Remote code execution in Synway SMG Gateway Management Software allows unauthenticated attackers to execute arbitrary OS commands via command injection in the RADIUS configuration endpoint. The vulnerability exploits unsanitized POST parameters (radius_address, radius_address2, shared_secret2, source_ip, timeout, retry) that are directly interpolated into sed commands at /en/9-2radius.php. Shadowserver Foundation confirmed active exploitation beginning July 11, 2025, with publicly available exploit code and Nuclei templates enabling widespread automated attacks. CVSS 9.3 critical severity reflects the combination of network accessibility, zero authentication requirements, and complete system compromise potential.
Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Command injection in Amazon ECS Agent on Windows allows authenticated attackers with task definition permissions to execute arbitrary shell commands with SYSTEM privileges on the underlying host. The vulnerability exists in the FSx Windows File Server volume mounting component (versions prior to 1.103.0), where username field input is not properly sanitized before being passed to OS commands. This affects AWS customers running Windows-based ECS container workloads with FSx volumes - exploitation requires IAM permissions to register ECS task definitions or write to credential stores (Secrets Manager/SSM Parameter Store) used by FSx configurations. Vendor-released patch: version 1.103.0. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Stack-based buffer overflow in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01 allows authenticated remote attackers to execute arbitrary code with elevated privileges via crafted SafeMacFilter requests. The vulnerability resides in function sub_427C3C at endpoint /goform/SafeMacFilter, where insufficient input validation of the 'page' parameter enables memory corruption. Public exploit code exists on GitHub (Axelioc/CVE), significantly lowering the barrier to exploitation for attackers with valid router credentials. CVSS 7.4 reflects high confidentiality, integrity, and availability impact requiring only low-privilege authentication.
Buffer overflow in TOTOLINK A800R router firmware 4.1.2cu.5137 enables authenticated remote attackers to achieve arbitrary code execution with high privileges. The vulnerability exists in the setWiFiMultipleConfig function of the wireless configuration module (wireless.so) within the cstecgi.cgi web interface, exploitable via malformed wepkey2 parameter. Public proof-of-concept exploit code is available on GitHub. EPSS data not provided, CISA KEV status not listed, indicating exploitation is demonstrated but not yet observed in widespread campaigns.
Authentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent authentication controls and gain unauthorized access with high impact to confidentiality, integrity, and availability. Affects all versions before 2025.0.9, all 2024.x versions before 2024.1.8, and all versions prior to 2024.0.0. Progress Software has released patches for all supported versions. CVSS 9.8 critical severity with network-accessible, low-complexity exploitation requiring no privileges or user interaction. No public exploit or active exploitation confirmed at time of analysis, though the authentication bypass nature and MOVEit's history as a high-value target make this a priority remediation candidate.
Argument injection in Gotenberg v8.30.1 and earlier allows unauthenticated remote attackers to manipulate filesystem operations by embedding newline characters in PDF metadata values. The vulnerability bypasses an incomplete fix from v8.30.1 that sanitized only metadata keys while leaving values unvalidated, enabling injection of ExifTool pseudo-tags like -FileName, -Directory, -SymLink, and -HardLink through the /forms/pdfengines/metadata/write endpoint. Attackers can move files to arbitrary paths (including overwriting /etc/passwd), create symlinks for read/write primitives, and persist data via hard links - all without authentication against default configurations. Vendor-released patch: version 8.31.0. CVSS 10.0 severity reflects the network attack vector (AV:N), no authentication requirement (PR:N), low complexity (AC:L), and scope change (S:C) enabling container escape scenarios. No public exploit identified at time of analysis, though complete PoC reproduction steps are documented in GitHub advisory GHSA-q7r4-hc83-hf2q.
Unauthenticated remote file write in Shopizer v3.2.5 allows attackers to upload arbitrary files to any writable system path via path traversal in the /content/images/add endpoint. With CVSS 10.0 and network-based exploitation requiring no authentication or user interaction, this enables immediate remote code execution by uploading malicious executables or web shells. No public exploit confirmed at time of analysis, though the attack vector is straightforward for a path traversal vulnerability. EPSS data not available, but the technical characteristics (AV:N/PR:N/AC:L) indicate high exploitability once details become widely known.
OS command injection in VetCoders mcp-server-semgrep 1.0.0 allows remote unauthenticated attackers to execute arbitrary commands via unsanitized ID arguments passed to multiple analysis functions (analyze_results, filter_results, export_results, compare_results, scan_directory, create_rule) in src/index.ts. The vulnerability stems from unsafe use of child_process.exec() which interpolates user input into shell command strings. Publicly available exploit code exists, and vendor-released patch version 1.0.1 is available.
Path traversal in JeeSite 5.15.1 allows authenticated users with file upload permissions to write arbitrary files to any filesystem location during chunked uploads by manipulating the fileMd5 parameter in /a/file/upload. Attackers can bypass directory restrictions to plant webshells, modify configuration files, or overwrite executables with whitelisted extensions, achieving remote code execution and full system compromise. Scope change in CVSS vector indicates container escape or cross-tenant impact in multi-tenant deployments. No active exploitation confirmed (not in CISA KEV) but vulnerability disclosed via GitHub issue #530.
Improper authorization in the GoClaw and GoClaw Lite RPC gateway allows unauthenticated remote attackers to invoke privileged methods including configuration exfiltration, heartbeat manipulation, and agent mutation via WebSocket connections. Versions up to 3.8.5 implement a fail-open authorization policy where unclassified RPC methods default to viewer-level access and authentication failures fall back to authenticated viewer sessions. Public exploit code exists (GitHub issue #866) demonstrating unauthorized method invocation. Vendor-released patch: version 3.9.0 implements fail-closed authorization with explicit method classification and rejects connections lacking valid credentials.
Improper access controls in 1024-lab smart-admin up to version 3.30.0 allow remote unauthenticated attackers to gain unauthorized access to the Druid demo interface at /smart-admin-api/druid/index.html, potentially exposing sensitive data or administrative functionality. The vulnerability has a publicly available proof of concept and a CVSS score of 5.5 (low confidentiality/integrity impact), though the vendor has not yet acknowledged or patched the issue despite early notification.
SQL injection in SourceCodester Hotel Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the room_type parameter in /index.php/reservation/check. CVSS 7.3 indicates medium-to-high severity with confidentiality, integrity, and availability impacts. Publicly available exploit code (GitHub) significantly lowers the barrier to exploitation. EPSS data unavailable, but public POC availability and remote unauthenticated attack vector suggest elevated real-world risk for internet-exposed installations of this PHP-based hotel management system.
Identity collision in the go-pkgz/auth Patreon OAuth provider allows any Patreon-authenticated user to impersonate every other Patreon user in the same application. The Patreon provider hashes an uninitialized variable instead of the actual Patreon account ID, assigning the constant value patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709 to all users. Applications using token.User.ID as the stable account key can experience cross-account access, privilege escalation, and data leakage. Vendor-released patch available in versions 1.25.2 and 2.1.2. No evidence of active exploitation or public POC beyond the vendor's disclosure, but the vulnerability is trivially exploitable with remote unauthenticated access to any affected application.
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an integer underflow by sending malformed handshake fragments with zero length and a non-zero offset, enabling information disclosure or denial of service against Red Hat-shipped GnuTLS (RHEL 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images). Reported by Red Hat with a vendor patch available and errata released; no public exploit identified at time of analysis, and EPSS is very low (0.04%, 11th percentile) with SSVC exploitation status 'none'. CVSS 9.1 reflects high confidentiality and availability impact over the network at low complexity without authentication.
Account takeover via SAML SSO authentication bypass in Sentry allows attackers to hijack arbitrary user accounts when controlling a malicious SAML Identity Provider within multi-organization instances. Attackers with permissions to configure SSO settings in one organization can link a victim's email address to their malicious IdP, then authenticate as that victim across the instance. The vulnerability was responsibly disclosed via bug bounty, patched in version 26.4.1 (deployed to SaaS in April 2026), and requires knowledge of the victim's email address plus multi-organization deployment (SENTRY_SINGLE_ORGANIZATION = False). No public exploit identified at time of analysis, though technical details and patch code are public via GitHub advisory GHSA-rcmw-7mc7-3rj7.
Silent dependency checksum bypass in hexpm/hex package manager (versions 0.16.0 through 2.4.1) allows attackers to substitute malicious dependencies without detection. The Hex.RemoteConverger module fails to verify lockfile checksums due to a string-versus-atom type mismatch in the verification logic, causing the security check to be silently skipped. Attackers who can poison local package caches or compromise registry responses can deliver modified packages that overwrite mix.lock without raising alerts. SSVC framework indicates proof-of-concept exists, attack is non-automatable (requires user interaction and precise timing), with total technical impact. Fixed in version 2.4.2 (commit d7528c8).
Heap overflow in Wireshark 4.6.0 through 4.6.4 TLS protocol dissector enables remote code execution when a user opens a malicious capture file or inspects crafted network traffic. The vulnerability requires user interaction (UI:R) but no authentication, making it exploitable via social engineering. No public exploit code identified at time of analysis, though the technical details are disclosed in vendor advisory wnpa-sec-2026-14 and tracked in GitLab issue #21090. CVSS 8.8 reflects the combination of network vector, low complexity, and potential for complete system compromise despite the user interaction requirement.
Remote code execution in IBM Langflow Desktop 1.0.0 through 1.8.4 allows authenticated attackers to execute arbitrary commands at the privilege level of the Langflow process. Attackers can exfiltrate API keys and database credentials from environment variables, modify application files, or pivot to internal network targets. IBM has released a vendor patch addressing this code injection vulnerability. No active exploitation confirmed by CISA KEV at time of analysis, though CVSS 8.8 severity and low attack complexity indicate high exploitability once authenticated access is obtained.
XML External Entity (XXE) injection in RTI Connext Professional's Core Libraries allows remote unauthenticated attackers to exfiltrate sensitive data and cause denial of service through maliciously crafted XML documents processed by the DDS middleware. Affects versions 4.3x through 7.6.x across all major release branches (4.3x-7.4.0), with vendor patch available but no public exploit identified at time of analysis. CVSS 8.8 (High) reflects network attack vector with high confidentiality and availability impact but no integrity compromise, consistent with typical XXE data exfiltration and resource exhaustion scenarios. SSVC assessment indicates non-automatable exploitation with partial technical impact, suggesting targeted attack scenarios rather than mass exploitation.
XML external entity injection in SpringBlade v4.8.0's /designer/loadReport endpoint enables authenticated attackers to execute arbitrary code remotely. The vulnerability requires low-privilege authentication (PR:L) but no other special conditions (AC:L, UI:N), allowing attackers with basic credentials to compromise confidentiality, integrity, and availability. EPSS probability is low (0.02%, 6th percentile) indicating minimal observed exploitation activity. No CISA KEV listing confirms this is not yet widely exploited in the wild, though a GitHub issue documents the flaw suggesting proof-of-concept details may exist.
Cross-site request forgery in Dbit N300 T1 Pro wireless router V1.0.0 allows remote unauthenticated attackers to execute arbitrary administrative actions by convincing an authenticated administrator to visit a malicious webpage. The router lacks anti-CSRF tokens and Origin/Referer validation on configuration endpoints like /api/setWlan, enabling complete router compromise through social engineering. Publicly available exploit code exists (SSVC: poc status) with EPSS data not provided, indicating proof-of-concept demonstration but no confirmed active exploitation at time of analysis.
Cross-site request forgery in U-SPEED N300 Router V1.0.0 allows remote attackers to execute administrative actions through victim browsers when authenticated administrators visit attacker-controlled webpages. The router's web management interface lacks CSRF tokens and Origin/Referer validation, enabling attackers to craft malicious pages that trigger state-changing operations using the victim's valid session cookie. A proof-of-concept exploit exists (GitHub repository linked), though no active exploitation is confirmed in CISA KEV at time of analysis. CVSS 8.8 severity reflects high impact across confidentiality, integrity, and availability when exploitation succeeds.
Path traversal in JeeSite v5.15.1's file upload endpoint allows authenticated users with file upload permissions to write arbitrary files to any filesystem location, enabling remote code execution by uploading malicious files (e.g., JSP webshells) outside intended directories. The vulnerability exists in the fileEntityId parameter of /a/file/upload, bypassing directory restrictions while respecting file extension whitelists. EPSS score of 0.01% (3rd percentile) indicates low predicted exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, though vendor issue tracker discussion provides technical details that could facilitate POC development.
Privilege escalation in IBM Turbonomic prometurbo agent allows compromised service accounts to exfiltrate cluster-wide Kubernetes secrets and achieve full cluster takeover. Affects versions 8.16.0 through 8.17.6 deployed in Kubernetes environments. The operator grants excessive RBAC permissions enabling unrestricted read access to all secrets cluster-wide. CVSS 8.8 indicates high severity with scope change to container/cluster level. No active exploitation confirmed (not in CISA KEV), but the attack path from service account compromise to cluster admin is well-understood in Kubernetes threat models.
Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system commands via the /bridge slash command. Attackers with remote sender privileges can invoke '/bridge spawn' with malicious command arguments that bypass input validation and execute directly through the shell subprocess helper, granting access to local files, credentials, workspace state, and repository contents. Vendor-released patch available (commit 438e373) that restricts /bridge to local-only invocation by default.
Remote denial-of-service in CryptPad 2025.3.1 allows unauthenticated attackers to flood WebSocket frames and degrade or deny service for all users of an instance. The vulnerability stems from unbounded WebSocket connection handling without rate limiting. Fixed in version 2026.2.2 via nginx rate limiting configuration (30 requests/minute with burst=5). CVSS 8.7 (High) reflects network-accessible, low-complexity attack requiring no authentication. No CISA KEV listing or public exploit identified at time of analysis, but low technical barrier suggests high exploitability.
Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privileges and cause high-impact denial of service across container boundaries. Affecting all versions prior to 2025.1.5, 2025.0.9, and 2024.1.8, this network-accessible vulnerability with low attack complexity allows attackers to disrupt availability system-wide. Progress issued a Critical Security Alert Bulletin addressing this issue alongside CVE-2026-4670 in their April 2026 advisory. No public exploit identified at time of analysis, but the straightforward attack path (AV:N/AC:L/PR:L) and Changed scope indicate significant real-world risk for organizations running unpatched instances.
Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Arcane's Huma backend exposes four GET endpoints (`/api/templates*`) without authentication, allowing remote unauthenticated attackers to read all stored Docker Compose templates including plaintext environment files containing database passwords, API keys, and OAuth secrets. The vulnerability affects Arcane backend versions prior to 1.18.0. Because Arcane's "Save as Template" workflow persists production secrets verbatim into these templates, this is not theoretical information disclosure but direct credential theft. The frontend correctly treats these paths as authenticated, revealing a backend authorization gap (CWE-862). Vendor-released patch available in version 1.18.0. No active exploitation or public exploit code identified at time of analysis, though the attack is trivial (CVSS:4.0 AV:N/AC:L/PR:N).
SQL injection in SSCMS v7.4.0 enables high-privileged attackers to execute arbitrary SQL statements via the stl:sqlContent tag's queryString attribute. Attackers with administrative access can craft encrypted payloads to the /api/stl/actions/dynamic endpoint, bypassing parameterization controls to achieve database compromise, authentication bypass, or complete data exfiltration. EPSS data not available; no confirmed active exploitation (CISA KEV negative); public exploit code availability unknown but detailed technical advisory published by VulnCheck increases weaponization risk.
Server-Side Request Forgery (SSRF) in n8n-mcp SDK allows authenticated remote attackers to access cloud metadata endpoints and internal network resources via IPv4-mapped IPv6 address bypass. Versions 2.47.4 through 2.47.13 fail to validate IPv6 addresses in the synchronous URL validator (SSRFProtection.validateUrlSync()), enabling attackers who control the n8nApiUrl parameter to bypass RFC1918, localhost, and cloud metadata protections using addresses like [::ffff:169.254.169.254]. The vulnerability is non-blind SSRF returning response bodies to the attacker, and forwards the n8nApiKey in the x-n8n-api-key header to attacker-controlled targets. Confirmed actively exploited (CISA KEV). Vendor-released patch: version 2.47.14. EPSS exploitation probability not provided but risk is elevated given KEV status and availability of exploit code in the GitHub advisory.
Local privilege escalation in Absolute Secure Access Windows client versions prior to 14.50 allows authenticated local attackers to escalate privileges to SYSTEM level by sending malformed API data. The vulnerability stems from an arbitrary read/write flaw in the client's API handling. Vendor patch is available (version 14.50). EPSS score not available for this recent CVE; no public exploit identified at time of analysis, and not currently listed in CISA KEV.
Stored XSS in Jupyter Notebook's CommandLinker feature enables authentication token theft through malicious notebook files, leading to complete account takeover. Attackers craft notebook files with disguised controls that, when clicked once by victims, execute arbitrary code via the Jupyter REST API, granting full filesystem access and kernel control. Reported by NVIDIA AI Red Team. Vendor-released patches available: Jupyter Notebook 7.5.6 and JupyterLab 4.5.7. No public exploit code identified at time of analysis, but proof-of-concept demonstrated internally by NVIDIA researchers. This vulnerability targets data science and ML engineering environments where notebook sharing is common practice.
Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own due to insufficient authorization checks. An attacker with legitimate access to one project can manipulate SharePolicy records (visibility settings, passwords, allowed parameters, expiration dates) for dashboards in any other project within the same Chartbrew instance. While CVSS rates this 8.1 HIGH, real-world risk depends heavily on multi-tenancy deployment: single-organization instances face lower insider threat exposure than multi-tenant SaaS scenarios. EPSS data not available. No public exploit identified at time of analysis, though exploitation requires only basic authenticated API access.
Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, data requests, and database connections belonging to other projects within the same team. Attackers with credentials to any single project can read, modify, create, and delete data assets across all sibling projects by exploiting missing project-level authorization checks on multiple API endpoints. This enables cross-project data exfiltration and unauthorized execution of victim database queries remotely with low complexity (EPSS not provided, no CISA KEV listing, vendor-patched in v5.0.0).
Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHCP packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches prior to security patches. EPSS exploitation probability is low (0.03%, 8th percentile) and no active exploitation confirmed, but SSVC classifies this as automatable with partial technical impact. The vulnerability requires network position to send crafted DHCP responses (CVSS AV:N/AC:H), making exploitation complexity high but not requiring authentication.
Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation or denial of service through maliciously crafted message headers. The vulnerability affects FreeBSD versions 13.5, 14.3, 14.4, and 15.0, with patches released in security advisory FreeBSD-SA-26:17.libnv. Despite network attack vector and privilege escalation potential (CVSS 8.1), EPSS scoring indicates only 0.02% exploitation probability (5th percentile), and no active exploitation or public exploit code has been identified. SSVC classifies technical impact as partial with no confirmed exploitation.
Remote code execution as root in FreeBSD dhclient allows malicious DHCP servers to inject arbitrary commands via unsanitized BOOTP file field in DHCP responses. When dhclient writes lease data without escaping embedded double-quotes and later re-parses it (e.g., after system restart), injected dhclient.conf directives execute through dhclient-script. EPSS score is notably low (0.02%, 5th percentile) with SSVC indicating no observed exploitation and partial technical impact, suggesting limited real-world targeting despite the high-severity nature of root code execution. No public exploit code identified at time of analysis.
Remote authenticated attackers can flood PDKS (Personnel and Document Tracking System) through uncontrolled interaction frequency, achieving high integrity and availability impacts without confidentiality breach. This workforce management software by MeWare Software Development Inc. is vulnerable to denial-of-service conditions and potential data integrity compromise through rate-limiting bypass. Affects versions from V16.20200313 through VMYR_3.5.2025117. TR-CERT advisory available, EPSS data not provided, no CISA KEV listing identified.
Remote authenticated attackers can bypass authorization controls in MeWare PDKS through user-controlled key manipulation, enabling privilege escalation to access and modify sensitive data without proper permissions. Affecting PDKS versions from V16.20200313 to VMYR_3.5.2025117, this vulnerability allows low-privileged users to abuse authorization mechanisms via network access without user interaction. No confirmed active exploitation or public exploit code identified at time of analysis, with EPSS data unavailable for risk quantification.
Remote code execution in Krayin CRM 2.1.5 allows authenticated attackers to execute arbitrary code through the compose email function via code injection. The vulnerability was patched in version 2.1.6 released by the vendor. A public proof-of-concept exploit exists on GitHub (cybercrewinc/CVE-2026-36340), significantly lowering the barrier to exploitation. With CVSS 8.1 (High) and network accessibility requiring only low-privilege authentication, this presents immediate risk to organizations running unpatched Krayin CRM instances, particularly those exposing the CRM to internal users or external partners.
Buffer overflow in Linux kernel Xen hypervisor interface allows local authenticated users to achieve arbitrary code execution with high privilege escalation impact. The vulnerability stems from improper handling of non-NUL-terminated build ID data from HYPERVISOR_xen_version(XENVER_build_id) in drivers/xen/sys-hypervisor.c, where sprintf reads past buffer boundaries seeking a NUL terminator. Affects Linux kernel versions from 5.10 through 7.0 series when running as Xen domain. Vendor-released patches available across all affected stable branches (5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.26, 7.0.3). EPSS score of 0.08% (23rd percentile) indicates low probability of mass exploitation despite high CVSS 7.8, reflecting specialized Xen-only attack surface. No public exploit identified at time of analysis.
Gotenberg versions up to 8.30.1 allow Server-Side Request Forgery (SSRF) against internal networks and cloud metadata endpoints via case-variation bypass of webhook and downloadFrom deny-lists. Remote unauthenticated attackers can use uppercase URL schemes (HTTP://, HTTPS://) to circumvent the default case-sensitive regex (^https?://) protecting private IP ranges; Go's net/url.Parse() normalizes schemes to lowercase during connection establishment, completing the bypass. The flaw affects two features added in commit 3f01ca1 (April 2026): webhook callback URLs and downloadFrom file fetching. Vendor-released patch version 8.31.0 available. CVSS 9.1 (Critical) with Changed Scope reflects potential access to instance metadata services (e.g., AWS 169.254.169.254) and internal APIs that return sensitive data in Content-Disposition headers. This is a regression of the pattern previously fixed in CVE-2026-27018 for the Chromium deny-list.
Double-free vulnerability in Linux kernel Xen privcmd driver allows local authenticated attackers to corrupt memory and potentially execute arbitrary code or cause denial of service. When userspace performs partial munmap() on privcmd mappings, VMA splitting creates duplicate pointers to the same memory pages array, leading to kvfree() being called twice on the same allocation during VMA cleanup. Xen Security Advisory XSA-487 confirms this issue affects virtualization hosts running Xen paravirtualized domains. No public exploit identified at time of analysis, with EPSS score of 0.03% indicating low predicted exploitation probability. Vendor-released patches available for stable kernel versions 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.26, and 7.0.3.
Uninitialized variable use in Linux kernel CIFS replay logic allows local authenticated attackers to potentially access sensitive kernel memory, corrupt data, or trigger denial of service. The vulnerability exists in CIFS request replay code paths where certain local variables lack proper reinitialization after replay labels, potentially causing undefined behavior during SMB session recovery operations. Patches available for kernel versions 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates minimal observed exploitation activity, consistent with the local access requirement and specialized triggering conditions.
Stack corruption in FreeBSD libnv library allows local authenticated attackers to elevate privileges to root when exploiting setuid-root applications. The vulnerability stems from libnv's select(2) implementation failing to validate socket descriptors against FD_SETSIZE limits (1024), enabling descriptor exhaustion attacks that corrupt stack memory. Confirmed by FreeBSD Security Advisory SA-26:16 with patches available across all stable branches. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC identified at time of analysis.
Local privilege escalation in FreeBSD kernel allows authenticated users to gain root privileges through buffer overflow in execve(2) argument handling. The vulnerability stems from an operator precedence bug causing attacker-controlled data to overwrite adjacent execution argument buffers. CISA SSVC framework indicates no active exploitation detected, though the technical impact enables complete system compromise. EPSS probability remains very low (0.02%, 5th percentile), suggesting targeted rather than widespread threat. FreeBSD has released patches across all supported release branches.
Heap buffer overflow in Wireshark's SBC codec handler enables local code execution when processing malicious capture files. Affects Wireshark versions 4.4.0-4.4.14 and 4.6.0-4.6.4. The vulnerability requires user interaction (opening a crafted packet capture file) but no authentication, posing significant risk to network analysts who routinely process captures from untrusted sources. Wireshark Foundation has published security advisory WNPA-sec-2026-16 with remediation details. EPSS probability data not available; no evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.