Skip to main content
CVE-2026-41414 HIGH This Week

GitHub Actions workflow injection in Skim's CI pipeline allows remote code execution with elevated privileges when any GitHub user opens a pull request from a fork. The vulnerable generate-files job automatically checks out and executes attacker-controlled Rust code (via cargo run) with access to SKIM_RS_BOT_PRIVATE_KEY secret and GITHUB_TOKEN with contents:write permissions, enabling repository compromise. User interaction (maintainer reviewing the PR) is required for context, though the exploit executes automatically on PR creation. Patch available via commit bf63404, no active exploitation confirmed at time of analysis.

Code Injection RCE Skim
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-31569 HIGH PATCH This Week

Out-of-bounds memory access in Linux Kernel's KVM subsystem for LoongArch architecture allows local authenticated attackers with low privileges to read limited kernel memory and cause system crashes. The vulnerability stems from improper handling of empty EIOINTC coremap values in eiointc_update_sw_coremap(), resulting in invalid array indexing into kvm_arch::phyid_map::phys_map[]. While CVSS rates this 7.3 HIGH, the EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation activity. No active exploitation (not in CISA KEV) or public POC has been identified. Vendor patches are available across multiple stable kernel branches (6.18.21, 6.19.11, 7.0, and mainline).

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-6968 HIGH PATCH NEWS This Week

Path traversal vulnerabilities in AWS Tough (a Rust TUF client library) versions prior to 0.22.0 enable authenticated users with delegated signing privileges to write arbitrary files outside intended repository directories, bypassing incomplete fixes from previous security patches. The flaws exist in three distinct code paths: absolute target names in copy_target/link_target operations, symlinked parent directories in save_target, and symlinked metadata filenames in SignedRole::write. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0 that implement post-resolution path containment verification. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 7.1 HIGH reflects significant integrity impact when exploited.

Path Traversal Tough Tuftool
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-41427 HIGH POC PATCH GHSA This Week

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted - any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5.

Authentication Bypass Better Auth Oauth Provider
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41894 HIGH PATCH GHSA This Week

Directory traversal in SiYuan personal knowledge management system allows authenticated attackers to read arbitrary workspace files via double URL encoding bypass. The vulnerability stems from an incomplete fix for CVE-2026-30869 that added only denylist validation without removing a redundant url.PathUnescape() call in serveExport(). Attackers can use %252e%252e encoding to access sensitive files including the complete SQLite database (siyuan.db), kernel logs, and all user documents. EPSS data not available for this recent CVE; publicly available exploit code exists (GitHub commit demonstrates exploitation technique).

Path Traversal Siyuan
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41325 HIGH PATCH GHSA This Week

Authenticated users in Kirby CMS can bypass permission controls to create unauthorized pages, files, and users by injecting malicious blueprint configuration during model creation. Versions prior to 4.9.0 and 5.4.0 fail to sanitize the 'blueprint' property in creation requests, allowing attackers with low-privilege accounts to override developer-defined authorization policies by setting 'create' => true in dynamic options. Patches are available in Kirby 4.9.0 and 5.4.0, which implement filtering of blueprint properties during normalization.

Authentication Bypass Kirby
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-6967 HIGH PATCH GHSA This Week

Metadata integrity bypass in AWS tough (TUF client library) before v0.22.0 allows authenticated users with delegated signing authority to poison local metadata caches by bypassing expiration, hash, and length validation checks. The vulnerability exists because load_delegations skips specification-mandated integrity checks applied to top-level targets metadata, enabling malicious delegated signers to inject invalid metadata. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0. CVSS 7.1 reflects network vector but high attack complexity (AT:P indicates specialized conditions). No public exploit or active exploitation confirmed at time of analysis, though authentication bypass tag suggests significant trust boundary violation.

Authentication Bypass Tough Tuftool
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41432 HIGH PATCH GHSA This Week

Attackers can forge Stripe webhook events to obtain unlimited API quota without payment in QuantumNous new-api (Go package github.com/QuantumNous/new-api). The vulnerability exploits an empty default webhook secret that allows HMAC signature forgery, missing payment status validation, and cross-gateway order fulfillment logic that permits completing orders created through any payment provider (Epay, Creem, Waffo) via fabricated Stripe callbacks. Virtually all deployments with any payment method enabled are vulnerable in default configuration. Fixed in version 0.12.10. No public exploit code identified at time of analysis, but the detailed advisory includes a proof-of-concept pseudocode demonstrating the attack chain. CVSS 7.1 (High) with low attack complexity and low privileges required indicates practical exploitation risk for deployed instances.

Google Nginx Python RCE
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31626 HIGH PATCH This Week

Uninitialized memory read in Linux kernel's rtl8723bs Wi-Fi driver allows adjacent network attackers to cause denial of service or potentially corrupt integrity through malformed BIP (Broadcast/Multicast Integrity Protocol) frames. The vulnerability affects the staging rtl8723bs driver where only 6 bytes are copied into an 8-byte variable during BIP verification, leaving 2 bytes uninitialized. Patches available across multiple stable kernel versions (6.12.83, 6.18.24, 6.19.14, 7.0.1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. Not listed in CISA KEV, and no public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31614 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.

Buffer Overflow Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31568 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: s390/mm: Add missing secure storage access fixups for donated memory There are special cases where secure storage access exceptions happen in a kernel context for pages that don't have the PG_arch_1 bit set. That bit is set for non-exported guest secure storage (memory) but is absent on storage donated to the Ultravisor since the kernel isn't allowed to export donated pages. Prior to this patch we would try to export the page by calling arch_make_folio_accessible() which would instantly return since the arch bit is absent signifying that the page was already exported and no further action is necessary. This leads to secure storage access exception loops which can never be resolved. With this patch we unconditionally try to export and if that fails we fixup.

Buffer Overflow Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-6966 HIGH PATCH GHSA This Week

Signature duplication in AWS Tough TUF client prior to v0.22.0 allows authenticated attackers to bypass threshold signature requirements for delegated role metadata by reusing a single valid signature multiple times. The flaw undermines TUF's multi-signature integrity model, enabling acceptance of forged metadata with reduced cryptographic validation. Vendor patch available (tough-v0.22.0, tuftool-v0.15.0). No public exploit code or active exploitation confirmed at time of analysis, but CVSS 7.0 reflects high integrity impact to both vulnerable and downstream systems.

Jwt Attack Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy