Skip to main content
CVE-2026-41473 HIGH POC PATCH This Week

CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. Attackers can exploit the lack of authentication checks to cause denial of service through storage exhaustion, corrupt scan history records, and pollute database fields with malicious data.

Authentication Bypass Denial Of Service Cyberpanel
NVD GitHub
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-40466 HIGH POC PATCH GHSA This Week

Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath.

RCE Java Apache Apache Activemq Broker Apache Activemq All +1
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41326 HIGH POC PATCH GHSA This Week

Arbitrary file write in Kata Containers v3.4.0 to v3.28.0 allows untrusted hosts to overwrite binaries and exfiltrate data from guest workloads, including those in confidential VMs (CVMs). The vulnerability stems from inadequate validation in the CopyFile policy, permitting host-initiated writes to arbitrary paths inside guest images. This enables binary replacement for code execution or data theft across the trust boundary. Patched in v3.29.0. EPSS data not available; no active exploitation confirmed at time of analysis.

Information Disclosure Kata Containers
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-41907 HIGH POC PATCH This Week

Buffer overwrite vulnerability in uuid JavaScript library versions prior to 14.0.0 enables remote attackers to corrupt memory and potentially disclose sensitive information through out-of-range writes when applications use v3, v5, or v6 UUID generation functions with caller-provided output buffers. The library fails to validate buffer boundaries, allowing partial writes beyond allocated memory regions. Vendor patch available in version 14.0.0 per GitHub security advisory GHSA-w5hq-g745-h8pq. No confirmed active exploitation (not in CISA KEV), and CVSS 4.0 Environmental Score suggests exploitation status is unproven (E:U).

Memory Corruption Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 4.0
8.1
EPSS
0.0%
CVE-2026-31581 HIGH POC PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.

Memory Corruption Use After Free Information Disclosure Linux
NVD VulDB GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-42033 HIGH POC PATCH GHSA This Week

Prototype pollution in Axios HTTP client versions before 1.15.1 and 0.31.1 enables silent interception and modification of all JSON responses or complete HTTP transport hijacking when the JavaScript Object.prototype has been polluted by a co-dependency. This vulnerability requires a separate prototype pollution source within the same Node.js process but requires no authentication once that precondition exists. An attacker can then access credentials, headers, and request bodies across the application. EPSS data not available; no public exploit identified at time of analysis.

Node.js Information Disclosure Prototype Pollution Axios
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-35064 HIGH CISA Act Now

Unauthenticated network discovery in SenseLive X3050 management ecosystem exposes device presence, identifiers, and management interfaces to attackers on the same network segment. The vendor's management protocol fails to authenticate discovery functions (CWE-306), allowing rapid enumeration of all deployed X3050 units without credentials. CISA ICS-CERT has issued an advisory (ICSA-26-111-12), indicating awareness in industrial control system environments. CVSS 8.7 reflects high confidentiality impact from network-based, low-complexity attacks requiring no privileges or user interaction.

Authentication Bypass X3050
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-27841 HIGH CISA Act Now

Cross-Site Request Forgery in SenseLive X3050's web management interface enables authenticated attackers to force victims into executing unauthorized configuration changes and potentially disruptive operations. A remote attacker with low privileges can craft malicious web pages that, when visited by an authenticated administrator, trigger state-changing requests without the victim's knowledge, leading to high integrity and availability impact on the device. CISA ICS-CERT has issued an advisory (ICSA-26-111-12) for this industrial control system component, indicating coordination with the vendor and awareness within the critical infrastructure community.

CSRF X3050
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-33076 HIGH PATCH This Week

Remote code execution in Roxy-WI versions before 8.2.6.4 allows unauthenticated attackers to write malicious code into scheduled tasks via path traversal in the haproxy_section_save interface. The vulnerability chains CWE-22 path traversal with cron job manipulation, enabling arbitrary command execution on servers managing HAProxy, Nginx, Apache, and Keepalived infrastructure. CVSS 8.9 with network attack vector and no privileges required indicates critical risk, though EPSS data and KEV status are unavailable to confirm active exploitation.

