Skip to main content
CVE-2026-31663 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn. For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31652 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: mm/damon/stat: deallocate damon_call() failure leaking damon_ctx damon_stat_start() always allocates the module's damon_ctx object (damon_stat_context). Meanwhile, if damon_call() in the function fails, the damon_ctx object is not deallocated. Hence, if the damon_call() is failed, and the user writes Y to “enabled” again, the previously allocated damon_ctx object is leaked. This cannot simply be fixed by deallocating the damon_ctx object when damon_call() fails. That's because damon_call() failure doesn't guarantee the kdamond main function, which accesses the damon_ctx object, is completely finished. In other words, if damon_stat_start() deallocates the damon_ctx object after damon_call() failure, the not-yet-terminated kdamond could access the freed memory (use-after-free). Fix the leak while avoiding the use-after-free by keeping returning damon_stat_start() without deallocating the damon_ctx object after damon_call() failure, but deallocating it when the function is invoked again and the kdamond is completely terminated. If the kdamond is not yet terminated, simply return -EAGAIN, as the kdamond will soon be terminated. The issue was discovered [1] by sashiko.

Memory Corruption Use After Free Information Disclosure Linux Red Hat +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31650 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix use-after-free on disconnect The vub300 driver maintains an explicit reference count for the controller and its driver data and the last reference can in theory be dropped after the driver has been unbound. This specifically means that the controller allocation must not be device managed as that can lead to use-after-free. Note that the lifetime is currently also incorrectly tied the parent USB device rather than interface, which can lead to memory leaks if the driver is unbound without its device being physically disconnected (e.g. on probe deferral). Fix both issues by reverting to non-managed allocation of the controller.

Memory Corruption Use After Free Information Disclosure Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31641 HIGH PATCH This Week

Heap buffer overflow in Linux kernel rxrpc subsystem allows local authenticated users to trigger memory corruption via crafted RxGK tokens. Exploitable through unprivileged add_key() system call when raw key/ticket lengths >= 0xfffffffd cause integer wraparound in round_up(), bypassing bounds checks while memcpy() copies up to 4 GiB into zero-sized heap allocation. Vendor patches available for stable branches 6.18.23, 6.19.13, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite local privilege escalation potential with CVSS 7.8.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31630 HIGH PATCH This Week

Buffer overflow in Linux kernel's AF_RXRPC procfs address formatting allows local authenticated users to corrupt memory and potentially escalate privileges. The vulnerability affects rxrpc proc handlers that write IPv6 socket addresses into 50-byte stack buffers, but ISATAP-format IPv6 addresses with ports can require 51 bytes, causing single-byte overflow. EPSS exploitation probability is low (0.02%, 4th percentile), and patches are available from kernel.org for versions 6.18.23, 6.19.13, and mainline 7.0. No active exploitation confirmed (not in CISA KEV), and CVSS 7.8 reflects local-only attack vector requiring authenticated access.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31541 HIGH PATCH This Week

Use-after-free in Linux kernel tracing subsystem allows local authenticated attackers to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability occurs when deleting tracing instances with copy_trace_marker enabled, where improper RCU synchronization leaves freed memory accessible. Exploitation requires local access with low privileges to manipulate kernel tracing facilities. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel versions (6.18.20, 6.19.10, 7.0).

Memory Corruption Use After Free Information Disclosure Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-41477 HIGH This Week

Local privilege escalation in Deskflow (all versions up to 1.20.0 stable and 1.26.0.134 continuous) allows any low-privilege Windows user to execute arbitrary commands as SYSTEM by accessing an unauthenticated IPC named pipe. The daemon runs with SYSTEM privileges and processes commands without validating caller identity due to WorldAccessOption configuration. No public exploit identified at time of analysis, but the attack vector is straightforward for local users with basic Windows IPC knowledge.

