44 CVEs tracked today. 3 Critical, 13 High, 12 Medium, 16 Low.
-
CVE-2026-41571
CRITICAL
CVSS 9.4
Remote authentication bypass in note-mark backend allows unauthenticated attackers to hijack OIDC user accounts by submitting the password 'null' to the internal login endpoint. Affected deployments running the default configuration (EnableInternalLogin=true) with OIDC enabled permit complete account takeover of any OIDC-registered user. Attackers gain full access to private notebooks, markdown content, and uploaded assets, and can persist access by overwriting the victim's password. Vendor patch available in commit dea5530c. CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) reflects the zero-interaction remote attack against default installations. No EPSS or KEV data available, but the detailed POC script in the advisory significantly lowers the exploitation barrier.
Authentication Bypass
Docker
-
CVE-2026-31685
CRITICAL
CVSS 9.4
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_eui64: reject invalid MAC header for all packets
`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.
The existing guard only re...
Information Disclosure
Linux
-
CVE-2026-31682
CRITICAL
CVSS 9.1
In the Linux kernel, the following vulnerability has been resolved:
bridge: br_nd_send: linearize skb before parsing ND options
br_nd_send() parses neighbour discovery options from ns->opt[] and
assumes that these options are in the linear part of request.
Its callers only guarantee that the ICMP...
Information Disclosure
Linux
-
CVE-2026-41520
HIGH
CVSS 7.9
WireGuard private keys leak through Cilium debugging tools in deployments using transparent encryption. Cilium's cilium-bugtool and cilium sysdump commands expose the node-to-node WireGuard encryption private key (cilium_wg0.key) in output archives. Attackers with high-privilege local access to these diagnostic outputs can decrypt past and future inter-node traffic. Affects all Cilium versions prior to v1.17.15, v1.18.0-v1.18.8, and v1.19.0-v1.19.2. Patches released in v1.17.15, v1.18.9, and v1.19.3. No public exploit identified at time of analysis, but exploitation requires only access to previously shared bugtool/sysdump archives.
Information Disclosure
-
CVE-2026-41163
HIGH
CVSS 8.7
Privilege escalation in bubblewrap 0.11.x when installed setuid root allows local attackers to escape sandbox isolation via ptrace attachment during low-privileged setup phases. The vendor confirmed active exploitation risk by releasing emergency v0.11.2 patch and immediately deprecating setuid mode entirely. CVSS 8.7 severity reflects high integrity impact from sandbox breakout, though exploitation requires local access to a setuid-configured bubblewrap binary (non-default in most distributions).
Privilege Escalation
-
CVE-2026-31683
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: avoid OGM aggregation when skb tailroom is insufficient
When OGM aggregation state is toggled at runtime, an existing forwarded
packet may have been allocated with only packet_len bytes, while a later
packet can still ...
Buffer Overflow
Linux
-
CVE-2026-31680
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: flowlabel: defer exclusive option free until RCU teardown
`ip6fl_seq_show()` walks the global flowlabel hash under the seq-file
RCU read-side lock and prints `fl->opt->opt_nflen` when an option block
is present.
Exclus...
Denial Of Service
Linux
-
CVE-2026-31679
HIGH
CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: validate MPLS set/set_masked payload length
validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for
SET/SET_MASKED actions. In action handling, OVS expects fixed-size
MPLS key data (struct ovs_key_mpls...
Information Disclosure
Linux
-
CVE-2026-31678
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: defer tunnel netdev_put to RCU release
ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already
detached the device. Dropping the netdev reference in destroy can race
with concurrent readers that still obse...
Information Disclosure
Linux
-
CVE-2026-31676
HIGH
CVSS 7.5
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: only handle RESPONSE during service challenge
Only process RESPONSE packets while the service connection is still in
RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before
running response verification and...
Information Disclosure
Linux
-
CVE-2026-31675
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_netem: fix out-of-bounds access in packet corruption
In netem_enqueue(), the packet corruption logic uses
get_random_u32_below(skb_headlen(skb)) to select an index for
modifying skb->data. When an AF_PACKET TX_RING ...
Buffer Overflow
Information Disclosure
Linux
-
CVE-2026-31674
HIGH
CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.
rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].
Validate addrnr during rule installation...
Information Disclosure
Linux
-
CVE-2026-31673
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
af_unix: read UNIX_DIAG_VFS data under unix_state_lock
Exact UNIX diag lookups hold a reference to the socket, but not to
u->path. Meanwhile, unix_release_sock() clears u->path under
unix_state_lock() and drops the path reference ...
Information Disclosure
Linux
-
CVE-2026-6992
HIGH
CVSS 7.3
OS command injection in Linksys MR9600 router firmware 2.0.6.206937 allows authenticated administrators to execute arbitrary system commands via a crafted 'pin' parameter to the BTRequestGetSmartConnectStatus JNAP action handler. Publicly available exploit code exists (CVSS E:P), enabling remote compromise of the router with full system-level access. Vendor notified but unresponsive, leaving users without a confirmed patch. EPSS data not available; CVSS 7.3 severity reflects high impact limited by the high privilege requirement (PR:H).
Command Injection
Linksys
-
CVE-2026-6988
HIGH
CVSS 7.4
Remote authenticated attackers can execute arbitrary code on Tenda HG10 routers (firmware HG7_HG9_HG10re_300001138_en_xpon) by sending a malformed 'nextHop' parameter to the /boaform/formRouting endpoint in the Boa web service. This buffer overflow vulnerability has publicly available exploit code on GitHub and is rated 8.8 (High) with low attack complexity. EPSS data unavailable; not currently listed in CISA KEV. Successful exploitation requires only low-privilege authentication and grants full device compromise (confidentiality, integrity, and availability impact).
Buffer Overflow
Tenda
-
CVE-2026-6951
HIGH
CVSS 8.2
Remote code execution in simple-git before 3.36.0 allows unauthenticated attackers to execute arbitrary commands via incomplete sanitization of command-line options. The vulnerability bypasses the prior CVE-2022-25912 fix by accepting --config instead of the blocked -c flag, enabling protocol.ext.allow=always configuration and malicious ext:: URLs. Publicly available exploit code exists (POC confirmed), with EPSS score of 0.08% indicating low current exploitation probability despite the theoretical severity. SSVC framework classifies this as automatable with total technical impact.
RCE
Code Injection
-
CVE-2026-41572
MEDIUM
CVSS 5.3
Soft-deleted public books in note-mark allow unauthenticated access to notes and assets via direct API endpoints and slug URLs. When a note-mark owner deletes a public book, the GORM soft-delete mechanism fails to filter raw SQL JOIN clauses in note and asset queries, leaving notes and uploaded content readable to any caller who knows the note ID or slug path. CVSS 5.3 (network, low complexity, no authentication required) reflects confidentiality impact; patch is available from vendor.
Authentication Bypass
Docker
-
CVE-2026-31684
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_csum: validate nested VLAN headers
tcf_csum_act() walks nested VLAN headers directly from skb->data when an
skb still carries in-payload VLAN tags. The current code reads
vlan->h_vlan_encapsulated_proto and then pu...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31681
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_multiport: validate range encoding in checkentry
ports_match_v1() treats any non-zero pflags entry as the start of a
port range and unconditionally consumes the next ports[] element as
the range end.
The checkentry ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31677
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - limit RX SG extraction by receive buffer budget
Make af_alg_get_rsgl() limit each RX scatterlist extraction to the
remaining receive buffer budget.
af_alg_get_rsgl() currently uses af_alg_readable() only as a gat...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-7002
MEDIUM
CVSS 6.9
SQL injection in KLiK SocialMediaWebsite 1.0.1 and earlier allows remote unauthenticated attackers to execute arbitrary SQL commands via the c_id parameter in /includes/get_message_ajax.php. The vulnerability targets the private message handling component and permits unauthorized database access, modification, and potential data exfiltration. CVSS 7.3 reflects network-accessible, low-complexity exploitation requiring no authentication or user interaction, with partial impact to confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the accessible attack surface.
PHP
SQLi
-
CVE-2026-6994
MEDIUM
CVSS 5.3
Code injection in Envoy up to 1.33.0 via improper query parameter handling in the Header Mutation filter allows authenticated remote attackers to inject arbitrary code through the params.add function, resulting in limited confidentiality and integrity impact. The CVSS 5.3 score reflects the requirement for prior authentication and limited scope of impact, though the injection vector in a core HTTP filtering component warrants prompt patching.
Code Injection
Red Hat
-
CVE-2026-6993
MEDIUM
CVSS 5.5
Unintended intermediary exposure in go-kratos kratos up to 2.9.2 allows remote attackers to disclose sensitive information via manipulation of the http.DefaultServeMux fallback handler in the NewServer function. The vulnerability has publicly available exploit code and affects the HTTP transport layer with a CVSS score of 5.5, representing a confidentiality impact without availability or integrity concerns.
Information Disclosure
Red Hat
-
CVE-2026-6987
MEDIUM
CVSS 5.5
Remote command injection in PicoClaw Web Launcher Management Plane (versions up to 0.2.4) allows unauthenticated attackers to execute arbitrary system commands via the /api/gateway/restart endpoint. CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication. Proof-of-concept code exists (CVSS:E:P). Vendor has not responded to responsible disclosure (reported via GitHub issue #2307), indicating no official patch is available. The Web Launcher Management Plane component suggests this affects administrative/control interfaces, making it a high-priority target for internet-exposed deployments.
Command Injection
-
CVE-2026-6985
MEDIUM
CVSS 5.5
Remote denial of service in Cesanta Mongoose up to version 7.20 allows unauthenticated attackers to trigger an infinite loop via manipulation of TCP option length parameters in the handle_opt function, causing service unavailability. Publicly available exploit code exists. Patch released in version 7.21.
Denial Of Service
-
CVE-2026-6982
MEDIUM
CVSS 5.3
SQL injection in ShowDoc API Page Sort Endpoint allows authenticated remote attackers to manipulate the pages parameter and execute arbitrary SQL queries with limited confidentiality, integrity, and availability impact. Affected versions include 2.10.10, 3.6.2, and 3.8.0; vendor has released patch v3.8.1 but explicitly stated no backports will be provided for older versions.
PHP
SQLi
-
CVE-2026-6980
MEDIUM
CVSS 5.5
Remote command injection in GitPilot-MCP allows unauthenticated attackers to execute arbitrary system commands via the repo_path function in main.py. The vulnerability affects all versions up to commit 9ed9f153ba4158a2ad230ee4871b25130da29ffd, with publicly available exploit code demonstrating practical exploitation. CVSS 7.3 (High) with network vector and no authentication required indicates significant exposure, though CVSS impact ratings (L/L/L) suggest attackers may have limited privileges in command execution context.
Command Injection
-
CVE-2026-6977
MEDIUM
CVSS 5.5
Improper authorization in Vanna AI's Legacy Flask API allows remote unauthenticated attackers to bypass authentication controls and gain unauthorized access. Affects Vanna versions up to 2.0.2. A publicly available proof-of-concept exploit has been disclosed on GitHub, though the vendor has not responded to disclosure. CVSS 7.3 severity reflects a network-accessible attack with low complexity requiring no privileges or user interaction, enabling confidentiality, integrity, and availability impacts.
Authentication Bypass
Python
-
CVE-2026-7001
LOW
CVSS 1.9
Cross-site scripting (XSS) in Datacom DM4100 version 1.3.6.1.4.1.3709 allows authenticated remote attackers to inject malicious scripts via manipulation of the Name parameter in the Ethernet Configuration Page. The vulnerability requires high-privilege administrative access and user interaction to trigger, limiting real-world impact despite public exploit availability. Vendor has not responded to disclosure.
XSS
-
CVE-2026-7000
LOW
CVSS 1.9
Reflected cross-site scripting (XSS) in Datacom DM4100 version 1.3.6.1.4.1.3709 allows remote attackers with high administrative privileges to inject malicious scripts via the VLAN Name parameter on the VLAN Page, exploitable only with user interaction. Public exploit code is available, and the vendor has not responded to early disclosure notifications.
XSS
-
CVE-2026-6999
LOW
CVSS 1.9
Cross-site scripting (XSS) vulnerability in BIVOCOM TR321 version 21.1.1.50 allows authenticated remote attackers with high privileges to inject malicious scripts via manipulation of the Network Name SSID parameter in the Wireless Setting component. The vulnerability requires user interaction to trigger and has limited integrity impact. Exploit code has been publicly published, though the vendor has not responded to disclosure attempts.
XSS
-
CVE-2026-6998
LOW
CVSS 1.9
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 Build 86345 via the Owner parameter on the New RMON Statistics Page allows authenticated remote attackers to inject malicious scripts. The vulnerability requires user interaction (clicking a crafted link) and high-privilege access to exploit, limiting real-world risk despite public exploit availability. The vendor has not responded to disclosure attempts.
XSS
-
CVE-2026-6997
LOW
CVSS 1.9
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 10.1.0F-86345 allows authenticated remote attackers with high privileges to inject malicious scripts via the Owner parameter on the New RMON History Page, requiring user interaction to execute. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
XSS
-
CVE-2026-6996
LOW
CVSS 1.9
Stored cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 86345 allows authenticated remote attackers to inject malicious scripts via the Description parameter in the rmon event Tab component. The vulnerability requires high-privilege authentication and user interaction to trigger, limiting practical exploitation scope. Public exploit code is available; however, the low CVSS score (2.4) reflects the authentication barrier and limited confidentiality/availability impact.
XSS
-
CVE-2026-6995
LOW
CVSS 1.9
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 10.1.0F Build 86345 allows high-privileged authenticated users to inject malicious scripts via the User name parameter in the New User Page (/index.asp), affecting only the injecting user's session due to session-scoped impact. Public exploit code is available, but exploitation requires administrative credentials and user interaction (form submission), significantly limiting real-world attack surface despite the remote attack vector.
XSS
-
CVE-2026-6991
LOW
CVSS 2.1
SQL injection vulnerability in Zod CUID Data Type Handler affects versions up to 4.3.6, allowing authenticated remote attackers to manipulate input validation logic in the regex component and execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept code available; the vendor was contacted early but provided no response, and no patch has been issued as of analysis time.
SQLi
-
CVE-2026-6990
LOW
CVSS 2.0
Stored cross-site scripting (XSS) in projeto-siga SIGA 11.0.3.18 allows authenticated remote attackers to inject malicious scripts via the Nome/Descrição parameter in the /sigawf/app/responsavel/novo endpoint. Successful exploitation requires user interaction (UI:R) and an authenticated session (PR:L), limiting impact to information disclosure (I:L). Public exploit code is available, though exploitation remains constrained by authentication and user interaction requirements.
XSS
-
CVE-2026-6989
LOW
CVSS 2.1
Command injection in Tenda F453 firmware up to version 1.0.0.3 allows authenticated remote attackers to execute arbitrary system commands via the TendaTelnet function in the /goform/telnet endpoint. The vulnerability has publicly available exploit code and may be actively used against deployed devices. Attack requires low-privilege authentication but carries significant risk due to the telnet service's direct command execution capability.
Command Injection
Tenda
-
CVE-2026-6986
LOW
CVSS 2.9
Improper verification of cryptographic signatures in Cesanta Mongoose versions up to 7.20 allows remote attackers to bypass GCM authentication tag validation in the mg_aes_gcm_decrypt function. The vulnerability has high attack complexity and requires no user interaction, but provides only integrity impact (not confidentiality or availability). Publicly available exploit code exists, and the vendor has released patched version 7.21.
Information Disclosure
Jwt Attack
-
CVE-2026-6984
LOW
CVSS 2.0
Server-side template injection in AstrBot Dashboard API (version 4.22.1 and earlier) allows remote authenticated attackers with high privileges to execute arbitrary template code via the create_template function, leading to information disclosure and potential code execution. Publicly available exploit code exists, and the vendor has not yet responded to disclosure despite early notification.
Information Disclosure
Ssti
-
CVE-2026-6983
LOW
CVSS 2.0
Server-side request forgery (SSRF) in Pagekit up to version 1.0.18 allows authenticated high-privilege administrators to manipulate the url parameter in the /index.php/admin/system/update/download endpoint, enabling them to force the server to make arbitrary HTTP requests to internal or external systems. Publicly available exploit code exists, and the vendor did not respond to early disclosure efforts.
PHP
SSRF
-
CVE-2026-6981
LOW
CVSS 2.1
Server-side request forgery (SSRF) in AiraHub2 allows authenticated remote attackers to manipulate the connect_stream_endpoint and sync_agents functions in AiraHub.py, enabling arbitrary HTTP requests to internal or external systems. The vulnerability affects multiple endpoints and has publicly available exploit code; however, the vendor has not responded to disclosure attempts and uses a rolling release model, making patch status unclear.
SSRF
-
CVE-2026-6979
LOW
CVSS 2.1
Server-side request forgery (SSRF) in devlikeapro WAHA up to version 2026.3.4 allows authenticated remote attackers to forge requests from the server via the media.controller.ts API endpoint, enabling potential reconnaissance, internal resource access, and lateral movement attacks. Publicly available exploit code exists and the vendor has not responded to disclosure efforts.
SSRF
-
CVE-2026-6978
LOW
CVSS 2.0
SQL injection in JiZhiCMS up to version 2.5.6 allows authenticated high-privileged administrators to execute arbitrary SQL queries via the sqls parameter in the /index.php/admins/Sys/addcache.html endpoint. The vulnerability is remotely exploitable and publicly available exploit code exists, though the low CVSS score (4.7) reflects the requirement for high-level administrative authentication, limiting real-world attack surface.
PHP
SQLi