RCE Nginx Apache Path Traversal
NVD GitHub
CVSS 4.0
8.9
EPSS
0.5%
CVE-2026-41486 HIGH PATCH GHSA This Week

Remote code execution in Ray Data 2.49.0-2.54.0 allows attackers to execute arbitrary Python code by crafting malicious Parquet files containing Ray tensor extension types. When Ray Data reads these files, it deserializes untrusted metadata using cloudpickle.loads() without validation, triggering code execution during schema parsing before any data is read. The vulnerability requires only that a victim read a crafted Parquet file from any source (cloud storage, HuggingFace datasets, shared filesystems)-no cluster access or authentication needed. This reintroduces a vulnerability class previously fixed in May 2024, making it a regression introduced in July 2025 (PR #54831). Working proof-of-concept exists demonstrating exploitation via HuggingFace datasets following Ray's own documentation. EPSS data not available, not currently in CISA KEV.

Python Code Injection Deserialization RCE
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-33078 HIGH PATCH This Week

SQL injection in Roxy-WI versions before 8.2.6.4 allows remote unauthenticated attackers to execute arbitrary SQL commands via the server_ip parameter in the haproxy_section_save function. The vulnerability stems from unsanitized URL path parameters being directly interpolated into SQL queries using Python string formatting. Proof-of-concept code exists (CVSS E:P), and the CVSS 4.0 score of 8.9 with network vector (AV:N), low complexity (AC:L), and no authentication (PR:N) indicates a critical, easily exploitable vulnerability. Vendor-released patch available in version 8.2.6.4.

Nginx SQLi Python Apache
NVD GitHub
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-6043 HIGH This Week

Helix Core Server (P4D) before 2026.1 ships with insecure default configurations allowing remote unauthenticated attackers to create arbitrary user accounts, enumerate users, authenticate without passwords, and access repository contents via the built-in 'remote' user. EPSS score of 0.06% (19th percentile) suggests low observed exploitation attempts despite the high CVSS 8.8 score and SSVC classification as automatable with partial impact. No active exploitation confirmed (not in CISA KEV). Perforce reports this as vendor-disclosed with secure-by-default enforced in version 2026.1.

Authentication Bypass Helix Core Server P4D
NVD VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-41044 HIGH PATCH GHSA This Week

Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Spring XML contexts that execute arbitrary code on the broker's JVM. Attackers exploit improper broker name validation to embed xbean bindings, then trigger VM transport creation via DestinationView mbean to load remote Spring XML files containing malicious bean factory methods like Runtime.exec(). EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability despite CVSS 8.8, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patches available: versions 5.19.6 and 6.2.5 address the vulnerability.

RCE Java Apache Apache Activemq Apache Activemq Broker +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41421 HIGH PATCH This Week

Authenticated local users can execute arbitrary code on Windows, macOS, and Linux via HTML injection in SiYuan desktop notification messages through version 3.6.4. The Electron-based desktop application mishandles notification rendering with unsafe settings (nodeIntegration enabled, contextIsolation disabled, webSecurity disabled), escalating XSS to full system compromise. Vendor-released patch available in version 3.6.5. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

XSS Microsoft Command Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31570 HIGH PATCH This Week

Out-of-bounds heap write in Linux kernel CAN gateway CRC8 checksum processing allows adjacent network attackers to corrupt kernel memory and potentially achieve code execution. The cgw_csum_crc8_rel() function in the CAN gateway subsystem uses raw negative index values instead of bounds-checked variables when accessing canfd_frame data, enabling writes up to 56 bytes before the heap object. Exploitation requires CAP_NET_ADMIN capability to configure CAN gateway CRC8 checksums. EPSS exploitation probability is very low (0.02%, 7th percentile) and no active exploitation has been reported. Vendor patches available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31629 HIGH PATCH This Week

Use-after-free in Linux kernel NFC LLCP implementation allows adjacent-network attackers to execute arbitrary code with kernel privileges. The flaw occurs when socket state is LLCP_CLOSED in nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), where missing return statements cause double release_sock() and refcount underflow, leading to memory corruption. Vendor-released patches available for stable kernels 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC confirmed at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31622 HIGH PATCH This Week

Heap buffer overflow in Linux kernel NFC-A digital target driver allows adjacent-network attackers to corrupt memory and potentially execute code. A malicious NFC peer device can trigger unbounded cascade loops during anti-collision protocol, writing beyond the 10-byte nfcid1 buffer with each iteration. EPSS score of 0.02% (5th percentile) indicates low likelihood of mass exploitation, but the adjacent attack vector (AV:A) limits exposure to proximity-based attacks. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14, 7.0.1). No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31588 HIGH PATCH This Week

Use-after-free in Linux kernel KVM x86 MMIO emulation allows local authenticated users with low privileges to potentially execute arbitrary code, escalate privileges, or cause denial of service. The flaw occurs when KVM's emulator initiates MMIO writes using on-stack variables that cross page boundaries between two MMIO pages, creating dangling pointers when fragments are processed across separate KVM_RUN calls, especially when different tasks handle subsequent runs. EPSS exploitation probability is very low (0.02%, 5th percentile), and vendor patches are available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. No active exploitation or public POC identified at time of analysis.