Authentication Bypass Suse
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-35051 HIGH PATCH GHSA This Week

Authentication bypass in Traefik's ForwardAuth middleware allows remote attackers to spoof the X-Forwarded-Prefix header and gain unauthorized access to protected backend routes when deployed behind trusted upstream proxies. Despite trustForwardHeader=false configuration, Traefik fails to sanitize attacker-controlled X-Forwarded-Prefix values in authentication subrequests, enabling attackers to impersonate trusted path prefixes (e.g., /admin) and bypass authorization checks in the authentication service. The vulnerability affects Traefik v2.x and v3.x series and is confirmed patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No KEV listing or EPSS data available at time of analysis, but a detailed proof-of-concept with complete Docker reproduction environment is publicly available in the GitHub advisory, significantly lowering exploitation complexity for attackers.

Docker Nginx Authentication Bypass Python
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-42171 HIGH PATCH This Week

NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).

Information Disclosure Nullsoft Scriptable Install System
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40068 HIGH PATCH GHSA This Week

Claude Code's trust bypass vulnerability allows execution of malicious hooks through manipulated git worktree configuration files. Attackers who can trick victims into cloning a crafted repository can bypass the folder trust dialog by pointing the `commondir` file to a previously-trusted path, enabling immediate execution of arbitrary code via `.claude/settings.json` hooks. The attack requires the attacker to know or correctly guess a path the victim has already trusted, limiting exploitation to targeted scenarios. Auto-update users have already received the patch; manual installation users should upgrade immediately.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-33077 HIGH PATCH This Week

Arbitrary file read in Roxy-WI versions before 8.2.6.4 allows unauthenticated remote attackers to access sensitive files on the server via path traversal in the oldconfig parameter of the haproxy_section_save interface. This CVSS:4.0 vector indicates zero attack complexity and no prerequisites, enabling trivial exploitation to exfiltrate configuration files, credentials, or private keys. GitHub Security Advisory confirms the vulnerability with proof-of-concept exploitation status (E:P), representing immediate risk for exposed Roxy-WI management interfaces.

Nginx Apache Path Traversal
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-41485 HIGH PATCH GHSA This Week

A type assertion bug in Kyverno's forEach mutation handler crashes the cluster-wide background controller into CrashLoopBackOff and blocks admission controller operations, causing denial of service for policy-matched resources. Any authenticated user with Policy or ClusterPolicy creation permissions can trigger the crash by creating a malformed policy. The vulnerability affects Kyverno versions prior to 1.17.2 and 1.16.4, is limited to the legacy policy engine (CEL-based policies unaffected), and persists until the malicious policy is deleted. Vendor-released patches available with confirmed fix commits on GitHub.

Denial Of Service Suse
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-41068 HIGH PATCH GHSA This Week

Cross-namespace privilege escalation in Kyverno 1.17.x allows authenticated namespace administrators to bypass RBAC controls and read ConfigMaps from any Kubernetes namespace. The vulnerability exploits unvalidated `configMap.namespace` field in Kyverno's ConfigMap context loader, enabling attackers to leverage Kyverno's privileged service account permissions. This is a regression following incomplete fix for CVE-2026-22039, which addressed the same issue in `apiCall` context but missed the ConfigMap loader. Patch available in version 1.17.2. CVSS 7.7 with Changed Scope indicates significant multi-tenant cluster risk; EPSS data not available but the regression nature and RBAC bypass impact warrant immediate patching in multi-tenant environments.

Kubernetes Authentication Bypass Privilege Escalation Suse
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-31952 HIGH PATCH This Week

SQL injection in Xibo CMS versions 1.7 through 4.4.0 allows authenticated users with DataSet or Layout access privileges to extract and modify arbitrary database contents via crafted API filter parameters. The vulnerability affects a widely-deployed open source digital signage platform and has been addressed in version 4.4.1, with patches retroactively provided for out-of-support versions (3.3, 2.3, 1.8) indicating vendor awareness of active deployments on legacy versions. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with the broad version range (nearly 7 years of releases) suggest significant exposure across installations.

Microsoft SQLi
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-41419 HIGH PATCH This Week

Path traversal in 4ga Boards before 3.3.5 allows authenticated users with board import privileges to force the server to read and expose arbitrary local files as board attachments during BOARDS archive import. Attackers can then download sensitive host files (configuration files, credentials, application source code) through the normal download interface. CVSS score of 7.6 reflects high confidentiality impact with low integrity/availability impact. No public exploit code or active exploitation confirmed at time of analysis, though the attack technique is straightforward for authenticated insiders.

Path Traversal 4Gaboards
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-33662 HIGH This Week

Integer overflow in OP-TEE OS RSA signature encoding crashes the Trusted Execution Environment on platforms with RSA hardware acceleration. Affects versions 3.8.0 through 4.10 when attackers supply cryptographic operations with deliberately undersized RSA moduli, causing memset() to overwrite memory until the TEE crashes. This denial-of-service attack requires no authentication and can be triggered remotely (CVSS AV:N/PR:N), completely disabling the secure-world environment that protects cryptographic keys, biometric data, and DRM operations on affected Arm TrustZone systems. EPSS data not available; no active exploitation confirmed at time of analysis.

Denial Of Service Integer Overflow Linux
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33666 HIGH This Week

Integer overflow in Zserio serialization framework versions before 2.18.1 enables remote denial of service via network-accessible deserialization endpoints. Attackers can send crafted serialized data that triggers arithmetic overflow in BitStreamReader's setBitPosition() bounds check, causing the parser to read 512 MB from a buffer only a few bytes long and crash the process with segmentation fault. EPSS data not available, no active exploitation confirmed, but remote unauthenticated attack vector (CVSS AV:N/PR:N) makes this immediately exploitable against any application accepting untrusted Zserio-serialized input over network interfaces.

Buffer Overflow Integer Overflow Zserio
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33524 HIGH PATCH GHSA This Week

Unbounded memory allocation in Eclipse zserio serialization framework allows remote attackers to trigger system crashes via crafted payloads as small as 4-5 bytes, forcing allocations up to 16 GB and causing out-of-memory errors. Affects both C++ and Java runtimes used in Navigation Data Standard (NDS) implementations deployed across millions of vehicles from Toyota, BMW, Volkswagen, Mercedes-Benz, and 39 other automotive manufacturers. Vendor-released patch available in zserio v2.18.1, addressing unchecked length parameters in Array.h, BitStreamReader.h, and Java runtime equivalents. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation without authentication.

Docker Java Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41324 HIGH PATCH GHSA This Week

Denial of service in basic-ftp for Node.js allows remote malicious FTP servers to crash client applications via unbounded memory consumption during directory listing operations. Attackers controlling or compromising an FTP server can send infinite or extremely large listing responses to Client.list() calls, exhausting client memory until process termination. Unauthenticated network attack with low complexity (CVSS:3.1 AV:N/AC:L/PR:N). No public exploit identified at time of analysis, though attack concept is straightforward for anyone operating a malicious FTP server.

Node.js Denial Of Service Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41311 HIGH PATCH GHSA This Week

Infinite recursion in LiquidJS template engine crashes Node.js processes via out-of-memory condition when attackers submit templates with circular block references. Unauthenticated remote attackers can consume ~4GB RAM and terminate any application accepting user-provided Liquid templates by nesting identically-named blocks within `{% layout %}` / `{% block %}` tags. Vendor patch available via GitHub commit e2311df. CVSS 7.5 (High) reflects network-accessible, low-complexity attack requiring no privileges or user interaction, causing complete availability loss.

Node.js Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31662 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements bc_ackers on every inbound group ACK, even when the same member has already acknowledged the current broadcast round. Because bc_ackers is a u16, a duplicate ACK received after the last legitimate ACK wraps the counter to 65535. Once wrapped, tipc_group_bc_cong() keeps reporting congestion and later group broadcasts on the affected socket stay blocked until the group is recreated. Fix this by ignoring duplicate or stale ACKs before touching bc_acked or bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and prevents the underflow path.

Information Disclosure Linux Integer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31563 HIGH PATCH This Week

Memory management flaw in Linux kernel's Cadence macb network driver causes kernel warning and potential denial of service. Specifically affects the macb Ethernet driver on ARM64 ZynqMP platforms (kernel versions 6.1+ containing commit 6bc8a5098bf4). The vulnerability stems from calling napi_consume_skb() with IRQs disabled during TX packet cleanup, violating kernel API contracts and potentially causing system instability under network load. EPSS exploitation probability is very low (0.02%, 7th percentile) with vendor-released patches available across all stable kernel branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). No active exploitation or public exploit code identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31552 HIGH PATCH This Week

Denial of service via CPU soft lockup in Linux kernel's wlcore Wi-Fi driver (versions 5.10 through 7.0) occurs when memory allocation fails during wireless frame transmission. Incorrect error code return (-EAGAIN instead of -ENOMEM) triggers infinite retry loop while holding critical mutex, causing system unresponsiveness. Vendor-released patches available across all affected stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0). CVSS 7.5 (High) reflects network attack vector with no authentication required, though EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis.

Denial Of Service Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31638 HIGH PATCH This Week

Null pointer dereference in Linux kernel rxrpc subsystem allows remote network attackers to crash the system by sending malformed packets to a client-side connection after a call has been torn down. The flaw affects Linux kernel versions 6.2 onward where the rxrpc client code unconditionally releases a call reference that was never acquired, converting a protocol error into a kernel panic. Vendor patches are available across stable branches (6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile) and no public exploit has been identified at time of analysis.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31612 HIGH PATCH This Week

Information disclosure in Linux kernel's ksmbd SMB server allows remote unauthenticated attackers to leak uninitialized heap memory via malformed SMB2 requests. The vulnerability exists in smb2_get_ea() which fails to validate EaNameLength from client requests before using it in strncmp(), enabling heap content extraction. With EPSS score of 0.02% and no KEV listing, exploitation likelihood remains low despite CVSS 7.5 rating. Patches available across kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31598 HIGH PATCH This Week

Kernel deadlock in Linux OCFS2 filesystem allows remote denial of service through lock ordering violation between unlink and direct I/O operations. OCFS2's orphan directory locking in ocfs2_unlink and ocfs2_dio_end_io_write acquire ip_alloc_sem and inode_lock in opposite orders (ABBA pattern), enabling concurrent operations to deadlock the system. Affects mainline Linux kernel through 6.19.14 with patches available in 6.12.83, 6.18.24, 7.0.1, and 6.19.14. EPSS score of 0.02% suggests minimal real-world exploitation likelihood despite CVSS 7.5 score, and no active exploitation or public POC identified.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31557 HIGH PATCH This Week

A workqueue deadlock in Linux kernel NVMe-over-Fabrics target (nvmet) allows remote denial of service via recursive locking during controller disconnect. The nvmet subsystem's async event handler can trigger reentrant workqueue completion when nvmet_ctrl_free() flushes work on the same queue (nvmet-wq) that invoked it, causing a lockdep-detected recursive lock scenario. EPSS score of 0.02% indicates very low probability of exploitation in the wild. Patches available for kernel versions 6.12.80, 6.18.21, 6.19.11, and mainline 7.0 via upstream commits.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31640 HIGH PATCH This Week

Linux kernel rxrpc subsystem allows remote denial of service via malformed RESP challenge packets due to incorrect serial number comparison logic. The rxrpc_post_response() function compares challenge serial numbers from the wrong packet structure, causing response queue corruption that can crash the kernel networking stack. This affects Linux kernel versions containing commit 5800b1cf3fd8 through the 6.16-6.19 and 7.0 series. Patches are available from kernel.org for affected stable branches. EPSS exploitation probability is very low (0.02%, 4th percentile) and no public exploits or active exploitation have been identified, suggesting limited real-world risk despite the network-accessible attack vector.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31635 HIGH POC PATCH This Week

Remote denial of service in Linux kernel rxrpc subsystem allows unauthenticated network attackers to trigger kernel crash via malformed rxgk RESPONSE packets. An inverted length check in rxgk_verify_response() accepts oversized authenticators, causing skb_to_sgvec() to hit BUG_ON() and panic the kernel. EPSS exploitation probability is very low (0.02%, 4th percentile), no active exploitation confirmed, and patches are available across stable kernel branches 6.18.23, 6.19.13, and 7.0.

Information Disclosure Linux
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31539 HIGH PATCH This Week

Race condition in Linux kernel SMB Direct receive credit management allows remote denial of service against SMB3 network storage services. The flaw enables remote unauthenticated attackers to exhaust receive buffer credits through timing exploitation of the gap between hardware packet reception and completion processing, causing service disruption. EPSS exploitation probability is low (0.02%, 4th percentile), and patches are available from kernel.org for versions 6.18.x, 6.19.x, and 7.0. This affects only systems using SMB Direct (RDMA-enabled SMB3), not standard SMB implementations.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31538 HIGH PATCH This Week

Denial of service in Linux kernel SMB server (ksmbd) affects versions 6.18 through 7.0-rc via race condition in SMBDirect receive credit management. Remote unauthenticated attackers can trigger resource exhaustion through crafted SMB packets exploiting the window between hardware reception and completion processing. Vendor patches released for stable branches 6.18.11, 6.19.1, and mainline 7.0. Low EPSS score (0.02%) indicates limited exploitation interest despite network attack vector and no authentication requirement.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21728 HIGH PATCH GHSA This Week

Denial of service in Grafana Tempo allows unauthenticated remote attackers to exhaust server memory by sending trace queries with excessively large result limits. The vulnerability causes unbounded memory allocation during query processing, degrading or halting service availability depending on deployment resources. EPSS data not available; no CISA KEV listing or public exploit identified at time of analysis. Mitigation available through configuration change rather than software patch.

Denial Of Service Tempo
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31600 HIGH PATCH This Week

Kernel panic in Linux arm64 memory management causes system crash when handling invalid large leaf page table mappings during DMA bounce buffer operations. ARM64 systems running Linux 7.0-rc4 and earlier (specifically kernels with commit a166563e7ec37 that introduced large block mapping support) crash with translation faults when components like SWIOTLB, secretmem, kfence, or realm DMA attempt to invalidate large leaf mappings. Exploitation requires no special privileges as this is triggered by normal kernel operations during boot or DMA activity. Vendor patches available across stable branches (6.18.24, 6.19.14, 7.0.1). EPSS score is 1st percentile (0.01%) indicating extremely low observed exploitation probability, consistent with this being an availability issue requiring specific ARM64 hardware configurations rather than a remotely exploitable vulnerability.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-39816 HIGH PATCH GHSA This Week

Apache NiFi TinkerpopClientService allows authenticated high-privilege users to execute arbitrary code without proper permission validation. The service fails to enforce required Execute Code permissions, enabling privilege escalation within the NiFi environment. While CVSS scores this at 7.5 (High), real-world risk requires authenticated high-privilege access (PR:H), significantly limiting the attack surface to compromised admin accounts or malicious insiders. No public exploit code has been identified, and CISA KEV does not list this vulnerability, suggesting no confirmed active exploitation at time of disclosure.

Authentication Bypass Apache Deserialization
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-33208 HIGH PATCH This Week

Command injection in Roxy-WI versions prior to 8.2.6.4 enables authenticated attackers to execute arbitrary OS commands with sudo privileges on managed servers. The vulnerability stems from unsanitized input in the /config/<service>/find-in-config endpoint that breaks out of grep command context during remote SSH execution. A proof-of-concept exploit exists (CVSS E:P), and the CVSS 4.0 score of 7.4 reflects network-based attack with low complexity requiring only low-privilege authentication. Vendor-released patch 8.2.6.4 available via GitHub commit 02f147d.

RCE Nginx Command Injection Apache
NVD GitHub
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-41476 HIGH PATCH This Week

Out-of-bounds memory read in Deskflow's clipboard deserialization allows authenticated remote peers to crash the application or potentially leak memory contents. The vulnerability affects versions prior to 1.26.0.138 and stems from insufficient validation of clipboard data structure during network transfer between connected machines. A malicious peer on the shared keyboard/mouse network can exploit this by sending specially crafted clipboard updates. CVSS 7.4 reflects network-based attack with low complexity requiring authenticated peer connection. No public exploit identified at time of analysis, though proof-of-concept code exists (CVSS E:P).

Buffer Overflow Deserialization Suse
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-42035 HIGH POC PATCH GHSA This Week

Prototype pollution in Axios 1.x (prior to 1.15.1) and 0.x (prior to 0.31.1) enables HTTP header injection attacks when any dependency in the application pollutes Object.prototype with specific properties (getHeaders, append, pipe, on, once, Symbol.toStringTag). Attackers exploit the HTTP adapter's duck-type checking to inject arbitrary headers into outbound HTTP requests, potentially leading to authentication bypass, session hijacking, or cache poisoning. EPSS data unavailable; no confirmed active exploitation (CISA KEV) at time of analysis. Publicly available exploit code exists per vendor advisory GHSA-6chq-wfr3-2hj9.

Node.js RCE Red Hat
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-41414 HIGH This Week

GitHub Actions workflow injection in Skim's CI pipeline allows remote code execution with elevated privileges when any GitHub user opens a pull request from a fork. The vulnerable generate-files job automatically checks out and executes attacker-controlled Rust code (via cargo run) with access to SKIM_RS_BOT_PRIVATE_KEY secret and GITHUB_TOKEN with contents:write permissions, enabling repository compromise. User interaction (maintainer reviewing the PR) is required for context, though the exploit executes automatically on PR creation. Patch available via commit bf63404, no active exploitation confirmed at time of analysis.

Code Injection RCE Skim
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-31569 HIGH PATCH This Week

Out-of-bounds memory access in Linux Kernel's KVM subsystem for LoongArch architecture allows local authenticated attackers with low privileges to read limited kernel memory and cause system crashes. The vulnerability stems from improper handling of empty EIOINTC coremap values in eiointc_update_sw_coremap(), resulting in invalid array indexing into kvm_arch::phyid_map::phys_map[]. While CVSS rates this 7.3 HIGH, the EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation activity. No active exploitation (not in CISA KEV) or public POC has been identified. Vendor patches are available across multiple stable kernel branches (6.18.21, 6.19.11, 7.0, and mainline).

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-6968 HIGH PATCH NEWS This Week

Path traversal vulnerabilities in AWS Tough (a Rust TUF client library) versions prior to 0.22.0 enable authenticated users with delegated signing privileges to write arbitrary files outside intended repository directories, bypassing incomplete fixes from previous security patches. The flaws exist in three distinct code paths: absolute target names in copy_target/link_target operations, symlinked parent directories in save_target, and symlinked metadata filenames in SignedRole::write. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0 that implement post-resolution path containment verification. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 7.1 HIGH reflects significant integrity impact when exploited.

Path Traversal Tough Tuftool
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-41427 HIGH POC PATCH GHSA This Week

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted - any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5.

Authentication Bypass Better Auth Oauth Provider
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41894 HIGH PATCH GHSA This Week

Directory traversal in SiYuan personal knowledge management system allows authenticated attackers to read arbitrary workspace files via double URL encoding bypass. The vulnerability stems from an incomplete fix for CVE-2026-30869 that added only denylist validation without removing a redundant url.PathUnescape() call in serveExport(). Attackers can use %252e%252e encoding to access sensitive files including the complete SQLite database (siyuan.db), kernel logs, and all user documents. EPSS data not available for this recent CVE; publicly available exploit code exists (GitHub commit demonstrates exploitation technique).

Path Traversal Siyuan
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41325 HIGH PATCH GHSA This Week

Authenticated users in Kirby CMS can bypass permission controls to create unauthorized pages, files, and users by injecting malicious blueprint configuration during model creation. Versions prior to 4.9.0 and 5.4.0 fail to sanitize the 'blueprint' property in creation requests, allowing attackers with low-privilege accounts to override developer-defined authorization policies by setting 'create' => true in dynamic options. Patches are available in Kirby 4.9.0 and 5.4.0, which implement filtering of blueprint properties during normalization.

Authentication Bypass Kirby
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-6967 HIGH PATCH GHSA This Week

Metadata integrity bypass in AWS tough (TUF client library) before v0.22.0 allows authenticated users with delegated signing authority to poison local metadata caches by bypassing expiration, hash, and length validation checks. The vulnerability exists because load_delegations skips specification-mandated integrity checks applied to top-level targets metadata, enabling malicious delegated signers to inject invalid metadata. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0. CVSS 7.1 reflects network vector but high attack complexity (AT:P indicates specialized conditions). No public exploit or active exploitation confirmed at time of analysis, though authentication bypass tag suggests significant trust boundary violation.

Authentication Bypass Tough Tuftool
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41432 HIGH PATCH GHSA This Week

Attackers can forge Stripe webhook events to obtain unlimited API quota without payment in QuantumNous new-api (Go package github.com/QuantumNous/new-api). The vulnerability exploits an empty default webhook secret that allows HMAC signature forgery, missing payment status validation, and cross-gateway order fulfillment logic that permits completing orders created through any payment provider (Epay, Creem, Waffo) via fabricated Stripe callbacks. Virtually all deployments with any payment method enabled are vulnerable in default configuration. Fixed in version 0.12.10. No public exploit code identified at time of analysis, but the detailed advisory includes a proof-of-concept pseudocode demonstrating the attack chain. CVSS 7.1 (High) with low attack complexity and low privileges required indicates practical exploitation risk for deployed instances.

Google Nginx Python RCE
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31626 HIGH PATCH This Week

Uninitialized memory read in Linux kernel's rtl8723bs Wi-Fi driver allows adjacent network attackers to cause denial of service or potentially corrupt integrity through malformed BIP (Broadcast/Multicast Integrity Protocol) frames. The vulnerability affects the staging rtl8723bs driver where only 6 bytes are copied into an 8-byte variable during BIP verification, leaving 2 bytes uninitialized. Patches available across multiple stable kernel versions (6.12.83, 6.18.24, 6.19.14, 7.0.1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. Not listed in CISA KEV, and no public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31614 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.

Buffer Overflow Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31568 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: s390/mm: Add missing secure storage access fixups for donated memory There are special cases where secure storage access exceptions happen in a kernel context for pages that don't have the PG_arch_1 bit set. That bit is set for non-exported guest secure storage (memory) but is absent on storage donated to the Ultravisor since the kernel isn't allowed to export donated pages. Prior to this patch we would try to export the page by calling arch_make_folio_accessible() which would instantly return since the arch bit is absent signifying that the page was already exported and no further action is necessary. This leads to secure storage access exception loops which can never be resolved. With this patch we unconditionally try to export and if that fails we fixup.

Buffer Overflow Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-6966 HIGH PATCH GHSA This Week

Signature duplication in AWS Tough TUF client prior to v0.22.0 allows authenticated attackers to bypass threshold signature requirements for delegated role metadata by reusing a single valid signature multiple times. The flaw undermines TUF's multi-signature integrity model, enabling acceptance of forged metadata with reduced cryptographic validation. Vendor patch available (tough-v0.22.0, tuftool-v0.15.0). No public exploit code or active exploitation confirmed at time of analysis, but CVSS 7.0 reflects high integrity impact to both vulnerable and downstream systems.

Jwt Attack Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-1789 MEDIUM This Month

Information disclosure in Canon production printers and office/small office multifunction printers allows authenticated administrators to access sensitive device information through crafted requests to the browser-based remote management interface. The vulnerability affects multiple printer models and requires high-privilege administrative access; no active exploitation has been confirmed at time of analysis, though the remote network vector and low attack complexity indicate practical exploitability by privileged internal users.

Information Disclosure Microsoft
NVD
CVSS 4.0
6.9
EPSS
0.0%
Prev Page 3 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy