers to crash the system by sending malformed packets to a client-side connection after a call has been torn down. The flaw affects Linux kernel versions 6.2 onward where the rxrpc client code unconditionally releases a call reference that was never acquired, converting a protocol error into a kernel panic. Vendor patches are available across stable branches (6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile) and no public exploit has been identified at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31635
HIGH
CVSS 7.5
Remote denial of service in Linux kernel rxrpc subsystem allows unauthenticated network attackers to trigger kernel crash via malformed rxgk RESPONSE packets. An inverted length check in rxgk_verify_response() accepts oversized authenticators, causing skb_to_sgvec() to hit BUG_ON() and panic the kernel. EPSS exploitation probability is very low (0.02%, 4th percentile), no active exploitation confirmed, and patches are available across stable kernel branches 6.18.23, 6.19.13, and 7.0.
Information Disclosure
Linux
-
CVE-2026-31631
HIGH
CVSS 8.2
Buffer overread in Linux kernel's rxgk_do_verify_authenticator() function allows remote unauthenticated attackers to trigger information disclosure and high-availability denial of service through network-accessible RxGK authentication handling. The vulnerability stems from improper buffer size validation before nonce verification in the RxRPC subsystem. Patches are available from the Linux kernel stable tree (versions 6.19.13, 6.18.23, and 7.0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC has been identified. Despite the high CVSS base score of 8.2, real-world risk appears limited to environments using RxRPC with RxGK authentication.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31630
HIGH
CVSS 7.8
Buffer overflow in Linux kernel's AF_RXRPC procfs address formatting allows local authenticated users to corrupt memory and potentially escalate privileges. The vulnerability affects rxrpc proc handlers that write IPv6 socket addresses into 50-byte stack buffers, but ISATAP-format IPv6 addresses with ports can require 51 bytes, causing single-byte overflow. EPSS exploitation probability is low (0.02%, 4th percentile), and patches are available from kernel.org for versions 6.18.23, 6.19.13, and mainline 7.0. No active exploitation confirmed (not in CISA KEV), and CVSS 7.8 reflects local-only attack vector requiring authenticated access.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31629
HIGH
CVSS 8.8
Use-after-free in Linux kernel NFC LLCP implementation allows adjacent-network attackers to execute arbitrary code with kernel privileges. The flaw occurs when socket state is LLCP_CLOSED in nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), where missing return statements cause double release_sock() and refcount underflow, leading to memory corruption. Vendor-released patches available for stable kernels 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC confirmed at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31627
HIGH
CVSS 7.8
Buffer overflow in Linux kernel's s3c24xx I2C driver allows local authenticated attackers to achieve arbitrary code execution with high privileges through malformed SMBUS block read messages. The driver fails to validate message length against I2C_SMBUS_BLOCK_MAX before processing, enabling out-of-bounds memory access. Vendor patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% suggests low observed exploitation activity, with no CISA KEV listing indicating targeted rather than widespread attacks. Attack requires local access and low-level user privileges (CVSS AV:L/PR:L), limiting practical exploitability compared to the high CVSS 7.8 base score.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31626
HIGH
CVSS 7.1
Uninitialized memory read in Linux kernel's rtl8723bs Wi-Fi driver allows adjacent network attackers to cause denial of service or potentially corrupt integrity through malformed BIP (Broadcast/Multicast Integrity Protocol) frames. The vulnerability affects the staging rtl8723bs driver where only 6 bytes are copied into an 8-byte variable during BIP verification, leaving 2 bytes uninitialized. Patches available across multiple stable kernel versions (6.12.83, 6.18.24, 6.19.14, 7.0.1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. Not listed in CISA KEV, and no public exploit identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31622
HIGH
CVSS 8.8
Heap buffer overflow in Linux kernel NFC-A digital target driver allows adjacent-network attackers to corrupt memory and potentially execute code. A malicious NFC peer device can trigger unbounded cascade loops during anti-collision protocol, writing beyond the 10-byte nfcid1 buffer with each iteration. EPSS score of 0.02% (5th percentile) indicates low likelihood of mass exploitation, but the adjacent attack vector (AV:A) limits exposure to proximity-based attacks. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14, 7.0.1). No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31614
HIGH
CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix off-by-8 bounds check in check_wsl_eas()
The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA
name and value, but ea_data sits at offset sizeof(struct
smb2_file_full_ea_info) = 8 from ea, not at o...
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31613
HIGH
CVSS 8.1
Out-of-bounds heap read in Linux kernel SMB client allows malicious SMB servers to leak kernel memory to userspace via crafted symlink error responses. When processing STATUS_STOPPED_ON_SYMLINK errors in SMB 3.1.1, inadequate bounds checking in smb2_check_message() and symlink_data() allows server-controlled ErrorDataLength values to trigger reads beyond buffer boundaries. The leaked heap bytes are UTF-16-decoded into the symlink target and exposed through readlink(2) syscalls (confidentiality impact), with potential for denial-of-service through memory corruption (availability impact). CVSS 8.1 (High) requires user interaction. EPSS score is very low at 0.02% (5th percentile), indicating minimal observed exploitation activity. Patches available in kernel versions 6.18.24, 6.19.14, and 7.0.1.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31612
HIGH
CVSS 7.5
Information disclosure in Linux kernel's ksmbd SMB server allows remote unauthenticated attackers to leak uninitialized heap memory via malformed SMB2 requests. The vulnerability exists in smb2_get_ea() which fails to validate EaNameLength from client requests before using it in strncmp(), enabling heap content extraction. With EPSS score of 0.02% and no KEV listing, exploitation likelihood remains low despite CVSS 7.5 rating. Patches available across kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31611
HIGH
CVSS 8.6
Out-of-bounds read in Linux kernel's ksmbd SMB server allows remote unauthenticated attackers to manipulate file permissions by crafting malicious ACE SIDs with insufficient sub-authorities, triggering parse_dacl() to read 4 bytes past the ACL buffer boundary and apply those arbitrary bytes as POSIX file mode bits. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit identified at time of analysis. Vendor-released patches available across stable kernel branches (6.12.83, 6.18.24, 6.19.14, 7.0.1).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31602
HIGH
CVSS 7.8
Memory access violation in Linux kernel ALSA ctxfi driver allows local authenticated users to trigger kernel page faults and potential privilege escalation. The flaw affects CT20K2 audio hardware drivers (snd_ctxfi module) where virtual memory mapping logic incorrectly accesses beyond allocated page table pages when aggregate memory allocations exceed 2MB on AMD64 systems. EPSS exploitation probability is very low (0.02%, 5th percentile) and no public exploit or active exploitation is confirmed. Vendor-released patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14, 7.0.1).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31600
HIGH
CVSS 7.5
Kernel panic in Linux arm64 memory management causes system crash when handling invalid large leaf page table mappings during DMA bounce buffer operations. ARM64 systems running Linux 7.0-rc4 and earlier (specifically kernels with commit a166563e7ec37 that introduced large block mapping support) crash with translation faults when components like SWIOTLB, secretmem, kfence, or realm DMA attempt to invalidate large leaf mappings. Exploitation requires no special privileges as this is triggered by normal kernel operations during boot or DMA activity. Vendor patches available across stable branches (6.18.24, 6.19.14, 7.0.1). EPSS score is 1st percentile (0.01%) indicating extremely low observed exploitation probability, consistent with this being an availability issue requiring specific ARM64 hardware configurations rather than a remotely exploitable vulnerability.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31598
HIGH
CVSS 7.5
Kernel deadlock in Linux OCFS2 filesystem allows remote denial of service through lock ordering violation between unlink and direct I/O operations. OCFS2's orphan directory locking in ocfs2_unlink and ocfs2_dio_end_io_write acquire ip_alloc_sem and inode_lock in opposite orders (ABBA pattern), enabling concurrent operations to deadlock the system. Affects mainline Linux kernel through 6.19.14 with patches available in 6.12.83, 6.18.24, 7.0.1, and 6.19.14. EPSS score of 0.02% suggests minimal real-world exploitation likelihood despite CVSS 7.5 score, and no active exploitation or public POC identified.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31597
HIGH
CVSS 7.8
Use-after-free in Linux kernel OCFS2 filesystem enables local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability occurs when filemap_fault() drops mmap_lock before returning VM_FAULT_RETRY, allowing concurrent munmap() to free the vm_area_struct while ocfs2_fault() still holds a dangling pointer. Vendor patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31588
HIGH
CVSS 8.8
Use-after-free in Linux kernel KVM x86 MMIO emulation allows local authenticated users with low privileges to potentially execute arbitrary code, escalate privileges, or cause denial of service. The flaw occurs when KVM's emulator initiates MMIO writes using on-stack variables that cross page boundaries between two MMIO pages, creating dangling pointers when fragments are processed across separate KVM_RUN calls, especially when different tasks handle subsequent runs. EPSS exploitation probability is very low (0.02%, 5th percentile), and vendor patches are available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. No active exploitation or public POC identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31587
HIGH
CVSS 7.8
Use-after-free in Linux kernel q6apm audio driver allows local authenticated attackers with low privileges to achieve arbitrary code execution, denial of service, or information disclosure with high impact to confidentiality, integrity, and availability. The flaw affects Qualcomm ASoC q6apm component registration code used in devices like Lenovo 21N2ZC5PUS laptops. Vendor-released patches are available across multiple kernel version branches (6.12.83, 6.18.24, 6.19.14, 7.0.1). EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation despite high CVSS 7.8, with no confirmed active exploitation or public POC identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31586
HIGH
CVSS 7.8
Use-after-free in Linux kernel blk-cgroup subsystem allows local authenticated users to potentially execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in cgwb_release_workfn() when releasing cgroup writeback structures, where a CSS reference is dropped before subsequent dereference, creating a race condition. Meta reports sporadic crashes in production across multiple kernel versions. Patches available for stable branches 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% suggests low widespread exploitation probability, and no active exploitation or public POC identified at time of analysis.
Denial Of Service
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31584
HIGH
CVSS 7.8
Use-after-free in Linux kernel MediaTek video encoder allows local authenticated users to corrupt memory and potentially execute arbitrary code. The flaw affects the vcodec driver's encoder release path where ctx memory is freed before canceling scheduled workqueue tasks, enabling race conditions between cleanup and worker threads that may dereference freed memory. KASAN-confirmed exploitation requires local access with low privileges (CVSS AV:L/PR:L). Patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) indicates very low probability of automated exploitation, with no public exploit identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31583
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
media: em28xx: fix use-after-free in em28xx_v4l2_open()
em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,
creating a race with em28xx_v4l2_init()'s error path and
em28xx_v4l2_fini(), both of which free the em28xx_v4l2 ...
Denial Of Service
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31582
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (powerz) Fix use-after-free on USB disconnect
After powerz_disconnect() frees the URB and releases the mutex, a
subsequent powerz_read() call can acquire the mutex and call
powerz_read_data(), which dereferences the freed U...
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31581
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
ALSA: 6fire: fix use-after-free on disconnect
In usb6fire_chip_abort(), the chip struct is allocated as the card's
private data (via snd_card_new with sizeof(struct sfire_chip)). When
snd_card_free_when_closed() is called and no ...
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31580
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
bcache: fix cached_dev.sb_bio use-after-free and crash
In our production environment, we have received multiple crash reports
regarding libceph, which have caught our attention:
```
[6888366.280350] Call Trace:
[6888366.280452] ...
```
Denial Of Service
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31578
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
media: as102: fix to not free memory after the device is registered in as102_usb_probe()
In as102_usb driver, the following race condition occurs:
```
CPU0 CPU1
as102_usb_probe()
kzalloc(); // alloc as102_dev_t
....
u...
```
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31576
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
media: hackrf: fix to not free memory after the device is registered in hackrf_probe()
In hackrf driver, the following race condition occurs:
```
CPU0 CPU1
hackrf_probe()
kzalloc(); // alloc hackrf_dev
....
v4l2_devic...
```
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31570
HIGH
CVSS 8.8
Out-of-bounds heap write in Linux kernel CAN gateway CRC8 checksum processing allows adjacent network attackers to corrupt kernel memory and potentially achieve code execution. The cgw_csum_crc8_rel() function in the CAN gateway subsystem uses raw negative index values instead of bounds-checked variables when accessing canfd_frame data, enabling writes up to 56 bytes before the heap object. Exploitation requires CAP_NET_ADMIN capability to configure CAN gateway CRC8 checksums. EPSS exploitation probability is very low (0.02%, 7th percentile) and no active exploitation has been reported. Vendor patches available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31569
HIGH
CVSS 7.3
Out-of-bounds memory access in Linux Kernel's KVM subsystem for LoongArch architecture allows local authenticated attackers with low privileges to read limited kernel memory and cause system crashes. The vulnerability stems from improper handling of empty EIOINTC coremap values in eiointc_update_sw_coremap(), resulting in invalid array indexing into kvm_arch::phyid_map::phys_map[]. While CVSS rates this 7.3 HIGH, the EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation activity. No active exploitation (not in CISA KEV) or public POC has been identified. Vendor patches are available across multiple stable kernel branches (6.18.21, 6.19.11, 7.0, and mainline).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31568
HIGH
CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved:
s390/mm: Add missing secure storage access fixups for donated memory
There are special cases where secure storage access exceptions happen
in a kernel context for pages that don't have the PG_arch_1 bit
set. That bit is set for no...
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31566
HIGH
CVSS 7.8
Use-after-free in Linux kernel AMD GPU driver allows local authenticated users to potentially execute arbitrary code, escalate privileges, or cause denial of service. The amdgpu_amdkfd_submit_ib() function in the AMD KFD (Kernel Fusion Driver) prematurely releases a DMA fence reference before waiting on it, creating a race condition where the fence memory may be freed before use. Vendor-released patches are available for multiple stable kernel branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability is very low at 0.02% (7th percentile), and no public exploit or active exploitation has been identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31563
HIGH
CVSS 7.5
Memory management flaw in Linux kernel's Cadence macb network driver causes kernel warning and potential denial of service. Specifically affects the macb Ethernet driver on ARM64 ZynqMP platforms (kernel versions 6.1+ containing commit 6bc8a5098bf4). The vulnerability stems from calling napi_consume_skb() with IRQs disabled during TX packet cleanup, violating kernel API contracts and potentially causing system instability under network load. EPSS exploitation probability is very low (0.02%, 7th percentile) with vendor-released patches available across all stable kernel branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). No active exploitation or public exploit code identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31558
HIGH
CVSS 8.8
Out-of-bounds array access in Linux kernel KVM subsystem on LoongArch allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or cause denial of service by passing negative cpuid values to kvm_get_vcpu_by_cpuid(). The function lacks bounds checking before indexing phyid_map::phys_map[], enabling read/write beyond array boundaries with container escape potential (CVSS scope change). Vendor patches available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11). EPSS score of 0.02% indicates low automated exploitation likelihood, with no confirmed active exploitation or public POC at time of analysis.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31557
HIGH
CVSS 7.5
A workqueue deadlock in Linux kernel NVMe-over-Fabrics target (nvmet) allows remote denial of service via recursive locking during controller disconnect. The nvmet subsystem's async event handler can trigger reentrant workqueue completion when nvmet_ctrl_free() flushes work on the same queue (nvmet-wq) that invoked it, causing a lockdep-detected recursive lock scenario. EPSS score of 0.02% indicates very low probability of exploitation in the wild. Patches available for kernel versions 6.12.80, 6.18.21, 6.19.11, and mainline 7.0 via upstream commits.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31554
HIGH
CVSS 7.8
Use-after-free in Linux kernel futex subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service via sys_futex_requeue() with mismatched flags. Discovered through automated LLM analysis by Nicholas, this affects kernel versions 6.7 through 6.19.x, with patches available in 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified. The vulnerability requires local access with low-privilege authenticated user credentials (PR:L), making it a post-compromise escalation vector rather than a remote entry point.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31553
HIGH
CVSS 8.8
Address calculation error in Linux kernel KVM on ARM64 allows local authenticated attackers with low privileges to corrupt memory descriptors, potentially enabling container escape or privilege escalation to compromise host integrity and confidentiality. The vulnerability affects KVM's stage-1/stage-2 page table descriptor swapping logic where pointer arithmetic incorrectly multiplies the offset by 8, causing writes to unintended memory locations. Vendor patches available for Linux 6.19.11 and mainline with EPSS exploitation probability at 5th percentile, indicating low observed exploitation despite high CVSS severity.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31552
HIGH
CVSS 7.5
Denial of service via CPU soft lockup in Linux kernel's wlcore Wi-Fi driver (versions 5.10 through 7.0) occurs when memory allocation fails during wireless frame transmission. Incorrect error code return (-EAGAIN instead of -ENOMEM) triggers infinite retry loop while holding critical mutex, causing system unresponsiveness. Vendor-released patches available across all affected stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0). CVSS 7.5 (High) reflects network attack vector with no authentication required, though EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31548
HIGH
CVSS 7.8
Use-after-free race condition in Linux kernel Wi-Fi cfg80211 subsystem allows local authenticated users to trigger kernel crashes or potentially execute code. When a nl80211 socket closes while a peer measurement (PMSR) request is active, concurrent interface teardown can leave a scheduled work item (pmsr_free_wk) that later invokes the driver's abort callback on already-freed interface structures. EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild. Patches available across all supported kernel branches since commit 9bb7e0f24e7e (introduced in Linux 5.0), with fixes released in stable versions 6.1.167, 6.6.130, 6.12.78, 6.18.20, and 6.19.10.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31541
HIGH
CVSS 7.8
Use-after-free in Linux kernel tracing subsystem allows local authenticated attackers to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability occurs when deleting tracing instances with copy_trace_marker enabled, where improper RCU synchronization leaves freed memory accessible. Exploitation requires local access with low privileges to manipulate kernel tracing facilities. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel versions (6.18.20, 6.19.10, 7.0).
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31539
HIGH
CVSS 7.5
Race condition in Linux kernel SMB Direct receive credit management allows remote denial of service against SMB3 network storage services. The flaw enables remote unauthenticated attackers to exhaust receive buffer credits through timing exploitation of the gap between hardware packet reception and completion processing, causing service disruption. EPSS exploitation probability is low (0.02%, 4th percentile), and patches are available from kernel.org for versions 6.18.x, 6.19.x, and 7.0. This affects only systems using SMB Direct (RDMA-enabled SMB3), not standard SMB implementations.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31538
HIGH
CVSS 7.5
Denial of service in Linux kernel SMB server (ksmbd) affects versions 6.18 through 7.0-rc via race condition in SMBDirect receive credit management. Remote unauthenticated attackers can trigger resource exhaustion through crafted SMB packets exploiting the window between hardware reception and completion processing. Vendor patches released for stable branches 6.18.11, 6.19.1, and mainline 7.0. Low EPSS score (0.02%) indicates limited exploitation interest despite network attack vector and no authentication requirement.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-23902
HIGH
CVSS 8.1
Tenant authorization bypass in Apache DolphinScheduler versions before 3.4.1 allows authenticated low-privilege users to execute workflows using arbitrary tenant configurations not assigned to their account, exposing high confidentiality and integrity risks. The vulnerability (CWE-863: Incorrect Authorization) enables privilege escalation through tenant context manipulation during workflow execution. Despite a CVSS score of 8.1, EPSS probability is low (0.02%, 4th percentile) with no active exploitation confirmed. Vendor patch is available in version 3.4.1.
Authentication Bypass
Apache
Deserialization
-
CVE-2026-21728
HIGH
CVSS 7.5
Denial of service in Grafana Tempo allows unauthenticated remote attackers to exhaust server memory by sending trace queries with excessively large result limits. The vulnerability causes unbounded memory allocation during query processing, degrading or halting service availability depending on deployment resources. EPSS data not available; no CISA KEV listing or public exploit identified at time of analysis. Mitigation available through configuration change rather than software patch.
Denial Of Service
Red Hat
-
CVE-2026-6968
HIGH
CVSS 7.1
Path traversal vulnerabilities in AWS Tough (a Rust TUF client library) versions prior to 0.22.0 enable authenticated users with delegated signing privileges to write arbitrary files outside intended repository directories, bypassing incomplete fixes from previous security patches. The flaws exist in three distinct code paths: absolute target names in copy_target/link_target operations, symlinked parent directories in save_target, and symlinked metadata filenames in SignedRole::write. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0 that implement post-resolution path containment verification. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 7.1 HIGH reflects significant integrity impact when exploited.
Path Traversal
-
CVE-2026-6967
HIGH
CVSS 7.1
Metadata integrity bypass in AWS tough (TUF client library) before v0.22.0 allows authenticated users with delegated signing authority to poison local metadata caches by bypassing expiration, hash, and length validation checks. The vulnerability exists because load_delegations skips specification-mandated integrity checks applied to top-level targets metadata, enabling malicious delegated signers to inject invalid metadata. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0. CVSS 7.1 reflects network vector but high attack complexity (AT:P indicates specialized conditions). No public exploit or active exploitation confirmed at time of analysis, though authentication bypass tag suggests significant trust boundary violation.
Authentication Bypass
-
CVE-2026-6966
HIGH
CVSS 7.0
Signature duplication in AWS Tough TUF client prior to v0.22.0 allows authenticated attackers to bypass threshold signature requirements for delegated role metadata by reusing a single valid signature multiple times. The flaw undermines TUF's multi-signature integrity model, enabling acceptance of forged metadata with reduced cryptographic validation. Vendor patch available (tough-v0.22.0, tuftool-v0.15.0). No public exploit code or active exploitation confirmed at time of analysis, but CVSS 7.0 reflects high integrity impact to both vulnerable and downstream systems.
Authentication Bypass
Jwt Attack
-
CVE-2026-6947
HIGH
CVSS 8.7
Brute-force protection bypass in D-Link DWM-222W USB Wi-Fi Adapter allows remote unauthenticated attackers to perform unlimited authentication attempts against the device's login interface. The vulnerability eliminates rate limiting controls, enabling adversaries to systematically guess credentials until device takeover is achieved. CVSS 8.7 reflects the high integrity impact (VI:H) from potential device compromise, though no public exploit code has been identified and CISA has not flagged active exploitation.
Authentication Bypass
D-Link
-
CVE-2026-6912
HIGH
CVSS 8.7
Authenticated users with low privileges can escalate to deployment admin in AWS Ops Wheel (pre-PR #165) by manipulating the custom:deployment_admin attribute through crafted UpdateUserAttributes API calls to Cognito User Pool. This privilege escalation allows full control over Cognito user account management and deployment administration. Upstream fix available via GitHub PR #165; AWS security bulletin AMZN-2026-018 confirms patch availability. No active exploitation confirmed (not in CISA KEV), but CVSS 8.7 reflects critical impact across confidentiality, integrity, and availability.
Privilege Escalation
-
CVE-2026-6272
HIGH
CVSS 8.5
Eclipse KUKSA Databroker 0.5.0-0.6.0 allows privilege escalation from read-only JWT tokens to signal provider registration. Attackers with valid read-scope tokens can hijack the kuksa.val.v2 OpenProviderStream API to inject forged sensor/telemetry data into the vehicle data bus, poisoning downstream automotive systems and applications. CVSS 8.5 (High) reflects high integrity and availability impact across system and subsequent components. No active exploitation confirmed (not in CISA KEV), but the attack complexity is low and requires only low-privilege authentication.
Authentication Bypass
-
CVE-2026-6043
HIGH
CVSS 8.8
Helix Core Server (P4D) before 2026.1 ships with insecure default configurations allowing remote unauthenticated attackers to create arbitrary user accounts, enumerate users, authenticate without passwords, and access repository contents via the built-in 'remote' user. EPSS score of 0.06% (19th percentile) suggests low observed exploitation attempts despite the high CVSS 8.8 score and SSVC classification as automatable with partial impact. No active exploitation confirmed (not in CISA KEV). Perforce reports this as vendor-disclosed with secure-by-default enforced in version 2026.1.
Authentication Bypass
-
CVE-2026-5367
HIGH
CVSS 8.6
Heap over-read in Open Virtual Network (OVN) DHCPv6 client ID processing allows remote unauthenticated attackers to extract sensitive memory contents across network boundaries. The vulnerability affects OVN's DHCPv6 implementation and carries a CVSS score of 8.6 with scope change, enabling cross-tenant information disclosure in multi-tenant virtualized environments. Public advisory released via oss-security mailing list on 2026-04-20, though no confirmed active exploitation or public POC identified at time of analysis.
Information Disclosure
-
CVE-2026-5364
HIGH
CVSS 8.1
Remote code execution in Drag and Drop File Upload for Contact Form 7 plugin (≤1.1.3) allows unauthenticated attackers to upload arbitrary PHP files via a sanitization bypass vulnerability. The flaw exploits a race condition where file extension validation occurs on unsanitized input while the file saves with a sanitized extension, enabling special characters like '$' to be stripped mid-process. Exploitability is constrained by .htaccess restrictions and filename randomization, reducing real-world risk despite the 8.1 CVSS score. EPSS data not available; no active exploitation or POC publicly confirmed at time of analysis.
PHP
WordPress
RCE
File Upload
-
CVE-2026-42095
MEDIUM
CVSS 4.0
KDE Arianna's bookserver before version 26.04.1 allows local attackers to read arbitrary files over socket connections by guessing URLs without authentication, exploiting missing input validation on the bookserver endpoint. The vulnerability requires local access and does not affect confidentiality of other system components; no public exploit code or active exploitation has been identified.
Authentication Bypass
Suse
-
CVE-2026-42044
MEDIUM
CVSS 6.5
Prototype pollution in Axios JSON parsing allows attackers to manipulate JSON API responses through Object.prototype pollution in the dependency tree, enabling privilege escalation, balance manipulation, and authorization bypass on applications using affected versions 1.0.0 through 1.15.1. The vulnerability exploits the parseReviver callback parameter in the default transformResponse function, which processes every key-value pair in JSON responses without validation, permitting surgical modification of individual response values while remaining invisible to the application logic.
Privilege Escalation
Node.js
Red Hat
-
CVE-2026-42042
MEDIUM
CVSS 5.4
Axios HTTP client versions prior to 1.15.1 and 0.31.1 use loose truthy/falsy comparison instead of strict boolean checks for the withXSRFToken config property, allowing XSRF tokens to be sent to cross-origin servers when the property is set to any truthy non-boolean value through prototype pollution or misconfiguration. This bypasses same-origin validation and enables attackers to exfiltrate XSRF tokens to attacker-controlled domains, compromising CSRF protection across applications using vulnerable versions.
Information Disclosure
Node.js
Red Hat
-
CVE-2026-42041
MEDIUM
CVSS 4.8
Prototype pollution in Axios library versions prior to 1.15.1 and 0.31.1 allows remote attackers to suppress HTTP error responses via pollution of Object.prototype.validateStatus, causing authentication failures and server errors to be silently treated as successful responses. The vulnerability requires high attack complexity (prototype pollution gadget chain) but enables complete bypass of application-level authentication and error handling without user interaction.
Authentication Bypass
Node.js
Red Hat
Suse
-
CVE-2026-42039
MEDIUM
CVSS 6.9
Denial of service in Axios HTTP client before versions 1.15.1 and 0.31.1 allows remote unauthenticated attackers to crash Node.js processes by sending requests with deeply nested object structures that trigger unbounded recursion in the toFormData function. The vulnerability affects both browser and Node.js environments but is exploitable in server-side Node.js deployments where attacker-controlled data is passed to toFormData without depth validation.
Denial Of Service
Node.js
Red Hat
-
CVE-2026-42038
MEDIUM
CVSS 6.8
Axios versions prior to 1.15.1 and 0.31.1 fail to bypass the proxy for loopback addresses when no_proxy=localhost is set, so requests to 127.0.0.1 and [::1] are routed through proxy servers instead of going direct. This Server-Side Request Forgery (SSRF) vulnerability arises because the shouldBypassProxy() function performs only string matching without resolving IP aliases or loopback equivalents, potentially exposing internal services to proxy interception or manipulation. The CVSS score is 6.8 (high confidentiality impact over changed scope).
SSRF
Node.js
Red Hat
-
CVE-2026-42037
MEDIUM
CVSS 5.3
Axios HTTP client versions 1.0.0 through 1.15.0 allow header injection in multipart form-data bodies through unsanitized CRLF sequences in the Content-Type header of individual parts. An attacker controlling a Blob/File object's .type property (such as via user-uploaded files in a Node.js proxy service) can inject arbitrary MIME headers into the multipart body, bypassing Node.js v18+ built-in header protections. The vulnerability affects network-accessible services and results in integrity compromise through header manipulation.
Authentication Bypass
Node.js
Red Hat
-
CVE-2026-42036
MEDIUM
CVSS 5.3
Axios HTTP client prior to version 1.15.1 (1.x branch) and 0.31.1 (0.x branch) fails to enforce maxContentLength limits when responseType is set to 'stream', allowing attackers to cause denial of service by streaming unbounded response payloads that bypass configured size restrictions. The vulnerability affects both browser and Node.js environments and requires no authentication or user interaction to exploit.
Denial Of Service
Node.js
Red Hat
-
CVE-2026-42034
MEDIUM
CVSS 5.3
Axios versions prior to 1.15.1 and 0.31.1 allow remote attackers to bypass maxBodyLength restrictions on stream request bodies when maxRedirects is set to 0, enabling denial of service through oversized uploads that consume unbounded server resources. The vulnerability affects the native http/https transport path in Node.js environments and enables attackers to send streamed payloads that exceed configured size limits, potentially exhausting memory or bandwidth on the target application.
Denial Of Service
Node.js
Red Hat
-
CVE-2026-41481
MEDIUM
CVSS 6.5
LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default)....
Information Disclosure
SSRF
Red Hat
-
CVE-2026-41472
MEDIUM
CVSS 5.3
CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanH...
XSS
RCE
-
CVE-2026-41426
MEDIUM
CVSS 6.1
Unauthenticated attackers can inject malicious HTML into user-controlled template placeholders in pretalx prior to 2026.1.0, enabling arbitrary HTML-rendered emails to be sent from the conference organizer's legitimate sender address. By registering an account with a crafted display name containing HTML or markdown link syntax and triggering a password reset, an attacker can deliver convincing phishing emails that pass SPF/DKIM/DMARC validation, with user interaction (victim clicking password-reset link) required. This vulnerability is fixed in version 2026.1.0.
XSS
-
CVE-2026-41425
MEDIUM
CVSS 5.4
Cross-site request forgery (CSRF) in Authlib's Starlette OAuth client cache feature (versions prior to 1.6.11) allows unauthenticated remote attackers to forge requests that manipulate cached OAuth state, potentially leading to session hijacking or token theft. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity. Vendor-released patch: version 1.6.11.
Python
CSRF
Red Hat
Suse
-
CVE-2026-41418
MEDIUM
CVSS 5.3
4ga Boards prior to version 3.3.5 leaks valid usernames and email addresses through response timing analysis on the login endpoint. An unauthenticated attacker can distinguish between invalid credentials (where the username/email does not exist) and valid credentials with an incorrect password by measuring response times, with a ~4.4× timing difference detectable in a single request over the network. This enables user enumeration attacks without brute-force constraints, allowing reconnaissance for subsequent account takeover attempts.
Information Disclosure
-
CVE-2026-41415
MEDIUM
CVSS 6.7
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in SIP multipart message body. Insufficient length validation can cause reads beyond the intended buffer bounds. This vulnerabili...
Buffer Overflow
Information Disclosure
Red Hat
-
CVE-2026-41411
MEDIUM
CVSS 6.6
Command injection in Vim's tag file processing allows local attackers to execute arbitrary shell commands with user privileges when resolving tags containing backtick syntax. Versions prior to 9.2.0357 are affected. The vulnerability requires user interaction (opening a crafted tags file or navigating to a tag), but once triggered, grants full command execution capability in the context of the Vim process.
Command Injection
Red Hat
Suse
-
CVE-2026-41319
MEDIUM
CVSS 6.5
STARTTLS response injection in MailKit prior to version 4.16.0 allows man-in-the-middle attackers to downgrade SASL authentication mechanisms by injecting malicious protocol responses before TLS negotiation completes. The vulnerability stems from failure to flush the internal read buffer when upgrading from plaintext to encrypted connections, enabling attackers to force weaker authentication (e.g., PLAIN instead of SCRAM-SHA-256) on affected SMTP, IMAP, and POP3 connections. User interaction is required (establishing a mail connection through the client), and exploitation requires network position to intercept and modify STARTTLS exchanges. Vendor-released patch version 4.16.0 addresses the issue.
Code Injection
-
CVE-2026-41318
MEDIUM
CVSS 5.4
Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject malicious markdown via indirect prompt injection, affecting all other users who view the compromised conversation. The vulnerability stems from unsafe markdown-to-HTML conversion in the Chartable component that bypasses the application's standard DOMPurify sanitization defense-in-depth. Versions prior to 1.12.1 are affected; patch available.
XSS
-
CVE-2026-41317
MEDIUM
CVSS 6.6
Frappe Press `create_api_secret` endpoint accepts GET requests despite performing database writes, enabling Cross-Site Request Forgery (CSRF)-like attacks where unauthenticated remote attackers can create API secrets by tricking authenticated users into visiting a malicious URL. No public exploit code or active exploitation has been confirmed at the time of analysis.
CSRF
-
CVE-2026-41305
MEDIUM
CVSS 6.1
PostCSS versions prior to 8.5.10 fail to escape `</style>` sequences when stringifying CSS Abstract Syntax Trees, allowing cross-site scripting (XSS) attacks when user-submitted CSS is embedded in HTML `<style>` tags. An attacker can inject CSS containing `</style>` sequences in property values to break out of the style context and execute arbitrary JavaScript in the victim's browser. This requires user interaction (UI:R) and affects applications that parse untrusted CSS and re-stringify it for embedding in HTML documents.
XSS
Red Hat
-
CVE-2026-41263
MEDIUM
CVSS 6.3
Traefik's BasicAuth middleware contains a timing side-channel vulnerability that allows attackers to enumerate valid usernames through response-time analysis. A map key/value confusion in the constant-time comparison fallback causes the `notFoundSecret` variable to always resolve to an empty string, causing authentication checks against non-existent users to complete in microseconds (~0.48ms) instead of performing full bcrypt evaluation (~62ms), creating a 130x timing oracle. Attackers can distinguish existing users from non-existent ones by measuring HTTP response times, enabling account enumeration without credentials.
Python
Information Disclosure
Oracle
Red Hat
Suse
-
CVE-2026-41244
MEDIUM
CVSS 4.7
Mojic prior to version 2.1.4 allows attackers to bypass HMAC-SHA256 file integrity verification through a timing attack against the CipherEngine's comparison function. The vulnerability stems from use of a standard equality operator (!== in JavaScript) instead of constant-time comparison during decryption, enabling an attacker with local file access to forge or tamper with emoji-encoded files. While CVSS score is moderate (4.7), the attack requires user interaction and local access, limiting real-world exploitability.
Authentication Bypass
-
CVE-2026-41174
MEDIUM
CVSS 4.8
Traefik versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2 fail to enforce cross-namespace isolation for middleware references nested inside Chain middlewares, allowing actors with permission to create CRDs in their own namespace to bypass the allowCrossNamespace=false restriction and apply middleware from arbitrary namespaces. This authorization bypass affects Kubernetes clusters relying on namespace isolation controls and can enable unauthorized reuse of security-sensitive middleware policies across namespace boundaries.
RCE
Information Disclosure
Kubernetes
Red Hat
Suse
-
CVE-2026-41079
MEDIUM
CVSS 4.3
OpenPrinting CUPS before version 2.4.17 allows network-adjacent attackers to read up to 176 bytes of stack memory via a crafted SNMP response sent to the CUPS SNMP backend, with leaked data visible to authenticated users through IPP Get-Printer-Attributes responses and the web interface. The vulnerability requires adjacency on the network but no authentication, making it a low-severity information disclosure risk in environments where SNMP-enabled printers are accessible from untrusted networks.
Buffer Overflow
Information Disclosure
Red Hat
Suse
-
CVE-2026-41043
MEDIUM
CVSS 6.5
Stored XSS in Apache ActiveMQ and Apache ActiveMQ Web allows authenticated attackers to inject malicious HTML into JMS selector fields, which displays when other users browse queues in the web console. Affects ActiveMQ versions before 5.19.6 and 6.0.0 through 6.2.4; ActiveMQ Web before 5.19.6 and 6.0.0 through 6.2.4. The vulnerability requires valid authentication but no user interaction beyond normal queue browsing, and EPSS indicates very low exploitation probability (0.02%) despite the accessible attack vector.
XSS
Apache
Red Hat
-
CVE-2026-40690
MEDIUM
CVSS 4.3
Apache Airflow versions prior to 3.2.1 allow authenticated users with read access to at least one directed acyclic graph (DAG) to enumerate and discover the names and existence of all other DAGs and assets in the deployment, regardless of their assigned permissions. This information disclosure vulnerability enables privilege escalation reconnaissance by revealing the complete asset topology to users with limited scope authorization. The vulnerability requires valid user credentials but no elevated privileges, and has no known public exploit code at time of analysis.
Information Disclosure
-
CVE-2026-40254
MEDIUM
CVSS 4.2
FreeRDP versions prior to 3.25.0 allow path traversal attacks through an off-by-one error in the drive redirection filter, enabling rogue RDP servers to read, list, or write files one directory above the client's shared folder via RDPDR requests. Exploitation requires the victim to connect with drive redirection enabled and interact with a malicious RDP server, making this a user-interaction-dependent remote attack with moderate CVSS score (4.2) but real-world impact limited by connection and configuration requirements.
Path Traversal
Red Hat
Suse
-
CVE-2026-38743
MEDIUM
CVSS 4.3
Apache Airflow versions prior to 3.2.1 fail to enforce per-DAG access control on the /ui/dags endpoint, allowing authenticated users with read access to at least one DAG to retrieve Human-in-the-Loop prompts and full TaskInstance details for DAGs outside their authorized scope. This information disclosure bypasses the intended per-DAG RBAC boundary, exposing operator parameters and task context data to all authenticated users regardless of their assigned DAG permissions.
Information Disclosure
-
CVE-2026-34956
MEDIUM
CVSS 5.9
Invalid memory access in Open vSwitch conntrack FTP application-level gateway allows remote attackers to trigger a denial of service via crafted FTP traffic, affecting versions prior to a security patch. The vulnerability requires high attack complexity but can be exploited without authentication over the network, resulting in service unavailability rather than data compromise.
Buffer Overflow
Red Hat
Suse
-
CVE-2026-31956
MEDIUM
CVSS 4.3
Xibo CMS before version 4.4.1 allows authenticated users to bypass access controls and view campaigns, regions, and reports belonging to other users by manually constructing preview URLs. The vulnerability affects any authenticated user with Layout Management, Campaign Management, or Report viewing privileges and results in unauthorized information disclosure with no impact on data integrity or availability.
Authentication Bypass
Microsoft
-
CVE-2026-31955
MEDIUM
CVSS 4.9
Server-Side Request Forgery in Xibo CMS prior to version 4.4.1 allows high-privilege authenticated users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external resources, enabling infrastructure reconnaissance, cloud metadata access (e.g., AWS IMDS), and potential data exfiltration. Exploitation requires both 'Add DataSet' privilege and DataSet management capabilities, which are not default non-admin permissions, limiting the attack surface to trusted insiders or compromised administrative accounts.
SSRF
Microsoft
-
CVE-2026-31953
MEDIUM
CVSS 6.4
Stored cross-site scripting in Xibo CMS versions prior to 4.4.1 allows authenticated users with notification creation privileges to inject arbitrary JavaScript into notification bodies that executes automatically in targeted users' browsers upon login without requiring user interaction. This vulnerability affects the notification interrupt feature and requires the attacker to possess both notification centre access and notification creation permissions, which are restricted to administrative roles by default.
XSS
Microsoft
-
CVE-2026-31672
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
wifi: rt2x00usb: fix devres lifetime
USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when dri...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31671
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
xfrm_user: fix info leak in build_report()
struct xfrm_user_report is a __u8 proto field followed by a struct
xfrm_selector which means there is three "empty" bytes of padding, but
the padding is never zeroed before copying to use...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31670
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
net: rfkill: prevent unlimited numbers of rfkill events from being created
Userspace can create an unlimited number of rfkill events if the system
is so configured, while not consuming them from the rfkill file
descriptor, causing...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31664
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
xfrm: clear trailing padding in build_polexpire()
build_expire() clears the trailing padding bytes of struct
xfrm_user_expire after setting the hard field via memset_after(),
but the analogous function build_polexpire() does not d...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31661
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmsmac: Fix dma_free_coherent() size
dma_alloc_consistent() may change the size to align it. The new size is
saved in alloced.
Change the free size to match the allocation size.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31660
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: allocate rx skb before consuming bytes
pn532_receive_buf() reports the number of accepted bytes to the serdev
core. The current code consumes bytes into recv_skb and may already hand
a complete frame to pn533_recv_fram...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31658
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
When dma_map_single() fails in tse_start_xmit(), the function returns
NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the
stack the packet was c...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31655
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
Keep the NOC_HDCP clock always enabled to fix the potential hang
caused by the NoC ADB400 port power down handshake.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31654
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
mm/vma: fix memory leak in __mmap_region()
commit 605f6586ecf7 ("mm/vma: do not leak memory when .mmap_prepare
swaps the file") handled the success path by skipping get_file() via
file_doesnt_need_get, but missed the error path.
...
Information Disclosure
Linux
Debian
Ubuntu
Red Hat
-
CVE-2026-31653
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: dealloc repeat_call_control if damon_call() fails
damon_call() for repeat_call_control of DAMON_SYSFS could fail if somehow
the kdamond is stopped before the damon_call(). It could happen, for
example, when the dam...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31651
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
mmc: vub300: fix NULL-deref on disconnect
Make sure to deregister the controller before dropping the reference to
the driver data on disconnect to avoid NULL-pointer dereferences or
use-after-free.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31647
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling
Switch from using the completion's raw spinlock to a local lock in the
idpf_vc_xn struct. The conversion is safe because complete/_all() are
called outside the loc...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31646
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()
page_pool_create() can return an ERR_PTR on failure. The return value
is used unconditionally in the loop that follows, passing the error
pointer thro...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31645
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
net: lan966x: fix page pool leak in error paths
lan966x_fdma_rx_alloc() creates a page pool but does not destroy it if
the subsequent fdma_alloc_coherent() call fails, leaking the pool.
Similarly, lan966x_fdma_init() frees the co...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31643
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix key parsing memleak
In rxrpc_preparse_xdr_yfs_rxgk(), the memory attached to token->rxgk can be
leaked in a few error paths after it's allocated.
Fix this by freeing it in the "reject_token:" case.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31642
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix call removal to use RCU safe deletion
Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu()
rather than list_del_init() to prevent stuffing up reading
/proc/net/rxrpc/calls from potentially getting int...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31639
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix key reference count leak from call->key
When creating a client call in rxrpc_alloc_client_call(), the code obtains
a reference to the key. This is never cleaned up and gets leaked when the
call is destroyed.
Fix this ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31634
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: fix reference count leak in rxrpc_server_keyring()
This patch fixes a reference count leak in rxrpc_server_keyring()
by checking if rx->securities is already set.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31632
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix leak of rxgk context in rxgk_verify_response()
Fix rxgk_verify_response() to clean up the rxgk context it creates.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31628
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
x86/CPU: Fix FPDSS on Zen1
Zen1's hardware divider can leave, under certain circumstances, partial
results from previous operations. Those results can be leaked by
another, attacker thread.
Fix that with a chicken bit.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31625
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
HID: alps: fix NULL pointer dereference in alps_raw_event()
Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event
callbacks missing them") attempted to fix up the HID drivers that had
missed the previous fix that wa...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31624
MEDIUM
CVSS 5.5
Shift-out-of-bounds vulnerability in Linux kernel HID core driver allows local authenticated attackers to cause denial of service via crafted HID device report descriptors with oversized fields that trigger undefined bit-shift operations in the s32ton() function. A malicious or malfunctioning HID device can supply a report_size value up to 256, causing shifts on 32-bit integers with exponents exceeding safe limits, crashing the kernel or triggering undefined behavior. CVSS 5.5 reflects local-only attack vector with low complexity and requirement for user/driver privileges to process HID output reports.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31623
MEDIUM
CVSS 5.5
Denial of service via skb_shared_info->frags[] buffer overflow in the CDC Phonet USB driver allows local attackers with USB device access to crash the kernel by sending unbounded sequences of full-page bulk transfers. A malicious or compromised USB modem device can trigger this overflow without authentication or user interaction. The vulnerability has a low EPSS score (0.02%) despite moderate CVSS (5.5), indicating exploitation requires specific local USB hardware control.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31621
MEDIUM
CVSS 5.5
Null pointer dereference in Linux kernel bnge driver occurs when auxiliary_device_add() fails and the error handling path omits a return statement after auxiliary_device_uninit(), causing subsequent code to dereference a freed and nullified auxr_dev pointer. Local users with limited privileges can trigger kernel panic (denial of service) by inducing auxiliary device initialization failure. EPSS score of 0.02% reflects low real-world exploitation probability despite availability of vendor patches in stable branches 6.19.14 and 7.0.1.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31620
MEDIUM
CVSS 4.6
Null pointer dereference in the ALSA TASCAM US-144MKII USB audio driver allows local attackers with physical access to a malicious USB device to cause a kernel panic and denial of service. The vulnerability exists because the driver fails to validate that USB interface 0 exists before dereferencing it, and attackers can craft a malicious USB configuration that includes only interface 1, triggering the crash when the device is connected.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31619
MEDIUM
CVSS 5.5
Denial of service via out-of-bounds string lookup in Linux kernel ALSA fireworks driver allows local authenticated users to crash the system by supplying an invalid status value from a firewire device. The vulnerability stems from insufficient bounds checking on a 32-bit status field before array indexing into a 17-entry string table, enabling memory access violations when the device reports unexpected values including EFR_STATUS_INCOMPLETE (0x80000000).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31618
MEDIUM
CVSS 5.5
Divide-by-zero denial of service in Linux kernel framebuffer driver tdfxfb allows local authenticated users to crash the system by issuing a malformed FBIOPUT_VSCREENINFO ioctl with zero pixclock value. The vulnerability affects the framebuffer video mode setting functionality when pixclock is used directly in division operations without validation, triggering a kernel panic.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31617
MEDIUM
CVSS 5.5
Integer underflow in the Linux kernel's USB NCM gadget driver allows a malicious USB host to bypass buffer boundary checks and copy adjacent kernel memory into network packet buffers. The vulnerability exists in ncm_unwrap_ntb() where block_len values smaller than the NDP size cause unsigned integer underflow in bounds validation, enabling out-of-bounds memory read and potential information disclosure. Affected versions prior to Linux 6.12.83, 6.18.24, 6.19.14, and 7.0.1 require patching; exploitation requires local USB device attachment or administrative USB gadget configuration.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31616
MEDIUM
CVSS 5.5
Memory corruption via skb fragment array overflow in the USB Phonet gadget driver allows local attackers with device-level USB host capabilities to cause denial of service. The vulnerability exists in pn_rx_complete() which fails to enforce the MAX_SKB_FRAGS limit when processing unbounded full-page OUT transfers, causing heap memory corruption adjacent to the skb_shared_info structure. A malicious or misconfigured USB host sending continuous PAGE_SIZE byte transfers triggers the flaw in gadgets exposing the Phonet function, confirmed fixed in Linux 6.12.83, 6.18.24, 6.19.14, and 7.0.1.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31615
MEDIUM
CVSS 5.5
Null pointer dereference in the Renesas USB3 gadget driver allows local authenticated attackers to trigger a denial of service by sending crafted USB standard requests with invalid endpoint indices that bypass validation in GET_STATUS and SET/CLEAR_FEATURE handlers. The vulnerability affects multiple stable kernel versions and requires local access with user-level privileges, resulting in potential system crash or service disruption.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31610
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
The kernel ASN.1 BER decoder calls action callbacks incrementally as it
walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken
[2] OCTET STRING...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31606
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: don't call cdev_init while cdev in use
When calling unbind, then bind again, cdev_init reinitialized the cdev,
even though there may still be references to it. That's the case when
the /dev/hidg* device is stil...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31605
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide
by zero error"), we also need to prevent that same crash from happening
in the udlfb driver as it us...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31604
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: fix device leak on probe failure
Driver core holds a reference to the USB interface and its parent USB
device while the interface is bound to a driver and there is no need to
take additional references unless the stru...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31603
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
staging: sm750fb: fix division by zero in ps_to_hz()
ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating
that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO
causes a division by zero.
Fix b...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31601
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
vfio/xe: Reorganize the init to decouple migration from reset
Attempting to issue reset on VF devices that don't support migration
leads to the following:
BUG: unable to handle page fault for address: 00000000000011f8
#PF: su...
Information Disclosure
Linux
Red Hat
Intel
Suse
-
CVE-2026-31599
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
syzbot reported a general protection fault in vidtv_psi_desc_assign [1].
vidtv_psi_pmt_stream_init() can return NULL on memory allocation
failure, but...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Canonical
-
CVE-2026-31596
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: handle invalid dinode in ocfs2_group_extend
[BUG]
kernel BUG at fs/ocfs2/resize.c:308!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308
Code: 8b8520ff ffff83f8...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31595
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
Disable the delayed work before clearing BAR mappings and doorbells to
avoid running the handler after resources have been torn down.
Unable to handle ke...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31594
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
epf_ntb_epc_destroy() duplicates the teardown that the caller is
supposed to perform later. This leads to an oops when .allow_link fails
or when .drop_link is perform...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31593
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU
Reject synchronizing vCPU state to its associated VMSA if the vCPU has
already been launched, i.e. if the VMSA has already been encrypted. On a
host wit...
Information Disclosure
Linux
Red Hat
Dell
Suse
-
CVE-2026-31592
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock
Take and hold kvm->lock before checking sev_guest() in
sev_mem_enc_register_region(), as sev_guest() isn't stable unless kvm->lock
is held (or KVM can gua...
Denial Of Service
Linux
Google
Null Pointer Dereference
Red Hat
-
CVE-2026-31591
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Lock all vCPUs when synchronizing VMSAs for SNP launch finish
Lock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as
allowing userspace to manipulate and/or run a vCPU while its state is being
synchroni...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31590
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
Drop the WARN in sev_pin_memory() on npages overflowing an int, as the
WARN is comically trivial to trigger from userspace, e.g. by doing:
struct kvm_enc_reg...
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31585
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix nfeeds state corruption on start_streaming failure
syzbot reported a memory leak in vidtv_psi_service_desc_init [1].
When vidtv_start_streaming() fails inside vidtv_start_feed(), the
nfeeds counter is left incre...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31579
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit
wg_netns_pre_exit() manually acquires rtnl_lock() inside the
pernet .pre_exit callback. This causes a hung task when another
thread holds rtnl_mute...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31577
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
The DAT inode's btree node cache (i_assoc_inode) is initialized lazily
during btree operations. However, nilfs_mdt_save_to_shadow_map()
assumes i_assoc_ino...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31575
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
mm/userfaultfd: fix hugetlb fault mutex hash calculation
In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the
page index for hugetlb_fault_mutex_hash(). However, linear_page_index()
returns the index in PAGE_SI...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31574
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
clockevents: Add missing resets of the next_event_forced flag
The prevention mechanism against timer interrupt starvation missed to reset
the next_event_forced flag in a couple of places:
- When the clock event state changes....
Information Disclosure
Linux
-
CVE-2026-31573
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: verisilicon: Fix kernel panic due to __initconst misuse
Fix a kernel panic when probing the driver as a module:
Unable to handle kernel paging request at virtual address
ffffd9c18eb05000
of_find_matching_node_and_mat...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31572
MEDIUM
CVSS 4.7
In the Linux kernel, the following vulnerability has been resolved:
i2c: designware: amdisp: Fix resume-probe race condition issue
Identified resume-probe race condition in kernel v7.0 with the commit
38fa29b01a6a ("i2c: designware: Combine the init functions"), but this
issue existed from the begi...
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-31571
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Unlink NV12 planes earlier
unlink_nv12_plane() will clobber parts of the plane state
potentially already set up by plane_atomic_check(), so we
must make sure not to call the two in the wrong order.
The problem happens wh...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31567
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
PM: sleep: Drop spurious WARN_ON() from pm_restore_gfp_mask()
Commit 35e4a69b2003f ("PM: sleep: Allow pm_restrict_gfp_mask()
stacking") introduced refcount-based GFP mask management that warns
when pm_restore_gfp_mask() is called ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31565
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Fix deadlock during netdev reset with active connections
Resolve deadlock that occurs when user executes netdev reset while RDMA
applications (e.g., rping) are active. The netdev reset causes ice
driver to remove irdma...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31564
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: KVM: Fix base address calculation in kvm_eiointc_regs_access()
In function kvm_eiointc_regs_access(), the register base address is
calculated from array base address plus offset, the offset is absolute
value from the bas...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31562
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,
which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this
structure needs...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Mediatek
-
CVE-2026-31561
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask
Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so
that whenever something else modifies CR4, that bit remains set. Which
in itself is a perfectly fine ...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31560
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-dw-dma: fix print error log when wait finish transaction
If an error occurs, the device may not have a current message. In this
case, the system will crash.
In this case, it's better to use dev from the struct ctlr (stru...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31559
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: Fix missing NULL checks for kstrdup()
1. Replace "of_find_node_by_path("/")" with "of_root" to avoid multiple
calls to "of_node_put()".
2. Fix a potential kernel oops during early boot when memory allocation
fails whil...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31556
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
xfs: scrub: unlock dquot before early return in quota scrub
xchk_quota_item can return early after calling xchk_fblock_process_error.
When that helper returns false, the function returned immediately without
dropping dq->q_qlock, ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31555
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
futex: Clear stale exiting pointer in futex_lock_pi() retry path
Fuzzing/stressing futexes triggered:
WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524
When futex_lock_pi_atom...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31551
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]
The problem is that aql_enable_write() does not serialise concurrent
write()s to the debu...
Information Disclosure
Linux
Google
Integer Overflow
Red Hat
-
CVE-2026-31550
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: bcm: bcm2835-power: Increase ASB control timeout
The bcm2835_asb_control() function uses a tight polling loop to wait
for the ASB bridge to acknowledge a request. During intensive workloads,
this handshake intermittently...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31549
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
i2c: cp2615: fix serial string NULL-deref at probe
The cp2615 driver uses the USB device serial string as the i2c adapter
name but does not make sure that the string exists.
Verify that the device has a serial number before acces...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31547
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix missing runtime PM reference in ccs_mode_store
ccs_mode_store() calls xe_gt_reset() which internally invokes
xe_pm_runtime_get_noresume(). That function requires the caller
to already hold an outer runtime PM reference...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31546
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix NULL deref in bond_debug_rlb_hash_show
rlb_clear_slave intentionally keeps RLB hash-table entries on
the rx_hashtbl_used_head list with slave set to NULL when no
replacement slave is available. However, bond_debu...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31545
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
NFC: nxp-nci: allow GPIOs to sleep
Allow the firmware and enable GPIOs to sleep.
This fixes a `WARN_ON' and allows the driver to operate GPIOs which are
connected to I2C GPIO expanders.
-- >8 --
kernel: WARNING: CPU: 3 PID: 2636...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31544
MEDIUM
CVSS 5.5
A NULL pointer dereference in the Linux kernel ARM SCMI firmware driver allows local authenticated users to trigger a denial of service by causing the system to crash. The vulnerability exists in the __scmi_event_handler_get_ops helper function, which can return NULL instead of the expected ERR_PTR on failure, causing downstream code to dereference a NULL pointer when handling unsupported SCMI events. The flaw was introduced in commit b5daf93b809d1 and affects multiple stable kernel versions; patches are available in Linux 6.18.20, 6.19.10, and 7.0.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31543
MEDIUM
CVSS 5.5
Debug logging in the Linux kernel's crash_dump module exposes dm-crypt key material when debug logging is enabled, allowing local privileged users to read encryption keys from kernel logs and potentially cause denial of service through availability impact on crash dump functionality. The vulnerability affects Linux kernel versions prior to 6.18.20, 6.19.10, and 7.0, with an EPSS score of 0.02% indicating low exploitation probability despite the information disclosure risk.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31542
MEDIUM
CVSS 5.5
Denial of service in the Linux kernel x86/platform/uv module when sockets are deconfigured, causing a kernel panic during UV hub info structure allocation on systems with SGI UV architecture. Exploitable by authenticated local attackers with standard user privileges. Vendor-released patches are available for multiple kernel versions (6.6.130, 6.12.78, 6.18.20, 6.19.10 and others). An EPSS score of 0.02% indicates exploitation is unlikely in typical environments despite the low CVSS score barrier.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31540
MEDIUM
CVSS 5.5
A null pointer dereference in the i915 GPU driver's graphics translation table (GT) submission logic causes kernel panic and denial of service when the i915 firmware binaries are absent and the system attempts to suspend. Local authenticated attackers with normal user privileges can trigger this crash by initiating system suspend on affected Intel graphics systems without required firmware, resulting in denial of service. No public exploit code identified at time of analysis; EPSS score of 0.02% indicates low exploitation probability in practice.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31537
MEDIUM
CVSS 5.5
Denial of service in Linux kernel SMB server implementation allows local authenticated users to crash the system by triggering data stream corruption through improper credit management in smbdirect socket operations. The vulnerability affects kernel versions prior to 6.18.11, 6.19.1, and 7.0, and requires local access with limited privileges to exploit.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31535
MEDIUM
CVSS 4.7
A race condition in the Linux kernel SMB client's recv_io credit management allows local authenticated users to cause a denial of service through timing-sensitive credit accounting between incoming data reception and completion processing. The vulnerability affects SMBDirect socket credit handling where credits may be granted to peers before corresponding recv buffers are actually posted, creating a window where credit accounting becomes inconsistent. Exploitation requires local access and moderate complexity but is not confirmed as actively exploited (not listed in CISA KEV).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31052
MEDIUM
CVSS 5.3
Denial of service in Hostbill versions 2025-11-24 and 2025-12-01 allows remote unauthenticated attackers to degrade service availability through the Checkout Authentication Flow component via uncontrolled resource consumption (likely improper rate limiting). The vulnerability has a low-to-moderate CVSS score (5.3) reflecting limited impact scope, but exploitation requires no authentication or user interaction and can be triggered over the network.
Denial Of Service
-
CVE-2026-31050
MEDIUM
CVSS 4.9
Cross-site scripting (XSS) vulnerability in Hostbill versions 2025-11-24 and 2025-12-01 allows high-privilege remote attackers to execute arbitrary code in admin and client interface contexts without user interaction. The CVSS score of 4.9 reflects the requirement for authenticated high-privilege access, but the presence of publicly available exploit code and the vulnerability's presence in both admin and client interfaces increase real-world risk beyond the base score. The discrepancy between the CWE-79 classification (XSS) and tags indicating RCE capability suggests stored XSS enabling indirect code execution or privilege escalation within the application.
XSS
RCE
-
CVE-2026-30368
MEDIUM
CVSS 5.4
Lightspeed Classroom v5.1.2.1763770643 contains a client-side authorization flaw that allows unauthenticated remote attackers to impersonate users and bypass integrity checks on client-generated authorization tokens, enabling unauthorized remote control and monitoring of student devices. The vulnerability requires high attack complexity and affects confidentiality and integrity with limited scope impact (CVSS 5.4). Despite a high CVSS score, the EPSS score of 0.03% indicates minimal real-world exploitation probability, suggesting this requires specific technical conditions or targeted attack scenarios rather than widespread automated exploitation.
Authentication Bypass
-
CVE-2026-25720
MEDIUM
CVSS 6.9
Improper session lifetime enforcement in SenseLive X3050's web management interface allows attackers with access to a previously authenticated session to maintain administrative access without re-authentication, potentially enabling unauthorized configuration changes or information disclosure. The vulnerability affects the product's session management mechanism, permitting extended session validity beyond legitimate user activity windows. CVSS 6.9 indicates moderate risk; exploitation requires prior session compromise but no special configuration.
Information Disclosure
-
CVE-2026-6810
MEDIUM
CVSS 5.3
Insecure Direct Object Reference in Booking Calendar Contact Form plugin for WordPress (all versions up to 1.2.63) allows authenticated attackers with Subscriber-level privileges to hijack other users' calendars and access associated user data by exploiting missing validation on user-controlled keys in the dex_bccf_admin_int_calendar_list.inc.php file. The CVSS score of 5.3 reflects network-accessible exploitation without user interaction, though the vulnerability requires valid WordPress authentication at Subscriber level or higher.
PHP
WordPress
Authentication Bypass
-
CVE-2026-6393
MEDIUM
CVSS 4.3
BetterDocs plugin for WordPress versions up to 4.3.11 allows authenticated subscribers and higher to trigger arbitrary OpenAI API calls using the site's configured API key due to missing capability checks in the generate_openai_content_callback() function. An attacker with subscriber-level access can supply arbitrary prompts to exhaust the site owner's paid AI API quota without authorization, resulting in unauthorized financial impact and service degradation. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-5488
MEDIUM
CVSS 5.3
ExactMetrics Google Analytics Dashboard for WordPress versions up to 9.1.2 allow authenticated subscribers to retrieve Google Ads access tokens and reset Google Ads integration settings through missing authorization checks in AJAX handlers. Although a nonce is verified, two AJAX endpoints (get_ads_access_token and reset_experience) lack the capability checks present in similar endpoints, enabling attackers with subscriber-level access to perform administrative actions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects network-accessible unauthenticated exploitation, but the description indicates authenticated subscriber access is required, creating a discrepancy between reported CVSS and actual attack prerequisites.
PHP
WordPress
Authentication Bypass
Google
-
CVE-2026-5428
MEDIUM
CVSS 6.4
Stored cross-site scripting in Royal Elementor Addons plugin for WordPress up to version 1.7.1056 allows authenticated attackers with Author-level access to inject arbitrary JavaScript via image alt attributes in the Image Grid/Slider/Carousel widget. The vulnerability results from insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for HTML attribute context. Malicious scripts execute in the browsers of any user viewing pages containing the compromised image widget, potentially enabling session hijacking, credential theft, or plugin/theme manipulation.
WordPress
XSS
-
CVE-2026-5347
MEDIUM
CVSS 5.3
Unauthenticated attackers can modify the custom post type slug for the HM Books Gallery plugin in WordPress versions up to 4.8.0 by submitting a crafted POST request to the admin_init hook, bypassing all capability and nonce checks. This vulnerability allows modification of the 'wbg_cpt_slug' option without authentication, changing the URL structure for all book entries, breaking existing links, and degrading SEO rankings. No public exploit code or active exploitation has been identified at the time of analysis.
PHP
WordPress
Authentication Bypass
-
CVE-2026-5265
MEDIUM
CVSS 6.5
Heap over-read in OVN's ICMP error response generation allows remote attackers to leak sensitive memory contents, causing information disclosure and potential denial of service. The vulnerability affects OVN versions prior to the 2026 security update, exploitable over the network without authentication or user interaction via crafted ICMP packets. No public exploit code has been identified, but the attack vector is network-accessible with high complexity requirements.
Information Disclosure
-
CVE-2026-4078
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in ITERAS WordPress plugin version 1.8.2 and earlier allows authenticated attackers with Contributor-level privileges to inject arbitrary JavaScript code via shortcode attributes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) due to insufficient input sanitization in the combine_attributes() function. When a user accesses a page containing the malicious shortcode, the injected script executes in their browser context, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-3569
MEDIUM
CVSS 5.3
Liaison Site Prober plugin for WordPress allows unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, and login events through an improperly secured REST API endpoint (/wp-json/site-prober/v1/logs) in all versions up to 1.2.1. The vulnerability stems from a permission callback that unconditionally returns true without validating user capabilities, enabling information disclosure with network-level access and no authentication required. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
Authentication Bypass
Information Disclosure
-
CVE-2026-3565
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) in Taqnix WordPress plugin versions up to 1.0.3 allows unauthenticated attackers to trick logged-in users into deleting their own accounts via a forged request. The vulnerability stems from a commented-out nonce verification check in the taqnix_delete_my_account() function, making account deletion unprotected against CSRF attacks. No public exploit code or active exploitation has been identified, though the attack requires user interaction (clicking a malicious link or visiting a compromised page).
WordPress
CSRF
-
CVE-2026-2028
MEDIUM
CVSS 5.3
MaxiBlocks Builder plugin for WordPress up to version 2.1.8 allows authenticated attackers with Author-level access to delete arbitrary files in the wp-content/uploads directory via the 'maxi_remove_custom_image_size' AJAX action due to insufficient file ownership validation. This enables deletion of media uploaded by other users and administrators without proper authorization checks, violating file integrity despite the CVSS 5.3 score reflecting limited direct impact.
WordPress
Authentication Bypass
-
CVE-2026-1789
MEDIUM
CVSS 6.9
Information disclosure in Canon production printers and office/small office multifunction printers allows authenticated administrators to access sensitive device information through crafted requests to the browser-based remote management interface. The vulnerability affects multiple printer models and requires high-privilege administrative access; no active exploitation has been confirmed at time of analysis, though the remote network vector and low attack complexity indicate practical exploitability by privileged internal users.
Information Disclosure
Microsoft
-
CVE-2025-67259
MEDIUM
CVSS 6.5
Broken access control in ClassroomIO v0.1.13 allows authenticated low-privileged students to disclose sensitive course information including other students' details, tutor/admin profiles, and internal metadata by modifying API requests from POST to GET against the PostgREST endpoint. The vulnerability requires valid student account credentials but no special privileges, enabling unauthorized horizontal and vertical access escalation within course contexts.
Authentication Bypass
N A
-
CVE-2025-62233
MEDIUM
CVSS 6.3
Unsafe deserialization in Apache DolphinScheduler RPC module (versions 3.2.0 to 3.3.0) allows authenticated network attackers to achieve remote code execution by injecting malicious class types into StandardRpcRequest messages sent to Master or Worker nodes. The vulnerability requires network access and valid credentials but carries moderate CVSS (6.3) with very low EPSS exploitation probability (0.02%), suggesting limited real-world weaponization despite the dangerous vulnerability class.
Apache
Deserialization
-
CVE-2025-61872
MEDIUM
CVSS 6.1
Stored cross-site scripting (XSS) in Mahara before 25.04.2 and 24.04.11 allows unauthenticated remote attackers to inject malicious JavaScript via unsanitized search query parameters in the 'search site' feature when the Elasticsearch7 search plugin is enabled. The vulnerability has a CVSS score of 6.1 (moderate) with network attack vector and user interaction required (clicking a crafted search link), resulting in partial confidentiality and integrity impact. No active exploitation has been confirmed by CISA KEV, and no public exploit code is documented at the time of analysis.
XSS
Elastic
-
CVE-2025-59308
MEDIUM
CVSS 4.7
Institution administrators with Site staff role in Mahara can impersonate institution members in other institutions where they lack administrative privileges, bypassing intended access controls on multi-tenanted deployments. Affects Mahara versions before 24.04.10 and 25.x before 25.04.1. This requires high-privilege authentication (Site staff role) and does not involve network exploitation of unauthenticated services, limiting real-world attack surface to insider threats within organizations running affected versions.
Authentication Bypass
N A
-
CVE-2025-11762
MEDIUM
CVSS 4.3
HubSpot All-In-One Marketing plugin for WordPress (versions up to 11.3.32) exposes sensitive information via the class-adminconstants.php file, allowing authenticated users with Contributor-level access or higher to retrieve a complete list of installed plugins and their versions. This information disclosure enables reconnaissance for follow-on attacks targeting vulnerable plugins, though exploitation requires valid WordPress authentication and contributor-level privileges.
PHP
WordPress
Authentication Bypass
Information Disclosure
-
CVE-2026-42040
LOW
CVSS 3.7
Axios versions prior to 1.15.1 and 0.31.1 contain a character mapping flaw in the AxiosURLSearchParams.encode() function that reverses safe percent-encoding of null bytes, converting %00 back to raw null bytes. While the standard axios request flow remains unaffected, this vulnerability could enable integrity compromise in edge-case scenarios where encoded parameters are processed by downstream systems expecting percent-encoded values. No public exploit code or active exploitation has been identified.
Information Disclosure
Node.js
-
CVE-2026-41498
LOW
CVSS 3.3
Kimai's Team API endpoints fail to validate entity-level ownership due to incorrect Symfony IsGranted attribute syntax, allowing users with the edit_team permission to modify any team regardless of membership. The vulnerability arises because API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing the TeamVoter to abstain and fall back to role-only permission checks. In default configurations this is unexploitable since only admins hold edit_team permission, but if administrators grant edit_team to lower-privilege roles (such as ROLE_TEAMLEAD) via the permissions UI, those users can modify team memberships, customer assignments, project assignments, and activity assignments for any team without authorization. No public exploit code or active exploitation has been identified.
PHP
Authentication Bypass
-
CVE-2026-41488
LOW
CVSS 3.1
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independe...
SSRF
-
CVE-2026-41430
LOW
CVSS 1.3
Reflected cross-site scripting (XSS) in Frappe Press login page redirect parameter allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser upon clicking a malicious link, with user interaction required. The vulnerability affects all versions prior to the patch commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6, which restricts redirects to internal URLs only. CVSS score of 1.3 reflects very low confidentiality, integrity, and availability impact due to scope limitations, though XSS vulnerabilities carry inherent session hijacking and credential theft risks.
XSS
-
CVE-2026-34884
None
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/13.
XSS
Apache
SSRF
-
CVE-2026-31534
None
In the Linux kernel, the following vulnerability has been resolved:
smb: client: let send_done handle a completion without IB_SEND_SIGNALED
With smbdirect_send_batch processing we likely have requests without
IB_SEND_SIGNALED, which will be destroyed in the final request
that has IB_SEND_SIGNALED ...
Information Disclosure
Linux
-
CVE-2026-31051
LOW
CVSS 3.8
Denial of service via improper resource handling in the Client Balance component of Hostbill v.2025-11-24 and v.2025-12-01 allows high-privileged remote attackers to disrupt service availability and trigger limited integrity impacts. The vulnerability stems from insufficient input validation in CWE-400 (Uncontrolled Resource Consumption), requiring administrator-level access but presenting moderate real-world risk due to the low attack complexity and network accessibility of the affected component.
Denial Of Service
-
CVE-2026-4367
None
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/21.
Buffer Overflow
-
CVE-2026-4313
LOW
CVSS 2.4
Stored XSS in AdaptiveGRC text-type form fields allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers, potentially leading to theft of administrator authentication tokens and privilege escalation. The vulnerability affects multiple versions released before December 2025 due to improper server-side parameter validation. User interaction is required for exploitation, and the attacker must first authenticate to the application.
XSS
-
CVE-2026-3865
None
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/11.
Path Traversal
Kubernetes