Information Disclosure Linux Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31558 HIGH PATCH This Week

Out-of-bounds array access in Linux kernel KVM subsystem on LoongArch allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or cause denial of service by passing negative cpuid values to kvm_get_vcpu_by_cpuid(). The function lacks bounds checking before indexing phyid_map::phys_map[], enabling read/write beyond array boundaries with container escape potential (CVSS scope change). Vendor patches available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11). EPSS score of 0.02% indicates low automated exploitation likelihood, with no confirmed active exploitation or public POC at time of analysis.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31553 HIGH PATCH This Week

Address calculation error in Linux kernel KVM on ARM64 allows local authenticated attackers with low privileges to corrupt memory descriptors, potentially enabling container escape or privilege escalation to compromise host integrity and confidentiality. The vulnerability affects KVM's stage-1/stage-2 page table descriptor swapping logic where pointer arithmetic incorrectly multiplies the offset by 8, causing writes to unintended memory locations. Vendor patches available for Linux 6.19.11 and mainline with EPSS exploitation probability at 5th percentile, indicating low observed exploitation despite high CVSS severity.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41429 HIGH PATCH This Week

Memory corruption in arduino-esp32's NBNS packet handler allows adjacent network attackers to achieve remote code execution on ESP32-family microcontrollers without authentication. Affects all versions prior to 3.3.8 when NetBIOS is explicitly enabled via NBNS.begin(). The parser trusts attacker-controlled name_len field from UDP port 137 traffic, writing unbounded data to fixed-size buffers. EPSS data not available, no CISA KEV listing, but GitHub security advisory confirms the vulnerability with patch released in version 3.3.8.

Buffer Overflow Stack Overflow Arduino Esp32
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6912 HIGH PATCH This Week

Authenticated users with low privileges can escalate to deployment admin in AWS Ops Wheel (pre-PR #165) by manipulating the custom:deployment_admin attribute through crafted UpdateUserAttributes API calls to Cognito User Pool. This privilege escalation allows full control over Cognito user account management and deployment administration. Upstream fix available via GitHub PR #165; AWS security bulletin AMZN-2026-018 confirms patch availability. No active exploitation confirmed (not in CISA KEV), but CVSS 8.7 reflects critical impact across confidentiality, integrity, and availability.

Privilege Escalation Aws Ops Wheel
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-41503 HIGH PATCH This Week

Remote attackers can crash BACnet Stack-powered embedded devices (versions prior to 1.4.3) by sending malformed ReadPropertyMultiple (RPM) requests containing a 1-byte property payload with an extended tag marker (0xF9). The vulnerability triggers an out-of-bounds read in the RPM service decoder, causing denial-of-service on industrial building automation systems that use this open-source C library. Affects default configurations where ReadPropertyMultiple service is enabled. EPSS data and KEV status not available; no public exploit confirmed at time of analysis, though GitHub security advisory provides technical details that could facilitate reproduction.

Buffer Overflow Information Disclosure Bacnet Stack
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41502 HIGH PATCH This Week

Remote denial of service in BACnet Stack library versions before 1.4.3 allows unauthenticated attackers to crash embedded building automation devices by sending a malformed ReadPropertyMultiple request with a truncated object identifier. The off-by-one buffer read vulnerability triggers crashes on resource-constrained BACnet devices running the default-enabled RPM service handler. CVSS v4.0 scores this 8.7 (High) based on network attack vector and high availability impact, though no public exploit code or active exploitation has been identified at time of analysis.

Buffer Overflow Information Disclosure Bacnet Stack
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41475 HIGH PATCH This Week

Out-of-bounds read in BACnet Stack library versions before 1.4.3 allows unauthenticated remote attackers to crash embedded BACnet devices or disclose memory contents by sending malformed WritePropertyMultiple (WPM) service requests over BACnet/IP. The flaw affects building automation and industrial control systems using the vulnerable C library. No public exploit identified at time of analysis, though the CVSS v4.0 score of 8.7 reflects high availability impact and network-accessible attack surface with low complexity.

