Memory corruption in Qualcomm Snapdragon camera subsystem allows local authenticated users to execute arbitrary code with high privileges through crafted input/output control (ioctl) calls targeting camera sensor interfaces with malformed output buffers. CVSS score of 7.8 reflects local attack vector requiring low-privilege account access. No EPSS data or KEV listing at time of analysis, suggesting exploitation has not been publicly observed. Qualcomm security bulletin scheduled for May 2026 indicates vendor-coordinated disclosure with patches expected in that timeframe.
Local privilege escalation in Qualcomm Snapdragon chipsets allows authenticated users to corrupt kernel memory during digital signal processor (DSP) process creation, leading to arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability exploits allocation failure handling at kernel level. Qualcomm has published a security bulletin with remediation details for the May 2026 bulletin cycle. No active exploitation or public exploit code identified at time of analysis, though EPSS data not available to assess probabilistic risk.
Man-in-the-middle attackers can strip TLS protection from Ruby net-imap STARTTLS connections by injecting a premature tagged OK response with a predictable tag. The vulnerability allows attackers to bypass TLS encryption, forcing the client to transmit credentials and email content in cleartext while the application believes the connection is secure. Vendor-released patches (net-imap 0.6.4, 0.5.14, 0.4.24, 0.3.10) are available. CVSS 7.6 severity reflects network-accessible attack with low complexity but requires man-in-the-middle positioning. No public exploit code identified at time of analysis, though the attack mechanism is well-documented in security research (NO STARTTLS project).
Remote attackers can crash Apache HTTP Server 2.4.66 and earlier by sending malicious requests that trigger a NULL pointer dereference in mod_dav_lock, causing denial of service. The vulnerability affects only servers with mod_dav_lock enabled, a legacy module whose primary use-case (Apache Subversion < 1.2.0) is obsolete in modern deployments. CISA SSVC indicates no active exploitation, but the attack is automatable against susceptible configurations. CVSS 7.5 (High) reflects network-accessible, unauthenticated denial of service, though real-world impact is limited to the small subset of servers still running mod_dav_lock.
Assimp 6.0.2 crashes when processing malformed FBX files due to unchecked resource consumption in the FBX multi-material mesh converter. Remote attackers can trigger denial of service (application crash) via network-delivered malicious 3D model files without authentication, requiring no user interaction beyond normal file processing. EPSS data not available; no evidence of active exploitation (not in CISA KEV). Publicly documented proof-of-concept exists via GitHub Gist, enabling straightforward reproduction.
Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt memory. The vulnerability stems from inconsistent fragment validation in merge_handshake_packet(), where attackers can send crafted DTLS fragments with conflicting message_length values to trigger out-of-bounds writes. Red Hat reported this affecting RHEL 6-10 and OpenShift Container Platform 4. CVSS 7.5 (High) reflects network-accessible denial of service, though memory corruption may enable further exploitation. No EPSS data, KEV status, or POC availability reported at time of analysis, but the remote unauthenticated attack vector (AV:N/PR:N) and low complexity (AC:L) make this a priority for systems using DTLS.
Authentication bypass in GeoVision LPC2011/LPC2211 license plate camera firmware version 1.10 allows remote unauthenticated attackers to brute-force predictable session cookies via the Web Interface and gain access to the device. The flaw stems from insufficient randomness in session token generation (CWE-341), enabling attackers to enumerate valid cookies through a crafted series of HTTP requests. No public exploit identified at time of analysis, and EPSS is low at 0.06%, but CISA SSVC rates technical impact as partial with no current exploitation observed.
Symlink-following path traversal in apko (versions 0.14.8 through <1.2.5) allows malicious APK archives to write arbitrary files to host paths during build operations. A crafted .apk can install a symlink entry pointing outside the build root, then traverse that symlink via subsequent file-write or directory-creation operations to reach any path writable by the build user. Affects disk-backed operations in apko build-cpio and downstream tools like melange; in-memory tarfs paths (apko build, apko publish) are not vulnerable. Vendor-released patch available in apko v1.2.5. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates network-reachable unauthenticated exploitation, though practical attack requires convincing a target to process the malicious APK during a build. No EPSS or KEV data available; publicly available exploit code exists in the form of regression tests demonstrating each primitive.
Unbounded cache growth in @fastify/accepts-serializer versions ≤6.0.3 allows remote unauthenticated attackers to exhaust Node.js heap memory by sending numerous distinct Accept header variants, crashing the application. The plugin caches serializer selections keyed by Accept header without size limits, enabling trivial memory exhaustion attacks against any exposed Fastify endpoint. Fix available in version 6.0.4, which implements an LRU cache with 100-entry default limit. No public exploit code identified at time of analysis, but attack is straightforward to execute with basic HTTP tools.
Denial of Service in FRRouting 10.0 through 10.6 allows remote unauthenticated attackers to crash the BGP daemon via a malformed BGP UPDATE message exploiting an integer underflow in next-hop capability processing. Upstream fix available in commit 693a2e0 but released patched version not independently confirmed. No public exploit identified at time of analysis, with EPSS score not provided suggesting low observed exploitation activity.
Remote denial of service in the Postfix mail transfer agent (before 3.8.16, 3.9.x before 3.9.10, and 3.10.x before 3.10.9) lets attackers crash the process through a malformed enhanced status code that ends immediately after the third numeric component with no trailing text, triggering a buffer over-read. The flaw affects availability only - no data exposure or code execution - and has no public exploit identified at time of analysis. EPSS is very low (0.04%, 11th percentile) and CISA SSVC rates exploitation as none and non-automatable, consistent with a crash-only bug.
Network-accessible denial-of-service in HashiCorp Boundary workers allows unauthenticated remote attackers to block legitimate worker connections by manipulating TLS handshake timing during node enrollment. Attackers can connect to the worker authentication listener and intentionally delay or withhold client certificates, causing connection handlers to block and preventing legitimate workers from enrolling or routing traffic. Both Community Edition and Enterprise versions prior to 0.21.3, 0.20.3, and 0.19.5 are vulnerable. EPSS data not provided; no CISA KEV listing indicating limited observed exploitation. Vendor-confirmed vulnerability with patches released across three active release branches.
Remote denial of service in Apache OpenNLP versions before 2.5.9 and 3.0.0-M3 allows unauthenticated attackers to crash JVM processes by uploading malicious .bin model files that trigger OutOfMemoryError through unbounded array allocation. Exploitation requires no authentication (AV:N/AC:L/PR:N) and affects any code path deserializing binary model files from untrusted sources. EPSS score of 0.02% (5th percentile) suggests low widespread exploitation risk, and no active exploitation or public POC has been identified at time of analysis. Vendor-released patches are available with default safeguards limiting count fields to 10 million entries.
Remote attackers can crash GoBGP v4.3.0 by sending a malformed BGP UPDATE message that triggers an out-of-bounds read in IPv6 extended community parsing. The flaw allows unauthenticated denial of service against default configurations with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, and EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability. Upstream fixes available via GitHub commits 362cce3e and 9ce8936.
Package substitution in Chainguard apko allows network-positioned attackers to inject arbitrary APK packages into container images during build. apko verifies APKINDEX.tar.gz signatures but fails to validate individual downloaded .apk packages against signed index checksums, accepting mismatched packages silently. Attackers controlling download responses (compromised mirrors, HTTP repositories, poisoned CDN caches) can replace legitimate packages with malicious ones. Fixed in version 1.2.7. CVSS 7.5 with network vector and no authentication required. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation at time of analysis.
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 Web Interface enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs targeting the ssi.cgi error handler. The vulnerability chains through social engineering (requires user interaction) but achieves high confidentiality impact through changed scope (S:C), allowing session hijacking and credential theft from authenticated administrators. EPSS data not provided; no CISA KEV listing indicates this is not yet confirmed as actively exploited in the wild. Publicly available exploit code status unknown but detailed technical disclosure exists from Cisco Talos Intelligence.
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 1.10 web interface (ssi.cgi) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability achieves scope change (S:C in CVSS), enabling access to high-confidentiality data across security contexts despite requiring user interaction. No public exploit code or CISA KEV listing identified at time of analysis, though vendor advisory confirms the flaw. EPSS data not available. The RCE tag appears to be a mislabeling - this is strictly client-side JavaScript execution (XSS), not server-side remote code execution.
Remote code execution in SambaBox 5.1-5.2 allows authenticated administrators to inject and execute arbitrary OS commands through improper input sanitization. Attackers with high-privilege access can achieve full system compromise with confidentiality, integrity, and availability impact. Reported by Turkish national CERT (TR-CERT/USOM), no CISA KEV listing or public exploit code identified at time of analysis, indicating limited observed exploitation activity.
Heap buffer overflow in BusyBox udhcpc6 (DHCPv6 client) allows network-adjacent attackers to achieve remote code execution or denial of service on embedded systems. The vulnerability stems from incorrect heap buffer allocation in option_to_env() when parsing D6_OPT_DNS_SERVERS options in DHCPv6 responses. Particularly dangerous on embedded devices lacking heap hardening protections. Fixed in commit 42202bf. No active exploitation confirmed (not in CISA KEV), but publicly available proof-of-concept from VulnCheck disclosure increases real-world risk for IoT and embedded deployments.
Nil-pointer dereference in Incus daemon's custom volume backup import logic allows authenticated users to crash the service by supplying a malformed backup archive containing null entries in the volume_snapshots array, enabling repeated denial of service attacks. The vulnerability exists in the CreateCustomVolumeFromBackup function which fails to validate snapshot pointers before dereferencing them during import operations. CVSS 6.5 (authenticated network access, high availability impact); no public exploit code or active exploitation reported at analysis time, but proof-of-concept demonstration included in advisory.
Nil-pointer dereference in Incus daemon's storage bucket import logic allows authenticated users to crash the daemon by submitting a malformed bucket backup archive with a missing config section in index.yaml, enabling denial of service through repeated exploitation. The vulnerability affects Incus versions prior to 7.0.0 and requires valid storage bucket feature access but no special privileges beyond authenticated user status.
Denial of service in Incus prior to version 7.0.0 allows authenticated users to crash the Incus daemon by importing a maliciously crafted backup archive with physical snapshot directories but tampered metadata arrays. The vulnerability stems from an incorrect bounds check (len(slice) >= i-1 instead of len(slice) > i) in the backup restore and migration code paths, enabling out-of-bounds array access that triggers a runtime panic. Repeated exploitation keeps the Incus service offline, confirmed by a publicly available proof-of-concept.
Missing authorization in Kirby CMS allows authenticated Panel users to access sensitive site configuration, user data, and role information regardless of configured permission restrictions. Authenticated attackers with low-privilege Panel accounts can enumerate all users, access the site model, and view role configurations including permission settings-even when site administrators explicitly disabled these capabilities via wildcard permission denial ('*': false). Vendor-released patches in versions 4.9.0 and 5.4.0 add missing permission gates for site.access, user.access/users.access, user.list/users.list, and role information. No public exploit identified at time of analysis, but exploitation requires only authenticated Panel access with network connectivity.