Buffer Overflow Information Disclosure Bacnet Stack
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41680 HIGH POC PATCH GHSA This Week

Unauthenticated remote attackers can crash Node.js applications using marked versions 18.0.0-18.0.1 by sending a specially crafted 3-byte sequence (tab, vertical tab, newline). The infinite recursion loop exhausts memory and triggers an out-of-memory crash, enabling complete denial of service against any exposed markdown parsing endpoint. Vendor-released patch fixes the vulnerability in version 18.0.2. No public exploit identified at time of analysis, though the attack input is trivially simple and reproducible. CVSS v4.0 8.7 reflects high availability impact with network reachability and no authentication barriers.

Node.js Denial Of Service Red Hat
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-6947 HIGH PATCH This Week

Brute-force protection bypass in D-Link DWM-222W USB Wi-Fi Adapter allows remote unauthenticated attackers to perform unlimited authentication attempts against the device's login interface. The vulnerability eliminates rate limiting controls, enabling adversaries to systematically guess credentials until device takeover is achieved. CVSS 8.7 reflects the high integrity impact (VI:H) from potential device compromise, though no public exploit code has been identified and CISA has not flagged active exploitation.

Authentication Bypass D-Link
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33317 HIGH This Week

Out-of-bounds read and write in OP-TEE OS PKCS#11 Trusted Application (versions 3.13.0-4.10.0) allows authenticated local attackers with low privileges to read up to 7 bytes beyond heap boundaries and write arbitrary attribute values outside allocated buffers, potentially compromising the integrity and confidentiality of the Trusted Execution Environment. The vulnerability affects Arm TrustZone-based TEE implementations running alongside Linux kernels on Cortex-A cores. Patches available in three upstream commits targeting version 4.11.0. EPSS data not provided; no CISA KEV status indicating targeted rather than widespread exploitation. CVSS 8.7 reflects high confidentiality/integrity impact with scope change, representing potential TEE compromise from the normal world.

Buffer Overflow Information Disclosure Linux
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-5367 HIGH PATCH This Week

Heap over-read in Open Virtual Network (OVN) DHCPv6 client ID processing allows remote unauthenticated attackers to extract sensitive memory contents across network boundaries. The vulnerability affects OVN's DHCPv6 implementation and carries a CVSS score of 8.6 with scope change, enabling cross-tenant information disclosure in multi-tenant virtualized environments. Public advisory released via oss-security mailing list on 2026-04-20, though no confirmed active exploitation or public POC identified at time of analysis.

Information Disclosure
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-31611 HIGH PATCH This Week

Out-of-bounds read in Linux kernel's ksmbd SMB server allows remote unauthenticated attackers to manipulate file permissions by crafting malicious ACE SIDs with insufficient sub-authorities, triggering parse_dacl() to read 4 bytes past the ACL buffer boundary and apply those arbitrary bytes as POSIX file mode bits. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit identified at time of analysis. Vendor-released patches available across stable kernel branches (6.12.83, 6.18.24, 6.19.14, 7.0.1).

Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-6272 HIGH This Week

Eclipse KUKSA Databroker 0.5.0-0.6.0 allows privilege escalation from read-only JWT tokens to signal provider registration. Attackers with valid read-scope tokens can hijack the kuksa.val.v2 OpenProviderStream API to inject forged sensor/telemetry data into the vehicle data bus, poisoning downstream automotive systems and applications. CVSS 8.5 (High) reflects high integrity and availability impact across system and subsequent components. No active exploitation confirmed (not in CISA KEV), but the attack complexity is low and requires only low-privilege authentication.

Authentication Bypass Eclipse Kuksa Databroker
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-41433 HIGH PATCH GHSA This Week

OpenTelemetry eBPF Instrumentation versions 0.4.0 through 0.7.x allow local attackers controlling a Java workload to overwrite arbitrary host files via path traversal when Java injection is enabled and the agent runs with elevated privileges. The vulnerability exploits unsafe file creation in the Java agent injection path, where the injector trusts the target process's TMPDIR environment variable and lacks boundary checks, enabling symlink-based file clobbering and filesystem escape. Vendor-released patch available in version 0.8.0. No public exploit identified at time of analysis, but CVSS 8.4 reflects high integrity and availability impact with scope change from container to host.

Java Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-41898 HIGH PATCH GHSA This Week

Buffer overflow in rust-openssl 0.9.24 through 0.10.77 allows remote unauthenticated attackers to trigger memory corruption via crafted PSK (Pre-Shared Key) or cookie callback responses. The FFI trampolines in SslContextBuilder fail to validate closure-returned buffer sizes against allocated memory regions before passing values to OpenSSL, enabling out-of-bounds writes. Patch released in version 0.10.78. SSVC framework indicates no active exploitation detected, non-automatable attack requiring precise timing conditions (CVSS AT:P), with partial technical impact limited to confidentiality breach and minor availability disruption.

Buffer Overflow OpenSSL Rust Openssl
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-41309 HIGH PATCH This Week

Resource exhaustion in Open Source Social Network (OSSN) versions prior to 9.0 allows remote unauthenticated attackers to trigger Denial of Service by uploading specially crafted images with extreme pixel dimensions (e.g., 10000×10000). While the compressed file size appears small, server-side decompression and resizing allocates excessive memory and CPU, crashing or degrading service. EPSS exploitation probability data not available, but the attack vector is straightforward (AV:N/AC:L/PR:N) with publicly documented technical details and fix commit available on GitHub. CVSS 8.2 reflects the easy remote exploitation path despite limited confidentiality impact.

Denial Of Service Opensource Socialnetwork
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-31631 HIGH PATCH This Week

Buffer overread in Linux kernel's rxgk_do_verify_authenticator() function allows remote unauthenticated attackers to trigger information disclosure and high-availability denial of service through network-accessible RxGK authentication handling. The vulnerability stems from improper buffer size validation before nonce verification in the RxRPC subsystem. Patches are available from the Linux kernel stable tree (versions 6.19.13, 6.18.23, and 7.0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC has been identified. Despite the high CVSS base score of 8.2, real-world risk appears limited to environments using RxRPC with RxGK authentication.

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-5364 HIGH This Week

Remote code execution in Drag and Drop File Upload for Contact Form 7 plugin (≤1.1.3) allows unauthenticated attackers to upload arbitrary PHP files via a sanitization bypass vulnerability. The flaw exploits a race condition where file extension validation occurs on unsanitized input while the file saves with a sanitized extension, enabling special characters like '$' to be stripped mid-process. Exploitability is constrained by .htaccess restrictions and filename randomization, reducing real-world risk despite the 8.1 CVSS score. EPSS data not available; no active exploitation or POC publicly confirmed at time of analysis.

PHP WordPress File Upload RCE
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-41316 HIGH PATCH GHSA This Week

Remote code execution in Ruby ERB library via unsafe deserialization allows unauthenticated attackers to execute arbitrary code by exploiting incomplete protection in Marshal.load workflows. While ERB 2.2.0+ added guards to prevent code execution during deserialization in result() and run() methods, the def_module(), def_method(), and def_class() methods remained unprotected, enabling attackers to bypass the @_init safeguard. Exploitation requires high complexity (AV:N/AC:H) as applications must deserialize untrusted Marshal data with ERB loaded. No EPSS or KEV data available; exploitation likelihood depends on prevalence of unsafe Marshal.load patterns in Ruby codebases.

Deserialization RCE Erb
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-41416 HIGH PATCH This Week

Integer overflow in PJSIP 2.16 and earlier enables remote unauthenticated attackers to trigger memory corruption or application crashes via malicious SDP packets with asymmetric ptime values. The vulnerability causes undersized buffer allocation during media stream processing, creating conditions for memory corruption with potential code execution or denial of service. Fixed in version 2.17 with no public exploit identified at time of analysis, though CVSS 8.1 and network attack vector indicate significant risk for internet-facing VoIP/multimedia applications.

Buffer Overflow Integer Overflow Pjproject
NVD GitHub VulDB
CVSS 4.0
8.1
EPSS
0.0%
CVE-2026-41323 HIGH PATCH GHSA This Week

Kyverno's apiCall feature automatically attaches the admission controller's ServiceAccount token to HTTP requests without validating the destination URL, enabling authenticated attackers to exfiltrate tokens to attacker-controlled servers and achieve full cluster compromise through webhook configuration tampering. Affects Kyverno versions prior to 1.18.0-rc1, 1.17.2-rc1, and 1.16.4. Vendor-released patches available across all three affected version branches. EPSS data not provided, but the vulnerability enables privilege escalation from low-privilege Kubernetes user to cluster admin via token theft, representing critical risk in multi-tenant environments.

Information Disclosure Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-31613 HIGH PATCH This Week

Out-of-bounds heap read in Linux kernel SMB client allows malicious SMB servers to leak kernel memory to userspace via crafted symlink error responses. When processing STATUS_STOPPED_ON_SYMLINK errors in SMB 3.1.1, inadequate bounds checking in smb2_check_message() and symlink_data() allows server-controlled ErrorDataLength values to trigger reads beyond buffer boundaries. The leaked heap bytes are UTF-16-decoded into the symlink target and exposed through readlink(2) syscalls (confidentiality impact), with potential for denial-of-service through memory corruption (availability impact). CVSS 8.1 (High) requires user interaction. EPSS score is very low at 0.02% (5th percentile), indicating minimal observed exploitation activity. Patches available in kernel versions 6.18.24, 6.19.14, and 7.0.1.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-23902 HIGH PATCH GHSA This Week

Tenant authorization bypass in Apache DolphinScheduler versions before 3.4.1 allows authenticated low-privilege users to execute workflows using arbitrary tenant configurations not assigned to their account, exposing high confidentiality and integrity risks. The vulnerability (CWE-863: Incorrect Authorization) enables privilege escalation through tenant context manipulation during workflow execution. Despite a CVSS score of 8.1, EPSS probability is low (0.02%, 4th percentile) with no active exploitation confirmed. Vendor patch is available in version 3.4.1.

Authentication Bypass Deserialization Apache
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40912 HIGH PATCH GHSA This Week

Authentication bypass in Traefik's StripPrefixRegex middleware allows unauthenticated remote attackers to access protected resources when combined with ForwardAuth, BasicAuth, or DigestAuth. By inserting a percent-encoded dot (%2e) in the URL prefix, attackers exploit a length mismatch between decoded path matching and encoded path slicing, causing ForwardAuth to receive a dot-segment path (/./admin/secret) that bypasses protection rules while backend servers normalize it to the protected path (/admin/secret). Confirmed with working proof-of-concept against Traefik v3.6.11. Patches released for v2.11.43, v3.6.14, and v3.7.0-rc.2. No CVSS score assigned yet, but meets criteria for high severity given complete authentication bypass with network attack vector requiring no privileges or user interaction.

Docker Java Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-39858 HIGH PATCH GHSA This Week

Authentication bypass in Traefik Proxy's ForwardAuth and snippet-based authentication middleware allows remote unauthenticated attackers to access protected routes by exploiting incomplete header sanitization. Traefik sanitizes canonical forwarded headers (X-Forwarded-Proto) but fails to strip underscore-based aliases (X_Forwarded_Proto). When authentication backends normalize these header variants equivalently, attackers can inject spoofed trust context through alias headers to satisfy authentication checks without valid credentials. Patches released for versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No public exploit identified at time of analysis, though the detailed technical disclosure in the GitHub advisory provides sufficient implementation details for reproduction.

Authentication Bypass Canonical
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-31667 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: Input: uinput - fix circular locking dependency with ff-core A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing ELDEN RING under Wine with a Flydigi Vader 5 controller): ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex The cycle is caused by four lock acquisition paths: 1. ff upload: input_ff_upload() holds ff->mutex and calls uinput_dev_upload_effect() -> uinput_request_submit() -> uinput_request_send(), which acquires udev->mutex. 2. device create: uinput_ioctl_handler() holds udev->mutex and calls uinput_create_device() -> input_register_device(), which acquires input_mutex. 3. device register: input_register_device() holds input_mutex and calls kbd_connect() -> input_register_handle(), which acquires dev->mutex. 4. evdev release: evdev_release() calls input_flush_device() under dev->mutex, which calls input_ff_flush() acquiring ff->mutex. Fix this by introducing a new state_lock spinlock to protect udev->state and udev->dev access in uinput_request_send() instead of acquiring udev->mutex. The function only needs to atomically check device state and queue an input event into the ring buffer via uinput_dev_event() -- both operations are safe under a spinlock (ktime_get_ts64() and wake_up_interruptible() do not sleep). This breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in the lock ordering and cannot form cycles with mutexes. To keep state transitions visible to uinput_request_send(), protect writes to udev->state in uinput_create_device() and uinput_destroy_device() with the same state_lock spinlock. Additionally, move init_completion(&request->done) from uinput_request_send() to uinput_request_submit() before uinput_request_reserve_slot(). Once the slot is allocated, uinput_flush_requests() may call complete() on it at any time from the destroy path, so the completion must be initialised before the request becomes visible. Lock ordering after the fix: ff->mutex -> state_lock (spinlock, leaf) udev->mutex -> state_lock (spinlock, leaf) udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31665 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix use-after-free in timeout object destroy nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data(). Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c. KASAN report: BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0 Read of size 4 at addr ffff8881035fe19c by task exploit/80 Call Trace: nf_conntrack_tcp_packet+0x1381/0x29d0 nf_conntrack_in+0x612/0x8b0 nf_hook_slow+0x70/0x100 __ip_local_out+0x1b2/0x210 tcp_sendmsg_locked+0x722/0x1580 __sys_sendto+0x2d8/0x320 Allocated by task 75: nft_ct_timeout_obj_init+0xf6/0x290 nft_obj_init+0x107/0x1b0 nf_tables_newobj+0x680/0x9c0 nfnetlink_rcv_batch+0xc29/0xe00 Freed by task 26: nft_obj_destroy+0x3f/0xa0 nf_tables_trans_destroy_work+0x51c/0x5c0 process_one_work+0x2c4/0x5a0

Information Disclosure Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31656 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's i915 graphics driver allows authenticated users to trigger a use-after-free condition via a race between the heartbeat worker and intel_engine_park_heartbeat() function when releasing engine heartbeat requests. The vulnerability stems from a non-atomic pointer read-and-clear operation that permits double-free of the same request object, causing refcount underflow and potential arbitrary code execution with elevated privileges. Patches are available across multiple stable kernel branches (5.15.203, 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit or active exploitation has been identified at time of analysis.

Information Disclosure Linux Integer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31566 HIGH PATCH This Week

Use-after-free in Linux kernel AMD GPU driver allows local authenticated users to potentially execute arbitrary code, escalate privileges, or cause denial of service. The amdgpu_amdkfd_submit_ib() function in the AMD KFD (Kernel Fusion Driver) prematurely releases a DMA fence reference before waiting on it, creating a race condition where the fence memory may be freed before use. Vendor-released patches are available for multiple stable kernel branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability is very low at 0.02% (7th percentile), and no public exploit or active exploitation has been identified at time of analysis.

Amd Information Disclosure Linux Memory Corruption Use After Free +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31548 HIGH PATCH This Week

Use-after-free race condition in Linux kernel Wi-Fi cfg80211 subsystem allows local authenticated users to trigger kernel crashes or potentially execute code. When a nl80211 socket closes while a peer measurement (PMSR) request is active, concurrent interface teardown can leave a scheduled work item (pmsr_free_wk) that later invokes the driver's abort callback on already-freed interface structures. EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild. Patches available across all supported kernel branches since commit 9bb7e0f24e7e (introduced in Linux 5.0), with fixes released in stable versions 6.1.167, 6.6.130, 6.12.78, 6.18.20, and 6.19.10.

Denial Of Service Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31666 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref() After commit 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()"), the err and ret variables were merged into a single ret variable. However, when btrfs_next_leaf() returns 0 (success), ret is overwritten from -ENOENT to 0. If the first key in the next leaf does not match (different objectid or type), the function returns 0 instead of -ENOENT, making the caller believe the lookup succeeded when it did not. This can lead to operations on the wrong extent tree item, potentially causing extent tree corruption. Fix this by returning -ENOENT directly when the key does not match, instead of relying on the ret variable.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31648 HIGH PATCH This Week

Race condition in Linux kernel memory management allows local attackers with low privileges to corrupt kernel page state, potentially achieving high-impact denial of service, data corruption, or privilege escalation. The vulnerability affects kernel versions 6.6.x through 7.0-rc3, with patches confirmed released for stable branches 6.6.135, 6.12.82, 6.18.23, 6.19.13, and mainline 7.0. EPSS exploitation probability is low (0.02%, 5th percentile), and no public exploit code or active exploitation has been identified at time of analysis. The CVSS vector (AV:L/AC:L/PR:L/UI:N) indicates local access with low attack complexity, while the specific race condition requires precise timing between file mapping and inode size modification operations.

Denial Of Service Linux Integer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy