506 CVEs tracked today. 28 Critical, 213 High, 227 Medium, 29 Low.
-
CVE-2026-44364
CRITICAL
CVSS 9.3
A Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability was due to the home blueprint being exempted from CSRF protection. This could allow modification of session ...
CSRF
-
CVE-2026-44351
CRITICAL
CVSS 9.1
### Summary
A critical authentication-bypass vulnerability in `fast-jwt`'s async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string (`''`), for example via the common `keys[decoded...
Authentication Bypass
Node.js
-
CVE-2026-44262
CRITICAL
CVSS 9.4
Remote code execution in Scramble API documentation generator versions 0.13.2 through 0.13.21 allows unauthenticated attackers to execute arbitrary PHP code when documentation endpoints are publicly accessible and validation rules reference user-controlled input. Fixed in version 0.13.22. The CVSS score of 9.4 (Critical) reflects the network-accessible, low-complexity attack requiring no authentication, though exploitation requires specific configuration where documentation endpoints remain enabled and validation rules incorporate request-supplied data. No active exploitation (CISA KEV) or public POC identified at time of analysis, but the GitHub security advisory provides full technical details enabling reproduction.
PHP
RCE
Code Injection
-
CVE-2026-44109
CRITICAL
CVSS 9.2
OpenClaw's Feishu webhook integration fails open when encryptKey is missing or callback tokens are blank, allowing remote unauthenticated attackers to bypass signature verification and replay protection mechanisms. Attackers can submit crafted webhook requests or malformed card-action callbacks directly to command dispatch without authentication, enabling arbitrary command execution. Vendor-confirmed authentication bypass; patch released in version 2026.4.15. No public exploit code or CISA KEV listing identified at time of analysis, but the fail-open behavior and network attack vector (CVSS AV:N/AC:L/PR:N) make this highly exploitable against misconfigured deployments.
Authentication Bypass
-
CVE-2026-43948
CRITICAL
CVSS 9.9
Complete account takeover in wger Python fitness management platform allows authenticated gym managers with no gym assignment (gym=None) to reset passwords of any other unaffiliated user and receive the new plaintext password in the HTTP response body. The vulnerability stems from a Django ORM authorization check that incorrectly evaluates None != None as False, bypassing the tenant isolation guard. Newly registered users default to gym=None state, making every public-registration wger deployment vulnerable. CVSS 9.9 Critical severity with scope change (cross-tenant impersonation). GitHub advisory GHSA-mhc8-p3jx-84mm confirms exploitation requires only low privilege (delegated gym.manage_gym permission) with no user interaction, enabling permanent victim lockout as original passwords are invalidated.
Authentication Bypass
Python
Docker
-
CVE-2026-43585
CRITICAL
CVSS 9.2
Bearer token revocation bypass in OpenClaw gateway allows attackers to authenticate using rotated-out tokens until process restart. OpenClaw gateway HTTP and WebSocket handlers captured bearer authentication configuration at startup, failing to re-resolve credentials after SecretRef rotation. Attackers possessing a previously valid token can maintain unauthorized gateway access to /v1/* endpoints, /tools/invoke, plugin routes, and canvas upgrade paths even after operators rotate secrets, believing the old token is revoked. Fixed in version 2026.4.15. CVSS 9.2 reflects network-accessible attack with high complexity; no public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-43581
CRITICAL
CVSS 9.0
Chrome DevTools Protocol exposure in OpenClaw sandbox browser allows adjacent network attackers to remotely control sandboxed Chrome instances and access sensitive data. The CDP relay binds to 0.0.0.0 without source IP restrictions in versions before 2026.4.10, enabling attackers on the same Docker network to bypass sandbox isolation and execute arbitrary JavaScript in browser contexts. Vendor-released patch available (v2026.4.10); no public exploit identified at time of analysis. CVSS 9.0 reflects adjacent network attack vector with high confidentiality, integrity, and availability impact across virtual and system scopes.
Information Disclosure
Google
-
CVE-2026-43578
CRITICAL
CVSS 9.1
Privilege escalation in OpenClaw 2026.3.31 through 2026.4.9 allows remote unauthenticated attackers to maintain elevated execution context by injecting malicious async completion events that bypass heartbeat owner-downgrade detection. The flaw stems from incomplete pattern matching in local background exec completion filtering, enabling attackers to submit untrusted completion content that prevents proper privilege de-escalation after operations complete. Vendor-released patch available in version 2026.4.10 and later. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, but CVSS 9.1 critical rating reflects network-accessible attack surface with no authentication required.
Privilege Escalation
-
CVE-2026-43575
CRITICAL
CVSS 9.2
Authentication bypass in OpenClaw 2026.2.21 through 2026.4.9 allows remote unauthenticated attackers to access the sandbox noVNC helper route and gain unauthorized control of interactive browser sessions. The vulnerability exposes session credentials by failing to enforce bridge authentication on the /sandbox/novnc endpoint. OpenClaw is an open-source AI agent framework. Patch available in version 2026.4.10 and later. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.
Authentication Bypass
-
CVE-2026-43208
CRITICAL
CVSS 9.8
Out-of-bounds memory access in Linux kernel RPS (Receive Packet Steering) subsystem allows remote unauthenticated attackers to trigger kernel crashes or potentially achieve code execution with SYSTEM privileges. The flaw stems from incorrect assumptions about RPS hash table sizing across receive queues, introduced in commit 48aa30443e52. Exploitation requires no authentication (CVSS AV:N/PR:N) but EPSS probability remains low at 0.02% (4th percentile), suggesting limited real-world targeting. Patches available for stable kernel branches 6.18.16, 6.19.6, and 7.0.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43198
CRITICAL
CVSS 9.8
Race condition in Linux kernel TCP/IPv6 stack allows remote unauthenticated attackers to trigger use-after-free conditions during IPv6-mapped IPv4 socket creation, potentially achieving arbitrary code execution or denial of service. The flaw occurs in tcp_v6_syn_recv_sock() where child socket visibility in the TCP hash table races with incomplete IPv6 structure initialization, causing other CPUs to access invalid memory via newinet->pinet6 pointing to listener data. Vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical CVSS 9.8 rating, suggesting this requires specific IPv6-mapped IPv4 configuration and precise timing to exploit.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-43197
CRITICAL
CVSS 9.1
Out-of-bounds memory reads in Linux kernel netconsole subsystem allow information disclosure and system crashes via unterminated console messages. The vulnerability affects Linux kernel 6.6+ including 6.18.x and 6.19.x branches, triggered by netconsole's failure to validate message buffer boundaries when converting to NBCON console infrastructure. Vendor patches available for 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% suggests minimal real-world exploitation despite CVSS 9.1 rating. No public exploit identified at time of analysis.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43186
CRITICAL
CVSS 9.8
Heap buffer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) packet processing allows remote unauthenticated attackers to corrupt kernel memory and trigger system crashes. Attackers send crafted IPv6 packets with inconsistent IOAM trace headers (nodelen=0 with type bits set), causing __ioam6_fill_trace_data() to write ~100 bytes beyond allocated memory into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is low (0.05%, 16th percentile) and no active exploitation or public POC has been identified. Vendor patches available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43185
CRITICAL
CVSS 9.8
Heap buffer overflow in Linux kernel ksmbd SMB Direct negotiation allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability stems from a signedness bug where a malicious SMB Direct client sends a crafted preferred_send_size value (0x80000000) that bypasses minimum size validation, then follows with an oversized message (>1420 bytes) triggering heap corruption. With CVSS 9.8 critical severity and network-accessible attack vector requiring no authentication, this represents a severe pre-auth remote code execution risk. EPSS score of 0.02% suggests limited observed exploitation activity. Vendor patches available across multiple stable kernel branches.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-43125
CRITICAL
CVSS 9.8
Remote unauthenticated attackers can cause critical out-of-bounds writes in the Linux kernel's Distributed Lock Manager (DLM) subsystem by sending malformed network messages with unvalidated length parameters to dlm_dump_rsb_name(). When the length exceeds DLM_RESNAME_MAXLEN, dlm_search_rsb_tree() writes beyond allocated buffers, enabling arbitrary code execution, denial of service, or information disclosure. Patches available for kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit or active exploitation has been identified at time of analysis, despite the critical CVSS 9.8 score.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43117
CRITICAL
CVSS 9.1
A kernel crash occurs in Linux btrfs filesystem tracepoint code when OverlayFS is layered on top of btrfs. The btrfs_sync_file() event handler incorrectly dereferences dentry->d_sb, which resolves to the overlay superblock instead of the underlying btrfs superblock, causing a kernel panic during fsid assignment. This affects Linux kernel versions from initial git commit (1da177e4c3f4) through multiple stable branches until patched releases 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Vendor patches are available across all affected stable kernel branches.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43114
CRITICAL
CVSS 9.4
A logic error in Linux kernel netfilter's AVX2-accelerated nft_set_pipapo matching allows incorrect element matching when flushing and reloading sets with composite keys (e.g., 'ipv4 . port'). The AVX2 code path prematurely returns non-matching entries during multi-field lookups, causing false collision reports when reinserting elements after a set flush. This affects netfilter firewall rule processing on systems with AVX2 CPU support. With CVSS 9.4 (AV:N/AC:L/PR:N/UI:N), the vector suggests critical network-accessible impact, though the description indicates this is a firewall rule management bug rather than a direct remote exploitation path. EPSS score of 0.02% (5th percentile) and no KEV listing suggest low real-world exploitation likelihood. Patches available across stable kernel branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43083
CRITICAL
CVSS 9.1
Out-of-bounds memory access in Linux kernel IOAM6 networking code allows remote unauthenticated attackers to read sensitive kernel memory or crash systems via crafted IPv6 packets with IOAM trace options. The vulnerability triggers when RX queue indices from ingress devices exceed TX queue counts on egress devices, causing array boundary violations in network qdisc operations. Additionally, a missing spinlock enables race conditions in queue statistics access from concurrent softirq and process contexts. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation. Vendor patches available across multiple stable kernel branches.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-42555
CRITICAL
CVSS 9.1
Spring Expression Language injection in Valtimo (open-source business process platform) allows authenticated ADMIN users to execute arbitrary OS commands and exfiltrate credentials. The vulnerability exists in DocumentMigrationService (versions 12.0.0-12.31.0 and 13.0.0-13.22.0) and the Condition framework (13.4.0-13.22.0), both of which use StandardEvaluationContext to evaluate user-supplied SpEL expressions without restrictions. Attackers can invoke Runtime.exec(), access environment variables containing database passwords and API keys, and load arbitrary Java classes. Vendor-released patches are available (12.32.0, 13.23.0). No public exploit identified at time of analysis, EPSS data not available.
RCE
Java
Code Injection
-
CVE-2026-41930
CRITICAL
CVSS 9.2
Hard-coded credentials in Vvveb's Docker deployment expose the entire application database to unauthenticated remote attackers. Versions prior to 1.0.8.2 ship with pre-configured phpMyAdmin credentials in docker-compose-apache.yaml, allowing direct database access without authentication. Attackers gain unrestricted read/write access to administrator password hashes, customer PII, and order data, enabling account takeover and data manipulation. CVSS 9.2 (Critical) reflects network-accessible attack with low complexity. Patch available in version 1.0.8.2 with vendor advisory confirmed by GitHub Security Advisory GHSA-g38h-mr9p-fjmf.
Authentication Bypass
Apache
Docker
-
CVE-2026-40010
CRITICAL
CVSS 9.1
Session fixation in Apache Wicket AuthenticatedWebSession allows remote unauthenticated attackers to hijack user sessions and escalate privileges by fixing session identifiers before authentication completes. Affects Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite critical CVSS 9.1, suggesting this requires specific deployment conditions. Not listed in CISA KEV; no public POC identified at time of analysis. Apache has published vendor advisories with fix versions across all three major release branches.
Apache
Information Disclosure
Session Fixation
-
CVE-2026-29090
CRITICAL
CVSS 9.0
SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL against the PostgreSQL metadata database when the postgres_meta plugin is configured. The vulnerability exists in FilterEngine.create_postgres_query where attacker-controlled filter parameters are interpolated directly into raw SQL via Python str.format. Exploitation enables complete database compromise including extraction of authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and session hijacking. Remote code execution is possible via PostgreSQL COPY...FROM PROGRAM if database privileges permit. CVSS 9.9 (Critical) reflects the scope change and cascading impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, but attack complexity is low (AC:L) requiring only basic authenticated access.
RCE
Python
SQLi
PostgreSQL
-
CVE-2026-29080
CRITICAL
CVSS 9.4
SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.
RCE
Python
Java
SQLi
PostgreSQL
-
CVE-2026-7910
CRITICAL
CVSS 9.6
Use-after-free in the Views component of Google Chrome versions prior to 148.0.7778.96 enables site isolation bypass after renderer compromise. A remote attacker who has already compromised the renderer process can escape sandbox protections via a malicious HTML page, potentially accessing cross-origin data or executing code outside the renderer sandbox. Patch released by Google in version 148.0.7778.96. EPSS score of 0.02% (3rd percentile) indicates very low probability of exploitation in the wild currently, with no evidence of active exploitation or public proof-of-concept at time of analysis.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-7908
CRITICAL
CVSS 9.6
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to break out of the browser's security sandbox through a use-after-free vulnerability in the Fullscreen API component. Attackers can deliver the exploit via a specially crafted HTML page, requiring only that the user visit the page (no additional interaction). With CVSS 9.6 (Critical) and scope change indicating containment breach, this represents a serious risk to browser security model integrity. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-7875
CRITICAL
CVSS 9.3
Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to escape isolation and read arbitrary host files via crafted message IDs and attachment paths, with potential for recursive deletion of host directories during outbox cleanup. The vulnerability exploits insufficient validation of outbound attachment filenames and symlink resolution in the host-side message handling code. Upstream fix available (GitHub commit 7814e45) but released patched version not independently confirmed. No public exploit identified at time of analysis, though proof-of-concept test cases demonstrate both file exfiltration and destructive cleanup paths.
Path Traversal
-
CVE-2026-5081
CRITICAL
CVSS 9.1
Predictable session ID generation in Apache::Session::Generate::ModUniqueId 1.54-1.94 allows remote unauthenticated attackers to forge session tokens and hijack user sessions. The vulnerability stems from using Apache mod_unique_id values as session identifiers; these values are deterministic and constructed from publicly observable or easily guessable components (server IP, process ID, timestamp, counter). With CVSS 9.1 and SSVC automation classification, this enables systematic session hijacking at scale despite no confirmed active exploitation.
Apache
Information Disclosure
Red Hat
-
CVE-2026-0300
CRITICAL
CVSS 9.3
Remote code execution in Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls via specially crafted packets. CISA KEV confirms active exploitation in the wild with publicly available exploit code. EPSS risk assessment is not provided, but the vulnerability achieves maximum impact with minimal attack complexity (CVSS 9.3, AV:N/AC:L/PR:N), making this a critical priority for immediate remediation. The attack surface is significantly reduced when access to the portal is restricted to trusted internal networks per vendor best practices.
RCE
Buffer Overflow
Memory Corruption
Paloalto
-
CVE-2026-44375
HIGH
CVSS 7.5
### Summary
Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a ...
Denial Of Service
Deserialization
-
CVE-2026-44349
HIGH
CVSS 7.1
## Summary
`processFuzzySearch` in `server/resource/resource_findallpaginated.go:1484` splits the user-supplied `column` parameter by comma and interpolates each segment directly into `goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col))` raw SQL with no column whitelist check. The entry point is `G...
Python
SQLi
PostgreSQL
Apple
Oracle
-
CVE-2026-44335
HIGH
CVSS 7.7
### Summary
The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks.
### Details
The current PraisonAI project uses _validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extrac...
SSRF
-
CVE-2026-44334
HIGH
CVSS 8.4
## TL;DR
CVE-2026-40287's fix gated `tools.py` auto-import behind `PRAISONAI_ALLOW_LOCAL_TOOLS=true` in **two** files (`tool_resolver.py`, `api/call.py`). A **third** import sink in `praisonai/templates/tool_override.py` was missed and remains unguarded. It is reached by the recipe runner on every ...
RCE
Python
Code Injection
-
CVE-2026-44307
HIGH
CVSS 8.7
Path traversal in Mako Templates (Python library) on Windows platforms allows attackers to read arbitrary files outside configured template directories via backslash-based directory traversal sequences. Affects Mako versions ≤1.3.11 when applications accept user-controlled template names on Windows systems. Vendor-released patch available in version 1.3.12 (confirmed by GitHub commit 72e10c5). No public exploit code identified at time of analysis, though exploitation conditions are straightforward when prerequisites are met.
Python
Path Traversal
Microsoft
Suse
-
CVE-2026-44304
HIGH
CVSS 8.1
LDAP filter injection in Netflix Lemur certificate management platform allows authenticated users with valid LDAP credentials to escalate privileges to administrator by injecting metacharacters into the username field during login. Attackers manipulate group membership queries to gain unauthorized admin roles, enabling access to all certificates, private keys via /certificates/<id>/key endpoint, and CA configurations. Vendor-released patch confirmed in version 1.9.0 (GitHub advisory GHSA-3r34-vq8m-39gh). CVSS 8.1 indicates high confidentiality and integrity impact with low attack complexity from network-authenticated attackers. No public exploit code identified at time of analysis, though detailed reproduction steps exist in the advisory.
Authentication Bypass
Privilege Escalation
Python
LDAP
Code Injection
-
CVE-2026-44302
HIGH
CVSS 7.5
Infinite loop denial-of-service in Snappier .NET library allows remote attackers to exhaust server resources with as few as 15 bytes of malformed Snappy-compressed data. The vulnerability affects the SnappyStream decompressor component when processing framed-format streams, causing an uncatchable busy-loop that cannot be interrupted via try/catch blocks. Publicly available exploit code exists (CVE researcher provided a working proof-of-concept). CVSS 7.5 with network vector and no authentication required indicates remotely exploitable attack surface in web applications processing compressed uploads or API payloads. No active exploitation confirmed at time of analysis, but the trivial exploit complexity (15-byte payload) makes this attractive for resource exhaustion attacks against .NET services using Snappier for decompression.
Denial Of Service
-
CVE-2026-44244
HIGH
CVSS 7.8
Arbitrary code execution via Git hook redirection in GitPython 3.1.48 and earlier allows local authenticated users to inject malicious core.hooksPath configuration through newline characters in config_writer().set_value(). Publicly available exploit code exists. The vulnerability enables persistent repository poisoning where attacker-controlled hooks execute with the privileges of any user performing Git operations (commit, merge, checkout) on the poisoned repository. Particularly dangerous in multi-tenant environments like MLRun, DVC, MLflow, or Kedro where shared repositories enable privilege escalation across user contexts. Fixed in GitPython 3.1.49.
RCE
Python
Code Injection
Suse
-
CVE-2026-44243
HIGH
CVSS 7.8
Path traversal in GitPython versions ≤3.1.47 enables arbitrary file write and deletion outside repository boundaries when applications pass attacker-controlled reference paths to reference creation, rename, or delete operations. A fully functional proof-of-concept demonstrates successful exploitation by crafting reference names with '../../../' sequences to escape the `.git` directory and manipulate files with the process owner's permissions. Applications exposing GitPython reference APIs to user input (particularly Git automation services, CI/CD pipelines, and multi-tenant developer platforms) are at immediate risk, as no authentication is required at the library boundary. Fixed in version 3.1.48 per GitHub advisory GHSA-7545-fcxq-7j24.
Denial Of Service
Python
Path Traversal
Suse
-
CVE-2026-44241
HIGH
CVSS 7.5
Unauthenticated remote denial-of-service in Micronaut Framework 4.3.0–4.10.21 allows heap exhaustion via crafted Accept-Language headers. The TimeConverterRegistrar component caches DateTimeFormatter instances in an unbounded ConcurrentHashMap keyed by @Format pattern plus locale. Attackers exploit BCP 47 private-use extensions (e.g., en-x-0001, en-x-0002) to generate millions of unique cache entries, consuming 500+ MB per 100,000 requests until JVM crashes with OutOfMemoryError. Publicly available exploit code exists (PoC provided in advisory). EPSS score not yet available for this 2026 CVE. Affects all Micronaut HTTP servers using documented @Format temporal parameter binding—a first-class framework feature requiring no special configuration. Vendor-released patch: 4.10.22 fixes both this and sibling vulnerability GHSA-3rfq-4wpf-qqw3 in ResourceBundleMessageSource. Structurally identical to previously patched GHSA-2hcp-gjrf-7fhc but in different component.
Denial Of Service
Java
-
CVE-2026-44240
HIGH
CVSS 7.5
Remote unauthenticated attackers can trigger memory exhaustion and process-level denial of service in Node.js applications using basic-ftp by sending unterminated FTP multiline control responses during initial connection. The vulnerability occurs in the client library when connecting to malicious or compromised FTP servers, causing unbounded buffer growth in _partialResponse with repeated CPU-intensive reparsing. This affects automated FTP integrations for scheduled imports, customer-provided endpoints, backup jobs, and CI/CD pipelines. Publicly available exploit code exists per GitHub security advisory GHSA-rpmf-866q-6p89. CVSS 7.5 HIGH with network attack vector, low complexity, and no authentication required confirms practical remote exploitation risk.
Denial Of Service
Node.js
-
CVE-2026-44232
HIGH
CVSS 8.7
The dssrf Node.js library (versions < 1.3.0) allows Server-Side Request Forgery (SSRF) protection bypass through IPv6 addresses targeting internal resources. Attackers can craft HTTP requests using IPv6 loopback (::1), unique local addresses (fc00::/7), link-local addresses (fe80::/10), IPv4-mapped IPv6 addresses (::ffff:127.0.0.1, ::ffff:169.254.169.254), NAT64 prefixes, and other IPv6 categories to access internal services, cloud metadata endpoints (IMDS), and private networks that the library was explicitly designed to block. The vulnerability directly contradicts dssrf documentation claiming IPv6 is disabled entirely, and publicly available exploit code (POC) demonstrates all affected IPv6 categories. Patch available in version 1.3.0.
SSRF
Node.js
-
CVE-2026-44118
HIGH
CVSS 8.5
Authentication bypass in OpenClaw's MCP loopback interface allows local low-privilege attackers to escalate to owner-level access. Non-owner MCP client processes can spoof the 'x-openclaw-sender-is-owner' HTTP header to impersonate the owner and access owner-gated operations. Publicly available exploit code exists via GitHub commit 3cb1a56, and VulnCheck has published a detailed advisory. The vulnerability affects OpenClaw npm package versions <= 2026.4.21, with patch 2026.4.22 available since April 2026.
Authentication Bypass
-
CVE-2026-44115
HIGH
CVSS 8.7
Shell expansion injection in OpenClaw's exec allowlist validation allows authenticated attackers to bypass command approval controls and execute arbitrary system commands. The vulnerability affects OpenClaw versions prior to 2026.4.22 through improper parsing of unquoted heredoc bodies, where shell expansion tokens ($VAR, $(), etc.) are treated as literal text during allowlist analysis but expanded at runtime. This enables attackers to embed unapproved commands within ostensibly safe allowlisted commands. VulnCheck disclosed this vulnerability, and a proof-of-concept fix commit is publicly available. CVSS 8.7 reflects high impact across confidentiality, integrity, and availability with low attack complexity.
Authentication Bypass
-
CVE-2026-44114
HIGH
CVSS 8.5
Environment variable namespace collision in OpenClaw npm package before version 2026.4.20 enables malicious workspace dotenv files to override critical runtime control variables including OPENCLAW_GIT_DIR, potentially redirecting trusted operations like source updates and installer flows to attacker-controlled paths. Exploitation requires user interaction (opening a malicious workspace) but no authentication, achieving high confidentiality and integrity impact within the local scope. CVSS 8.5 severity reflects the local attack vector with low complexity. No active exploitation confirmed (not in CISA KEV), but public exploit code exists via the GitHub security advisory demonstrating the attack surface. Fixed in version 2026.4.20 per vendor commit 018494fa.
Information Disclosure
-
CVE-2026-44113
HIGH
CVSS 8.3
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use (TOCTOU) race condition in the OpenShell filesystem bridge that allows authenticated attackers with local access to read files outside the intended mount root by performing symlink swaps during filesystem operations. The vulnerability affects sandbox security guarantees by enabling bypass of containment restrictions through coordinated symlink manipulation, and has been confirmed patched in version 2026.4.22.
Authentication Bypass
-
CVE-2026-44112
HIGH
CVSS 8.4
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows authenticated attackers to redirect file writes outside the intended mount root via symlink swaps. By exploiting the window between sandbox validation and actual file write operations, an attacker with local access can manipulate symlinks to bypass sandbox filesystem restrictions and write arbitrary files to locations outside the workspace.
Authentication Bypass
-
CVE-2026-44110
HIGH
CVSS 7.7
Authorization bypass in OpenClaw Matrix bot integration allows DM-paired attackers to execute privileged room control commands without configured permissions. Attackers who have previously established direct message pairing can exploit misaligned allowlist logic to run room control commands in bot rooms, bypassing room membership and allowlist requirements. Fixed in version 2026.4.15 after responsible disclosure by Keen Security Lab. No evidence of active exploitation; publicly available vendor advisory and fix commits reduce exploitation probability.
Authentication Bypass
-
CVE-2026-44012
HIGH
CVSS 7.1
Authenticated control-panel users in Craft CMS 5.x can enumerate asset filenames and complete folder hierarchies (volume handles, UIDs, folder names, URIs) across all volumes by sending arbitrary asset IDs to the AssetsController::actionShowInFolder endpoint, bypassing volume-level viewAssets and viewPeerAssets permission checks. The flaw stems from an incomplete February 2026 patch wave that fixed four sibling endpoints but missed this method, introduced 13 days before the patch release. No public exploit identified at time of analysis; the vendor-released patch is in 5.9.18 and later. This information disclosure vulnerability enables reconnaissance for follow-up attacks against restricted asset volumes.
PHP
Authentication Bypass
-
CVE-2026-44011
HIGH
CVSS 8.6
Remote code execution in Craft CMS allows any authenticated user to execute arbitrary system commands via malicious Yii object configuration. This vulnerability exploits uncleansed field layout data in the condition handling path, bypassing previous CVE-2024-4990 mitigations. Attackers can inject behaviors through POST requests to admin endpoints like /admin/actions/element-search/search, triggering command execution via AttributeTypecastBehavior abuse. Publicly available exploit code exists in the GitHub advisory (GHSA-qrgm-p9w5-rrfw) with detailed proof-of-concept. Affects Craft CMS 4.0.0-RC1 through 4.16.16 and 5.0.0-RC1 through 5.8.20. Vendor-released patches: 4.16.17 and 5.8.21.
CSRF
Mozilla
-
CVE-2026-44010
HIGH
CVSS 7.1
Unauthorized PII disclosure in Craft CMS GraphQL API allows cross-scope address enumeration via missing authorization check. A GraphQL API token scoped to any single low-privilege user group can read all addresses system-wide, including PII from restricted user groups (full names, home addresses, corporate addresses, tax IDs, GPS coordinates). The Address element resolver bypasses schema scope filtering that all other element resolvers enforce. Vendor-released patch: versions 5.9.18 and 4.17.12. Publicly available exploit code exists (detailed PoC in GitHub advisory). Affects all Craft CMS Pro deployments (v4.0.0+) using headless GraphQL APIs with user group scoping, a standard deployment pattern for Next.js/Nuxt/Gatsby frontends.
PHP
Authentication Bypass
Docker
-
CVE-2026-43646
HIGH
CVSS 7.5
Remote unauthenticated attackers can access restricted package resources in Apache Wicket 8.x through 10.x by crafting URLs that bypass PackageResourceGuard protections, leading to unauthorized information disclosure. The vulnerability affects Apache Wicket versions 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. With CVSS 7.5 (High) but low EPSS (0.02%, 5th percentile), this represents a theoretical high-severity issue without evidence of active exploitation. SSVC assessment confirms no current exploitation, though the attack is automatable against default configurations.
Apache
Information Disclosure
-
CVE-2026-43584
HIGH
CVSS 8.7
Environment variable injection in OpenClaw before 2026.4.10 allows authenticated remote attackers to hijack interpreter execution behavior through insufficient filtering of high-risk startup variables (VIMINIT, EXINIT, LUA_INIT, HOSTALIASES). The vulnerability enables code execution by manipulating how downstream interpreters (Vim, ex, Lua) initialize and resolve hostnames. Patched in version 2026.4.10 following coordinated disclosure by Tencent zhuque Lab. No public exploit identified at time of analysis, though CVSS 8.7 reflects network-exploitable attack surface with low complexity requiring only low-privilege authentication.
Information Disclosure
-
CVE-2026-43577
HIGH
CVSS 7.1
Arbitrary file read in OpenClaw before 2026.4.9 allows authenticated remote attackers to bypass navigation guards and access local files via browser interaction routes. Attackers exploit the ability to trigger navigation into the local Chrome DevTools Protocol (CDP) origin through act/evaluate commands, then create or read disallowed file:// URLs despite direct navigation policy restrictions. Patch available in version 2026.4.9 and confirmed included in npm release 2026.4.14. No public exploit code identified at time of analysis; CVSS 7.1 (High) with network attack vector and low complexity.
Authentication Bypass
-
CVE-2026-43283
HIGH
CVSS 8.8
Improper DMA buffer unmapping in the Linux kernel ec_bhf Ethernet driver allows local authenticated attackers with low privileges to trigger memory corruption, potentially achieving arbitrary code execution, information disclosure, or denial of service with container escape capability (scope change). The vulnerability exists in error path handling where dma_free_coherent() receives the wrong DMA handle parameter (alloc_len instead of alloc_phys), causing incorrect buffer unmapping. Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no public exploit identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43281
HIGH
CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved:
mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
Although it is guided that `#mbox-cells` must be at least 1, there are
many instances of `#mbox-cells = <0>;` in the device tree. If that is
the case and the correspon...
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43280
HIGH
CVSS 7.1
Local authenticated attackers can trigger an out-of-bounds kernel memory read in Linux kernel's xe graphics driver (6.18-6.19.x) via malicious pat_index values in the madvise IOCTL. This allows information disclosure from kernel memory and potential denial of service through kernel crashes. The vulnerability exists because madvise_args_are_sane() fails to validate pat_index bounds before passing it to xe_pat_index_get_coh_mode(), which performs unsafe array access into xe->pat.table. Vendor patches available for kernels 6.18.16+ and 6.19.6+ implement bounds checking with array_index_nospec() to prevent both direct exploitation and Spectre-based side-channel attacks. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43279
HIGH
CVSS 7.8
Out-of-bounds buffer writes in Linux kernel ALSA USB audio subsystem allow local authenticated attackers to crash the kernel or potentially achieve privilege escalation. The flaw occurs during implicit feedback mode playback when stream configurations mismatch between capture and playback, causing the prepare_silent_urb() function to write beyond allocated buffer boundaries. Affects all Linux kernel versions from initial commit 1da177e4c3f4 through multiple stable branches; vendor patches available for 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploits or active exploitation confirmed.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43278
HIGH
CVSS 7.8
Double-free memory corruption in Linux kernel device-mapper subsystem allows local authenticated users to trigger use-after-free conditions, potentially leading to privilege escalation or denial of service. The vulnerability manifests when using request-based DM targets (e.g., dm-multipath) over NVMe devices, where cloned request bios are freed twice due to stale bio pointers in clone requests. Vendor patches available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low predicted exploitation probability; no active exploitation confirmed at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43276
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
net: mana: Fix double destroy_workqueue on service rescan PCI path
While testing corner cases in the driver, a use-after-free crash
was found on the service rescan PCI path.
When mana_serv_reset() calls mana_gd_suspend(), mana_gd...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43274
HIGH
CVSS 8.4
Out-of-bounds memory access in Linux kernel's Microchip IPC mailbox driver allows local attackers to achieve arbitrary code execution with high integrity and confidentiality impact. The mchp-ipc-sbi driver incorrectly indexes a dynamically allocated cluster configuration array using non-contiguous hardware thread IDs (hartid) instead of sequential CPU IDs, causing reads/writes beyond array bounds on systems where hartid values exceed the number of online CPUs. Vendor patches available for stable kernel series 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% suggests low probability of mass exploitation despite high CVSS severity, with no active exploitation confirmed at time of analysis.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43263
HIGH
CVSS 7.8
A race condition in the Linux kernel's chips-media wave5 video decoder driver allows local authenticated users to trigger a NULL pointer dereference during concurrent instance creation/destruction, potentially leading to high confidentiality, integrity, and availability impact. The vulnerability affects kernel versions from commit 9707a6254a8a onwards until patched in 6.18.16, 6.19.6, and 7.0. Fixed via interrupt handler refactoring with proper locking. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists, suggesting limited real-world exploitation despite the high CVSS 7.8 score.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43260
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix RSS context delete logic
We need to free the corresponding RSS context VNIC
in FW every time an RSS context is deleted in driver.
Commit 667ac333dbb7 added a check to delete the VNIC
in FW only when netif_running() is ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43258
HIGH
CVSS 7.8
Local privilege escalation and memory corruption in Linux kernel on Alpha architecture allows authenticated users to execute arbitrary code, corrupt heap memory, or crash systems via insufficient TLB shootdown during memory compaction. The vulnerability affects Alpha systems exclusively and manifests as SIGSEGV crashes, glibc allocator corruption, and compiler failures. EPSS score of 0.02% indicates low likelihood of widespread exploitation, though vendor patches are available across multiple stable kernel branches. Attack requires local authenticated access with low complexity (CVSS AV:L/AC:L/PR:L), limiting remote exploitation scenarios.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43256
HIGH
CVSS 7.8
Out-of-bounds memory access in Linux kernel Qualcomm Camera Subsystem (camss) allows local authenticated users to achieve arbitrary code execution, data corruption, or denial of service. The vfe_isr() function iterates beyond the bounds of the vfe->line[] array (size 4) using a loop count of 7, enabling access to memory at offsets +4, +5, and +6. Vendor patches available across multiple stable branches (6.1.167, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score 0.02% (7th percentile) indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43254
HIGH
CVSS 7.5
A denial-of-service vulnerability in the Linux kernel's OpenVPN TCP stream processing (ovpn_tcp_recv) allows remote unauthenticated attackers to cause packet drops and potential system unavailability through header offset overflow and misaligned protocol headers when handling coalesced TCP packets. The vulnerability affects Linux kernel versions containing commit 11851cbd60ea (OpenVPN driver) through 6.19.6, 6.18.16, and 7.0, with patches available in stable branches. EPSS score of 0.02% (4th percentile) suggests low observed exploitation probability despite the network-accessible attack vector and high availability impact (CVSS 7.5).
RCE
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-43253
HIGH
CVSS 7.5
AMD IOMMU completion wait operations in the Linux kernel can trigger soft lockups under high load when strict mode is enabled (iommu.strict=1). The vulnerability stems from busy-waiting inside a spinlock with interrupts disabled, causing kernel responsiveness issues and potential denial of service on systems with AMD IOMMU hardware. Patches are available across multiple kernel stable branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score is low (0.02%, 5th percentile) with no confirmed active exploitation or public POC identified at time of analysis.
Information Disclosure
Linux
Red Hat
Amd
Suse
-
CVE-2026-43250
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()
The ChipIdea UDC driver can encounter "not page aligned sg buffer"
errors when a USB device is reconnected after being disconnected
during an active transfer. This occurs be...
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43249
HIGH
CVSS 8.8
Double-free memory corruption in Linux kernel's Xen 9P filesystem driver (9p/xen) allows adjacent network attackers to crash the kernel or potentially execute arbitrary code. The xenwatch thread racing with back-end state changes triggers use-after-free during teardown of xen_9pfs_front_free(), causing general protection faults. Vendor patches available for mainline 7.0 and stable branches 6.19.6, 6.18.16, and 6.12.75. EPSS score of 0.02% (5th percentile) suggests low exploitation probability in the wild; no public exploit or CISA KEV listing at time of analysis.
Denial Of Service
Linux
Red Hat
Canonical
Suse
-
CVE-2026-43248
HIGH
CVSS 7.8
Out-of-bounds write in Linux kernel vhost_vdpa subsystem allows local authenticated users to achieve arbitrary kernel memory corruption via ASID group assignment. Affects Linux kernel versions 5.19 through 6.19.x, with vendor patches available for stable branches 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. Exploitation requires local access with low privileges but no user interaction (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability, and no public exploit code or active exploitation confirmed at time of analysis.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43245
HIGH
CVSS 7.5
Kernel panic or denial of service occurs in the NTFS filesystem driver when d_compare() operations block on memory allocation. Linux kernel versions from mainline commit 1da177e4c3f4 through 6.18.x, 6.19.x, and early 7.0 are affected. The vulnerability stems from improper use of __getname() within the d_compare() function which can block, violating kernel locking requirements and causing system instability under memory pressure. EPSS score of 0.02% (4th percentile) indicates low observed exploitation likelihood. Vendor patches available for versions 6.18.16, 6.19.6, and 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43241
HIGH
CVSS 7.1
Out-of-bounds array access in the Linux kernel's NTB Switchtec hardware driver allows authenticated local users with low privileges to read sensitive kernel memory or trigger denial of service. The vulnerability affects the mw_sizes array when NTB (Non-Transparent Bridge) configurations set memory window LUTs to MAX_MWS, enabling access beyond array boundaries. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no confirmed active exploitation or public POC. Vendor patches are available across all affected stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43239
HIGH
CVSS 8.8
Race condition in Linux kernel SMB client allows concurrent query interface work items to corrupt network interface state. Affects mainline Linux kernel and stable branches 6.6.x through 7.0. Exploitation requires user interaction (likely mounting/accessing SMB shares) but enables remote attackers to achieve high confidentiality, integrity, and availability impacts. Vendor patches available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is extremely low (0.02%, 5th percentile); no active exploitation is confirmed, and POC status is unknown.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43237
HIGH
CVSS 7.8
Use-after-free and reference count underflow in the Linux kernel's amdgpu DRM driver allows local authenticated users with low privileges to cause kernel panic, denial of service, and potentially execute arbitrary code with kernel privileges. The vulnerability affects amdgpu_gem_va_ioctl handling of GPU timeline fences where stale or freed fences are used due to premature fence selection and improper reference management. Patch available in kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or active exploitation has been identified.
Denial Of Service
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43236
HIGH
CVSS 7.8
Use-after-free in Linux kernel's Atmel HLCDC DRM driver allows local authenticated users to execute arbitrary code, escalate privileges, or cause denial of service. The atmel_hlcdc_plane_atomic_duplicate_state() function incorrectly copies plane state without properly duplicating the drm_plane_state structure, leaving a stale commit pointer that triggers use-after-free during subsequent drm_atomic_commit() calls. Vulnerability surfaces when reopening the device node while another DRM client remains attached. EPSS score is low (0.02%) and no active exploitation confirmed at time of analysis, but local privilege escalation potential and vendor-released patches across multiple stable kernel branches indicate genuine risk for systems using Atmel HLCDC display hardware.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43233
HIGH
CVSS 8.2
Heap buffer overflow in Linux kernel's nf_conntrack_h323 netfilter module allows remote unauthenticated attackers to trigger 1-2 byte out-of-bounds read via crafted Q.931 SETUP messages to port 1720. The vulnerability affects firewalls with H.323 connection tracking active and can cause information disclosure or denial of service. EPSS score of 0.02% suggests low exploitation probability despite network-accessible attack vector. Patches available across all maintained stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43232
HIGH
CVSS 8.8
Use-after-free in Linux kernel farsync driver allows remote code execution when FarSync T-series WAN cards are detached while tasklets remain active. The vulnerability occurs when fst_tx_task or fst_int_task continue executing after fst_card_info is freed in fst_remove_one(), causing the kernel to access deallocated memory. Despite the CVSS 8.8 score with network vector, the EPSS score is extremely low (0.02%, 7th percentile), suggesting minimal real-world exploitation likelihood. No active exploitation confirmed (not in CISA KEV). Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43230
HIGH
CVSS 7.5
Denial of service in Linux kernel RDS networking module allows remote unauthenticated attackers to cause persistent network reconnection failures through improper bit flag handling. The vulnerability affects the Reliable Datagram Sockets (RDS) protocol implementation where canceling a reconnect worker without clearing the reconnect-pending bit causes a permanent stuck state, preventing legitimate network reconnections. Vendor patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile), and no public exploit or active exploitation confirmed at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43226
HIGH
CVSS 7.5
Denial of service in Linux kernel's RDS/TCP networking subsystem allows remote unauthenticated attackers to trigger connection state machine deadlock, causing persistent service unavailability. The vulnerability stems from improper state transition handling in RDS_CONN_ERROR conditions introduced by multipath changes, where connections can bypass normal shutdown procedures and become permanently stuck with queued shutdown workers. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS probability of 0.02%, this represents a moderate-severity issue affecting network-facing systems using RDS protocol. Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43222
HIGH
CVSS 7.8
A memory corruption vulnerability in the Linux kernel's Verisilicon AV1 media driver allows local authenticated attackers to write tile info data beyond allocated buffer boundaries, potentially achieving arbitrary code execution with kernel privileges. The vulnerability affects kernel versions from 6.5 onwards where commit 727a400686a2 introduced the flaw. Patches are available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis and no CISA KEV listing.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43215
HIGH
CVSS 8.8
A race condition in the Linux kernel CIFS (Common Internet File System) implementation allows attackers to exploit improper locking of tcon (tree connection) fields, potentially achieving high confidentiality, integrity, and availability impact. The vulnerability stems from legacy use of cifs_tcp_ses_lock instead of the more granular tc_lock for protecting tcon structure fields, creating synchronization gaps that could be exploited through crafted SMB operations requiring user interaction. Vendor patches are available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0), with EPSS indicating low exploitation probability (0.02%, 5th percentile) and no confirmed active exploitation at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43214
HIGH
CVSS 7.8
Local privilege escalation in Linux Kernel KVM x86 allows authenticated users with low privileges to potentially achieve arbitrary code execution, information disclosure, or denial of service by exploiting a missing SRCU read-side lock when reading PDPTR registers via the KVM_GET_SREGS2 ioctl. The vulnerability triggers a lockdep warning and unsafe memory slot access in __get_sregs2(), affecting Linux kernel versions from 5.14 onward. Vendor patches available across multiple stable branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6). EPSS score of 0.02% (7th percentile) suggests low exploitation probability in the wild, with no public exploit code or CISA KEV listing confirmed at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43213
HIGH
CVSS 7.5
Null pointer dereference in Linux kernel Realtek rtw89 WiFi PCI driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports with abnormal sequence numbers. The vulnerability causes out-of-bounds array access in wd_ring->pages when hardware reports invalid sequence numbers during wireless transmission operations. Vendor-released patches are available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity, though the CVSS vector (AV:A/AC:H/PR:N/UI:N) shows adjacent network access with high attack complexity enables complete system compromise without authentication.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43212
HIGH
CVSS 7.8
LoongArch architecture's cpumask_of_node() function in the Linux kernel mishandles NUMA_NO_NODE (-1) as a node index, potentially enabling local authenticated users to achieve high confidentiality, integrity, and availability impacts (CVSS 7.8). Patches available across multiple stable kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) address the improper input validation. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43211
HIGH
CVSS 7.8
A double-unlock bug in the Linux kernel PCI subsystem allows local authenticated users to trigger lock corruption, leading to privilege escalation, information disclosure, or denial of service. The flaw exists in pci_slot_trylock() where improper error handling after commit a4e772898f8b unlocks a bridge device lock that was never acquired, causing either lock state corruption or unlocking another thread's lock. With CVSS 7.8 (AV:L/AC:L/PR:L) and EPSS of 0.02% (7th percentile), this is a local vulnerability with low exploitation complexity requiring authenticated access. Vendor patches are available across all active kernel stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). No public exploit code or active exploitation confirmed at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43207
HIGH
CVSS 7.8
Resource management flaws in the Linux kernel MediaTek MDP driver allow local authenticated attackers with low privileges to trigger memory corruption via improper error handling during device probe initialization, potentially escalating to kernel code execution. Multiple stable kernel branches (5.10.x through 7.0) are affected, with vendor patches released across all maintained versions. No active exploitation confirmed (EPSS 0.02%, not in CISA KEV), though the local attack vector and low complexity suggest straightforward exploitation once local access is achieved.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43206
HIGH
CVSS 7.8
Out-of-bounds kernel memory write in Linux kernel's AMD KFD (Kernel Fusion Driver) allows local authenticated attackers with low privileges to escalate to root privileges. The kfd_event_page_set() function performs unchecked memset operations of fixed size (KFD_SIGNAL_EVENT_LIMIT * 8 bytes) regardless of user-supplied buffer size, enabling unprivileged userspace processes to corrupt kernel memory. Patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite high CVSS severity, likely due to the local attack vector and requirement for systems with AMD GPU hardware running the amdkfd driver.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43205
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: validate num_ifs to prevent out-of-bounds write
The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
but never validates it against DPSW_MAX_IF (64). This value controls
iteration in dpaa2_switc...
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43203
HIGH
CVSS 7.5
Use-after-free in Linux kernel fore200e ATM driver allows local attackers to achieve high-severity impacts during PCA-200E or SBA-200E adapter removal. When the device is detached, tx_tasklet or rx_tasklet may still be running and access already-freed memory in fore200e_tx_tasklet() or fore200e_rx_tasklet(), potentially leading to code execution, information disclosure, or denial of service. Patches available across stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Not listed in CISA KEV. Identified through static analysis, suggesting no active in-the-wild exploitation at time of disclosure.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43199
HIGH
CVSS 7.5
Linux kernel's mlx5e driver allows local denial of service via kernel crash when IPsec event handling triggers illegal sleeping operations in atomic context. The mlx5e_ipsec_handle_event workqueue calls mlx5_query_mac_address() which invokes hardware command execution requiring sleep, causing a 'scheduling while atomic' bug that crashes the kernel. Affected versions include mainline 6.2+ and stable branches 6.12.x through 7.0. Patches available across all supported branches (6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates minimal exploitation probability; no active exploitation or public POC identified. CVSS 7.5 AV:N rating appears inconsistent with description indicating local kernel-level triggering conditions.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43196
HIGH
CVSS 7.8
Double-free memory corruption in Linux kernel PRUSS (Programmable Real-Time Unit Subsystem) driver allows local authenticated attackers with low privileges to achieve high-impact code execution, information disclosure, or denial of service. The vulnerability exists in pruss_clk_mux_setup() where devm_add_action_or_reset() indirectly calls pruss_of_free_clk_provider() on error path, then erroneously calls of_node_put(clk_mux_np) again afterward. Vendor patches available across stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating; no KEV listing or public POC identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43194
HIGH
CVSS 7.5
TCP connections through veth interfaces with XDP programs can enter a permanent deadlock state where sender and receiver sequence numbers desynchronize, causing all traffic to stall indefinitely. The vulnerability stems from improper error code handling in GSO (Generic Segmentation Offload) frame transmission when individual segments within a GSO super-frame fail: TCP interprets partial segment loss as complete frame loss, advancing receiver state without sender acknowledgment. Affects Linux kernel versions from 3.18 through 6.19.x with patches available across multiple stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation (KEV) or public exploit code has been identified at time of analysis.
Authentication Bypass
Linux
Red Hat
Suse
-
CVE-2026-43190
HIGH
CVSS 8.2
Out-of-bounds read in the Linux kernel's netfilter xt_tcpmss module allows remote unauthenticated attackers to leak memory contents and potentially cause system crashes via malformed TCP options. The xt_tcpmss TCP option parser fails to validate remaining option length before reading optlen values, triggering memory access beyond buffer boundaries when processing crafted packets. EPSS exploitation probability is low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the network attack vector (AV:N) and lack of authentication requirements (PR:N) make this exploitable against any system using netfilter with TCP MSS clamping enabled.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43187
HIGH
CVSS 8.8
Data loss and memory corruption in Linux kernel XFS filesystem implementation allows authenticated users with ability to set extended attributes to corrupt xattr leaf blocks and overwrite entries array. The vulnerability stems from improper freemap management when xattr entries array expands, leaving zero-length freemap entries with nonzero base values that can overlap with legitimate freemap entries. Subsequent setxattr operations can allocate namevalue entries on top of the entries array, leading to filesystem data loss. EPSS score of 0.02% suggests low widespread exploitation probability, and no active exploitation is confirmed (not in CISA KEV). Patches are vendor-released for stable kernel versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0.
Information Disclosure
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-43184
HIGH
CVSS 7.5
Information disclosure in Linux kernel's RNBD (RDMA Network Block Device) server component allows remote unauthenticated attackers to read uninitialized kernel memory through response buffers. The rnbd-srv module fails to zero response message buffers before transmission, leaking residual kernel data to network clients, particularly during protocol version mismatches. With CVSS 7.5 (High) and confirmed vendor patches across multiple stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0), this represents a classic uninitialized memory vulnerability. EPSS exploitation probability is low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the network attack vector and lack of authentication requirements warrant prioritization for systems running RNBD server functionality.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43180
HIGH
CVSS 7.8
Double URB submission in Linux kernel kaweth USB network driver allows local attackers with low privileges to trigger high severity impacts including potential denial of service, information disclosure, or code execution. The flaw occurs when kaweth_set_rx_mode() prematurely re-enables the TX queue via netif_wake_queue() before an in-flight USB transfer completes, enabling kaweth_start_xmit() to submit the same URB twice - a condition explicitly warned against by the USB subsystem. Patches are available across all supported kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Despite CVSS 7.8 High severity, EPSS score is only 0.02% (7th percentile), indicating low observed exploitation probability. No public exploit or CISA KEV listing identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43178
HIGH
CVSS 7.8
Double memory management structure free (mmput) in Linux kernel procfs allows local authenticated attackers with low privileges to cause high-impact memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The flaw triggers when userspace provides an incorrectly sized buffer to the PROCMAP_QUERY interface, causing the kernel to call mmput() twice on the same mm_struct after recent code refactoring moved cleanup logic. Patch available from kernel.org stable trees for versions 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, consistent with the local attack vector requiring authenticated access and specific API interaction. No CISA KEV listing or public exploit identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43176
HIGH
CVSS 8.8
Improper validation in the rtw89 PCI WiFi driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports on RTL8922DE wireless chipsets. The vulnerability stems from insufficient content validation of release reports before use, which can cause kernel panics when malformed SKB (socket buffer) release reports are processed. EPSS score of 0.02% and absence from CISA KEV suggest limited real-world exploitation, though the 8.8 CVSS reflects the potential for complete system compromise via adjacent network access without authentication. Patches available across multiple stable kernel branches (6.18.16, 6.19.6, 7.0).
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43172
HIGH
CVSS 8.8
Array bounds overflow in Linux kernel iwlwifi driver for Intel 22000 series wireless chipsets allows adjacent network attackers to achieve arbitrary memory corruption leading to code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient validation of firmware-reported LMAC (Lower MAC) counts in SMEM parsing code, where malicious or corrupted firmware reporting three LMACs (exceeding the hardware-supported two) triggers out-of-bounds array access in fwrt->smem_cfg.lmac[2]. Patches available for kernel 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploits or CISA KEV listing, but CVSS 8.8 reflects high impact if exploited through compromised WiFi firmware or adjacent network position.
Information Disclosure
Linux
-
CVE-2026-43166
HIGH
CVSS 7.1
Out-of-bounds read in Linux kernel EROFS filesystem allows local attackers with user interaction to read kernel memory and cause denial of service via crafted compressed images. The vulnerability stems from incorrect classification of unaligned plain extents, triggering OOB access in z_erofs_transform_plain(). Vendor patches are available across multiple stable kernel branches (6.15, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, with no active exploitation confirmed at time of analysis.
Buffer Overflow
Linux
Memory Corruption
-
CVE-2026-43164
HIGH
CVSS 7.5
Null pointer dereference in Linux kernel UDP-Lite implementation crashes systems when udp_lib_init_sock() fails during socket initialization. Affects mainline 6.18+ through 6.19.5 and stable 7.0. Remote unauthenticated attackers can trigger denial of service by sending crafted UDP-Lite packets that exploit unhandled initialization errors in udplite_sk_init() and udplitev6_sk_init(), causing NULL pointer access in __udp_enqueue_schedule_skb(). Vendor patches available for 6.18.16, 6.19.6, and 7.0 stable trees. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation is confirmed at time of analysis.
Denial Of Service
Linux
Google
Null Pointer Dereference
-
CVE-2026-43158
HIGH
CVSS 8.8
Memory corruption in Linux kernel XFS filesystem allows authenticated users with write access to trigger kernel assertion failures and system shutdowns via crafted extended attribute operations. The vulnerability stems from incorrect freemap adjustment logic when adding xattrs to leaf blocks, causing the entries array and free space tracking to claim overlapping memory regions. This results in firstused pointer corruption where the name area starts below the end of the entries array. Vendor-released patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Low EPSS score (0.02%, 7th percentile) and no CISA KEV listing indicate no widespread exploitation observed, though the high CVSS 8.8 reflects severe impact on availability and potential for data corruption in XFS filesystems.
Buffer Overflow
Linux
Memory Corruption
-
CVE-2026-43153
HIGH
CVSS 7.8
A use-after-free flaw in the Linux kernel XFS filesystem's xfs_attr_leaf_hasname() function allows local authenticated attackers to potentially execute arbitrary code with kernel privileges or cause denial of service. The function's problematic calling convention can return a pointer to an already-released buffer when xfs_attr3_leaf_lookup_int fails with specific error codes, creating a memory safety issue. Despite a CVSS score of 7.8, EPSS indicates only 0.02% probability of exploitation (5th percentile), suggesting low real-world targeting. Vendor patches are available across multiple stable kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0), and the fix has been committed upstream.
Information Disclosure
Linux
-
CVE-2026-43150
HIGH
CVSS 7.8
Buffer overflow in Linux kernel's ARM CMN performance monitoring driver allows local attackers with low privileges to execute arbitrary code and gain elevated access. The perf/arm-cmn driver fails to validate hardware configuration parameters against assumed maximum sizes, enabling memory corruption through crafted CMN device configurations. While EPSS indicates low exploitation probability (0.02%), patches are available across all maintained kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) per vendor advisories. The local attack vector and requirement for low-privileged user access limit remote exploitation scenarios.
Buffer Overflow
Linux
Memory Corruption
-
CVE-2026-43139
HIGH
CVSS 8.6
Uninitialized memory use in Linux kernel's xfrm6_get_saddr() function allows remote attackers to trigger information disclosure and system instability via crafted IPv6 traffic. The vulnerability affects multiple Long-Term Support (LTS) branches from 2.6.19 through 6.19.6, with vendor-released patches available for 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability despite the network-accessible attack vector and lack of required authentication. Not listed in CISA KEV, and no public exploit code identified at time of analysis.
Information Disclosure
Linux
-
CVE-2026-43138
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
reset: gpio: suppress bind attributes in sysfs
This is a special device that's created dynamically and is supposed to
stay in memory forever. We also currently don't have a devlink between
it and the actual reset consumer. Suppres...
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43134
HIGH
CVSS 8.1
Bluetooth L2CAP implementation in Linux kernel fails to validate encryption key size when processing LE Credit Flow Control connection requests, allowing adjacent network attackers to establish L2CAP connections with insufficient cryptographic strength. This affects kernel versions from 3.14 through 6.19.5, with patches released in stable branches 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6. EPSS score of 0.01% suggests minimal exploitation likelihood despite the adjacent network attack vector and no authentication requirement. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43133
HIGH
CVSS 7.9
Nested AMD SVM virtualization in Linux kernel KVM incorrectly handles VMLOAD/VMSAVE emulation, allowing local privileged attackers in L2 guests to read and write L1 guest state, potentially escalating privileges or causing denial of service. This affects kernels since commit cc3ed80ae69f (v5.13+) and has been patched in stable releases 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. With 7.9 CVSS (HIGH severity) but only 0.02% EPSS, this is a lower-probability threat requiring local authenticated access to nested virtualization environments. No public exploit or active exploitation (KEV) identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43128
HIGH
CVSS 7.8
Double-free vulnerability in Linux kernel RDMA subsystem allows local authenticated attackers to trigger high-severity memory corruption. The flaw in ib_umem_dmabuf_get_pinned_with_dma_device() causes dma_buf_unpin() to be called twice on error paths - once immediately on failure and again during cleanup - enabling potential privilege escalation, system crashes, or information disclosure. Patches available for kernels 6.1.165+, 6.6.128+, 6.12.75+, 6.18.16+, 6.19.6+, and 7.0+. EPSS score of 0.02% indicates low widespread exploitation probability, with no active exploitation or public POCs identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43126
HIGH
CVSS 7.8
Use-after-free in Linux kernel ALSA OSS mixer allows authenticated local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient card disconnection checks when OSS mixer layer calls kcontrol operations individually, creating a race condition window where pending calls continue after device removal. Upstream patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no KEV listing or public exploit identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43120
HIGH
CVSS 7.8
Double-free memory corruption in Linux kernel RDMA/irdma driver allows local authenticated users to cause denial of service or potentially escalate privileges. The vulnerability occurs during memory region re-registration (rereg_user_mr) when IB_MR_REREG_TRANS flag is set: if umem allocation succeeds but subsequent steps fail, the umem is freed without nulling the pointer, leading to double-free when userspace calls ibv_dereg_mr. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, with no active exploitation confirmed (not in CISA KEV).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43116
HIGH
CVSS 7.8
Use-after-free in Linux kernel netfilter ctnetlink allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient protection when accessing master conntrack objects through expectations - holding a reference on the expectation alone does not prevent the master conntrack from being freed, creating a window where exp->master points to freed memory. Patched in stable kernel versions 6.18.24, 6.19.14, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation, and no public exploit or CISA KEV listing exists at time of analysis, suggesting this remains a lower-priority item despite the 7.8 CVSS score.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-43113
HIGH
CVSS 8.8
Out-of-bounds array indexing in Linux kernel's wl1251 wireless driver allows adjacent network attackers to achieve high-impact memory corruption without authentication. The wl1251_tx_packet_cb() function uses untrusted firmware completion IDs directly to index a fixed 16-entry tx_frames array without bounds validation, enabling attackers on the same wireless network segment to read/write arbitrary kernel memory. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC identified. However, CVSS 8.8 reflects genuine risk for systems with wl1251 hardware on untrusted networks.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43112
HIGH
CVSS 8.8
Out-of-bounds read in Linux kernel CIFS client allows network attackers to achieve high-severity impacts including potential code execution, information disclosure, or denial of service when users access maliciously crafted SMB shares. The vulnerability resides in cifs_sanitize_prepath() which improperly handles empty strings or delimiter-only paths, triggering memory access violations confirmed via AddressSanitizer testing. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability despite high CVSS 8.8, and no active exploitation or public POC identified at time of analysis.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43111
HIGH
CVSS 7.8
Race condition in Linux kernel HID roccat driver enables local privilege escalation through use-after-free memory corruption. Local authenticated attackers can exploit concurrent access to device reader lists during roccat_report_event() operations, achieving arbitrary code execution with high integrity impact (CVSS 7.8). Vendor-released patches available across multiple kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite moderate severity, suggesting limited weaponization in the current threat landscape.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43110
HIGH
CVSS 8.8
Adjacent network attackers can achieve remote code execution, information disclosure, or denial of service against Linux systems using Broadcom FullMAC wireless drivers by sending malicious WiFi interface events with out-of-bounds bsscfg indices. The brcmfmac driver's firmware event handler fails to validate array indices before accessing the driver's interface list, enabling memory corruption attacks. Vendor patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC is identified at time of analysis, but the adjacent network attack vector and high impact warrant priority patching for systems with Broadcom WiFi hardware.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43106
HIGH
CVSS 7.8
A reference counting error in Linux kernel's cachefiles subsystem allows local authenticated users to trigger memory corruption and potentially escalate privileges. The vulnerability stems from cachefiles_cull() passing a dentry with insufficient reference count to cachefiles_bury_object(), causing a use-after-free condition. With CVSS 7.8 (high severity) but only 0.02% EPSS exploitation probability (5th percentile), this represents a kernel memory safety issue requiring local access with low attack complexity. Patches available in stable kernel versions 6.19.14 and 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43101
HIGH
CVSS 7.5
NULL pointer dereferences in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) trace data handling cause denial of service when network packets trigger the vulnerable code path. Affects Linux kernel 5.15 through 6.19.14 and mainline branches. Despite CVSS 7.5 High severity with network vector and no authentication, EPSS exploitation probability is very low (0.02%, 4th percentile), and no active exploitation or public POC is identified at time of analysis. Vendor patches available via stable kernel commits.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43099
HIGH
CVSS 7.5
Null pointer dereference in Linux kernel ICMP probe handling crashes systems when IPv6 module is configured but not loaded. The icmp_build_probe() function fails to validate ERR_PTR(-EAFNOSUPPORT) from ipv6_stub->ipv6_dev_find(), passing the error pointer directly to dev_hold() and triggering immediate kernel panic. EPSS probability is low (0.02%, 5th percentile) and no active exploitation confirmed, but CVSS 7.5 High severity reflects trivial remote unauthenticated denial-of-service against vulnerable kernel configurations. Patches available across stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0) with upstream commit identifiers confirmed.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43097
HIGH
CVSS 7.8
Double-free vulnerability in the Linux kernel PCI Hyper-V driver allows local authenticated users to trigger kernel memory corruption and potentially escalate privileges. The flaw occurs in hv_pci_probe() error handling where ida_free() is called twice on the same domain number, leading to memory allocator corruption. Patches released in kernel 6.19.14 and 7.0 fix the issue by removing the redundant ida_free call. EPSS score of 0.02% indicates low exploitation probability in the wild, and no public exploit or KEV listing identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43093
HIGH
CVSS 7.8
Insufficient memory validation in Linux kernel's XSK (AF_XDP socket) UMEM registration allows local authenticated users to corrupt kernel memory structures, potentially leading to privilege escalation or system crashes. The xdp_umem_reg() function fails to validate adequate headroom space for minimum-sized Ethernet frames and skb_shared_info structures in multi-buffer scenarios, enabling memory corruption when XSK frames are processed. Vendor patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% indicates very low probability of mass exploitation, with no active exploitation or public POC identified.
Information Disclosure
Linux
-
CVE-2026-43091
HIGH
CVSS 7.8
Use-after-free in Linux kernel's XFRM subsystem allows local authenticated users to gain elevated privileges through a race condition during network namespace teardown. The xfrm_policy_fini() function frees policy hash tables without waiting for concurrent RCU readers, enabling attackers with low-level privileges to exploit the timing window between policy deletion and memory deallocation. EPSS score is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but CVSS 7.8 reflects high impact if successfully exploited. Vendor-released patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, mainline 7.0).
Information Disclosure
Linux
-
CVE-2026-43084
HIGH
CVSS 7.8
Local privilege escalation in Linux kernel netfilter nfnetlink_queue allows authenticated users with low privileges to execute arbitrary code with high integrity and availability impact via race condition in shared hash table. The vulnerability stems from a use-after-free condition when multiple queues share a global hash table, enabling parallel CPU operations to access freed nf_queue_entry structures. EPSS score is low (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14) with upstream commits confirmed.
Denial Of Service
Linux
Use After Free
Memory Corruption
-
CVE-2026-43078
HIGH
CVSS 7.8
Memory corruption in the Linux kernel's AF_ALG crypto subsystem allows local authenticated users to execute arbitrary code or cause denial of service through a page reassignment overflow in af_alg_pull_tsgl. The vulnerability affects multiple stable kernel branches (4.14 through 7.0) and has been patched across all maintained versions. With CVSS 7.8 and low attack complexity (AC:L), this presents a realistic privilege escalation path for local attackers, though EPSS exploitation probability remains low at 0.02% and no public exploit or KEV listing exists at time of analysis.
Buffer Overflow
Linux
Memory Corruption
-
CVE-2026-43076
HIGH
CVSS 7.8
Use-after-free in Linux kernel's OCFS2 filesystem allows local attackers with user interaction to achieve arbitrary code execution, privilege escalation, or denial of service via crafted filesystem images. Affects kernels since initial OCFS2 implementation (2.6.16+) through 6.19.13. Vendor patches available across all supported stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation, though CVSS 7.8 reflects high impact if triggered. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-43075
HIGH
CVSS 7.8
Out-of-bounds write in Linux kernel's ocfs2 filesystem driver allows local attackers with low privileges to achieve arbitrary code execution or system crash via a corrupted ocfs2 filesystem image. Exploitation occurs during copy_file_range operations when the malicious id_count field in the inode block exceeds physical inline data capacity, causing a buffer overflow past the inode block buffer. Vendor patches are available across multiple stable kernel versions (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile), and no active exploitation or public POC is currently identified.
Buffer Overflow
Linux
Memory Corruption
-
CVE-2026-43074
HIGH
CVSS 7.8
Use-after-free in Linux kernel eventpoll subsystem allows local authenticated attackers with low privileges to achieve high-impact compromise including arbitrary code execution, privilege escalation, or system crash. The vulnerability stems from premature deallocation of the eventpoll structure while still in use by concurrent threads, creating a race condition exploitable on systems running affected kernel versions 6.4 through 6.19.x and 6.6.x through 6.12.x. Vendor patches available across all affected stable branches with EPSS indicating low widespread exploitation probability (0.02%, 5th percentile), though local access requirements limit attack surface to already-authenticated users or containerized environments.
Information Disclosure
Linux
-
CVE-2026-42845
HIGH
CVSS 7.7
### Summary
(Tested on Form 9.0.3 released on April 28th)
The Form plugin's file upload handler at `user/plugins/form/classes/Form.php:583` accepts a POST-supplied `filename` parameter (`$filename = $post['filename'] ?? $upload['file']['name']`) that overrides the original uploaded filename. The o...
PHP
File Upload
-
CVE-2026-42844
HIGH
CVSS 8.7
Privilege escalation in Grav CMS 2.0.0-beta.2 allows authenticated API users with minimal media.write permissions to fabricate super-admin accounts via arbitrary YAML file upload. The /api/v1/blueprint-upload endpoint accepts attacker-controlled destination and scope parameters that, when combined with specific values (destination=self@: and scope=users/anything), write files directly into user/accounts/. Because Grav parses YAML files in this directory as authoritative user accounts and accepts plaintext passwords on first login, attackers craft a new account with api.super privileges, then authenticate as that account to gain full administrative control. Publicly available exploit code exists (detailed PoC in vendor advisory). Vendor-released patch restricts accounts directory uploads to image-only extensions and blocks config-bearing file types (YAML, JSON, Twig) across all blueprint-upload targets.
PHP
Privilege Escalation
RCE
-
CVE-2026-42602
HIGH
CVSS 8.1
### Summary
A server-side authentication bypass in `azureauthextension` allows any party who holds a single valid Azure access token for *any scope the collector's configured identity can mint for* to authenticate to any OpenTelemetry receiver that uses `auth: azure_auth`. The extension's `Authenti...
Authentication Bypass
Microsoft
Hashicorp
-
CVE-2026-42577
HIGH
CVSS 7.5
## Summary
Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread.
## Affected versions
All versions of 4.2.x `netty-tr...
Denial Of Service
-
CVE-2026-42561
HIGH
CVSS 7.5
CPU exhaustion in python-multipart allows remote unauthenticated attackers to cause denial of service through crafted multipart/form-data requests with unbounded header blocks. Applications using Starlette, FastAPI, or other ASGI frameworks that parse attacker-controlled file uploads are vulnerable to worker thread starvation and event-loop blocking. Vendor-released patch available in version 0.0.27, which enforces default limits on both header count and individual header size during multipart parsing.
Denial Of Service
Python
Suse
-
CVE-2026-42559
HIGH
CVSS 8.8
DNS rebinding in rmcp Rust crate allows malicious websites to control local MCP servers and achieve arbitrary code execution through exposed developer tools. Fixed in version 1.4.0 via Host header validation with loopback-only default allowlist. The vulnerability affects Streamable HTTP server transport only (stdio and child-process transports unaffected). Vendor-released patch available (PR #764, commit 8e22aa2). Similar vulnerabilities patched across TypeScript, Python, Go, and Java MCP SDKs indicate coordinated disclosure. CVSS 8.8 (network vector, low complexity, requires user interaction) reflects browser-mediated attack requiring victim to visit attacker site.
RCE
Python
Java
Nginx
-
CVE-2026-42557
HIGH
CVSS 8.6
JupyterLab's CommandLinker executes arbitrary commands via single-click social engineering when users open malicious notebooks shared through email, GitHub, or Binder links. Attackers embed deceptive HTML buttons with allowlisted data-commandlinker-* attributes in pre-saved notebook output cells to trigger commands without code execution submission, enabling immediate arbitrary code execution in available kernels, silent file deletion, or resource exhaustion in multi-tenant deployments. The patched version 4.5.7 was released by the JupyterLab team through GitHub advisory GHSA-mqcg-5x36-vfcg. Chromium browser users face expanded terminal access risk through multi-click clipboard permission abuse. Third-party JupyterLab extensions increase attack surface by exposing additional commands to exploitation.
XSS
RCE
Google
-
CVE-2026-42552
HIGH
CVSS 7.5
FlightPHP Core's default error handler exposes full exception messages, stack traces, and absolute filesystem paths in HTTP 500 responses without any debug-mode gating. All versions before 3.18.1 leak internal application structure, vendor package names, and any secrets interpolated into exception messages to unauthenticated remote attackers. This information disclosure primes follow-on attacks like LFI and path traversal by revealing server paths and configuration file locations. Vendor-released patch in version 3.18.1 introduces a flight.debug setting (default false) that suppresses verbose output in production. CVSS 7.5 reflects network-accessible information disclosure with no privileges required.
PHP
Information Disclosure
Path Traversal
-
CVE-2026-42551
HIGH
CVSS 7.5
Flight PHP micro-framework (< 3.18.1) silently converts GET requests into DELETE or PUT operations via unvalidated X-HTTP-Method-Override headers or _method query parameters, enabling trivial CSRF attacks against destructive endpoints. Attackers can trigger resource deletion using simple HTML image tags without JavaScript or user interaction. The vulnerability bypasses middleware filters that gate only POST/DELETE verbs, and creates CDN cache poisoning scenarios where cached GET responses reflect executed DELETE operations. Patch available in version 3.18.1 introducing opt-in method override control (flight.allow_method_override setting). No active exploitation confirmed at time of analysis; publicly available exploit code exists in GitHub advisory.
PHP
CSRF
-
CVE-2026-42550
HIGH
CVSS 8.8
SQL injection in Flight PHP framework's SimplePdo database helpers allows privilege escalation through crafted array keys. Applications forwarding user-controlled request data shapes to insert(), update(), or delete() methods enable remote authenticated attackers to inject arbitrary SQL, create administrative accounts, modify sensitive columns, or exfiltrate data. Vendor-released patch in version 3.18.1 validates identifiers with safe-identifier regex. Publicly available proof-of-concept demonstrates privilege escalation via malicious JSON request keys. Researcher @Rootingg discovered and reported through GitHub Security Advisory GHSA-xwqr-rcqg-22mr.
PHP
Privilege Escalation
SQLi
-
CVE-2026-42548
HIGH
CVSS 8.6
Reflected cross-site scripting in Flight PHP framework's JSONP endpoint implementation allows remote attackers to execute arbitrary JavaScript in victim browsers by injecting malicious code through unvalidated callback parameters. Flight PHP versions prior to 3.18.1 concatenate user-supplied `jsonp` query parameters directly into JavaScript responses without identifier validation, enabling cookie theft and session hijacking when vulnerable endpoints are embedded via script tags. The vulnerability was patched in version 3.18.1 (commit b8dd23a) with regex validation limiting callbacks to legal JavaScript identifiers. A working proof-of-concept demonstrates cookie exfiltration via crafted callback parameters.
PHP
XSS
-
CVE-2026-42544
HIGH
CVSS 7.5
Granian ASGI server suffers remote denial of service when unauthenticated attackers send malformed WebSocket upgrade requests containing non-ASCII bytes in the Sec-WebSocket-Protocol header, causing worker process termination. Each crafted request kills one worker process; sequential requests across all workers achieve complete service outage. The vulnerability exists in Granian's pre-application WebSocket scope construction (src/asgi/utils.rs), making application-layer defenses ineffective. Publicly available exploit code exists with complete proof-of-concept demonstrating the attack. Vendor-released patch 2.7.4 addresses the issue for affected versions 1.2.0 through 2.7.3.
Denial Of Service
Python
-
CVE-2026-42503
HIGH
CVSS 8.8
Adjacent network code execution in gopls language server occurs when developers use debugging flags -listen or -port without explicit host specification. The Go language server (gopls) binds to all network interfaces (0.0.0.0) instead of localhost when these debugging flags are used, enabling unauthenticated remote code execution from adjacent network attackers. No public exploit identified at time of analysis, though the attack vector is straightforward for developers who enable network debugging in shared network environments like coffee shops or corporate LANs. EPSS data not available for this recent CVE.
Information Disclosure
-
CVE-2026-42339
HIGH
CVSS 7.1
Server-Side Request Forgery in new-api allows authenticated regular users to probe internal services and exfiltrate localhost content by injecting 0.0.0.0 into multimodal API requests. The SSRF protection filter fails to block the 0.0.0.0/8 address range, which resolves to localhost on Linux. Attackers holding any valid API token can send crafted image_url, file_data, or video_url parameters to /v1/chat/completions, /v1/responses, or /v1/messages endpoints, bypassing private-IP checks entirely. When requests route through AWS/Bedrock Claude adaptors, the server fetches the content and inlines it into model responses, upgrading blind SSRF to full-read exfiltration of internal images, PDFs, and text files on default-allowed ports 80, 443, 8080, and 8443. No public exploit code identified at time of analysis; no vendor-released patch confirmed for versions through 0.11.9-alpha.1.
SSRF
-
CVE-2026-42283
HIGH
CVSS 7.7
Cross-Site WebSocket Hijacking in DevSpace UI Server allows remote attackers to execute commands inside Kubernetes pods when developers visit malicious websites while DevSpace UI is running. The UI server's WebSocket endpoint at localhost:8090 accepts connections from any origin, enabling browser-based exploitation without authentication. DevSpace 6.3.20 and earlier are affected; version 6.3.21 contains the fix. No public exploit code identified at time of analysis, but exploitation technique is well-documented in WebSocket security research. The vulnerability enables attackers to stream pod logs, open interactive shells, and execute pipeline commands through the victim's active DevSpace session.
Information Disclosure
Node.js
-
CVE-2026-42280
HIGH
CVSS 7.1
Token validation flaw in Auth0.js SDK versions 8.11.0 through 9.32.0 allows authenticated attackers to retrieve user profile information by submitting a valid access token alongside a crafted invalid ID token, bypassing access control rules defined in Auth0 Actions. The vulnerability affects applications that depend on Auth0 Actions for authorization decisions, potentially exposing sensitive user profile data to attackers holding valid but insufficiently privileged access tokens. Vendor-released patch available in version 10.0.0. The vulnerability was discovered through coordinated disclosure by security researcher Quan Le.
Authentication Bypass
-
CVE-2026-41938
HIGH
CVSS 8.7
Remote code execution in Vvveb CMS versions before 1.0.8.2 allows authenticated users with media-upload permissions to execute arbitrary PHP code with web server privileges via a two-stage attack: uploading a malicious .htaccess file to map .phtml extensions to the PHP handler, then uploading a .phtml file containing PHP code. Exploitation requires only low-privileged authentication (CVSS PR:L) and no user interaction (UI:N), making post-authentication compromise straightforward. Vendor-released patch available in version 1.0.8.2 per GitHub security advisory GHSA-wwmv-4g9g-p48g and commit 54a9e846. VulnCheck advisory provides detailed technical analysis of the bypass technique.
PHP
RCE
File Upload
-
CVE-2026-41936
HIGH
CVSS 8.6
XML external entity injection in Vvveb CMS versions before 1.0.8.2 allows authenticated site_admin users to read arbitrary server files and overwrite administrator password hashes via the admin Tools/Import feature. The vulnerability resides in system/import/xml.php where LIBXML_NOENT flag enabled external entity resolution, allowing injection of file:// and php://filter protocols. Attackers with low-privilege admin accounts can escalate to full administrator access by replacing password hashes in the database. Vendor-released patch version 1.0.8.2 removes LIBXML_NOENT flag. No active exploitation confirmed by CISA KEV at time of analysis.
PHP
Privilege Escalation
XXE
-
CVE-2026-41934
HIGH
CVSS 8.7
Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, contributor, or site_admin roles) to escalate privileges and execute arbitrary PHP code. Attackers exploit the admin code editor's insufficient file extension validation by first uploading a malicious .htaccess file that maps arbitrary extensions to the PHP handler, then uploading PHP code disguised with that extension. Once uploaded, the PHP code executes with web server privileges when accessed via HTTP, effectively bypassing authentication and achieving full system compromise. The vulnerability requires only low-privilege access (PR:L) with no attack complexity or user interaction (AC:L/UI:N), and vendor-released patch version 1.0.8.2 is confirmed available via GitHub. No public exploit code or active exploitation (KEV) confirmed at time of analysis.
PHP
RCE
Vvveb
-
CVE-2026-41288
HIGH
CVSS 7.3
Privilege escalation in WatchGuard Agent for Windows allows authenticated local users to gain NT AUTHORITY\SYSTEM privileges via incorrect permissions in the patch management component. CVSS 7.3 with low attack complexity and local attack vector. No active exploitation or public exploit code identified at time of analysis. EPSS data not available - real-world risk depends on defender endpoint deployment environments where local user access is already established.
Information Disclosure
Microsoft
Watchguard
-
CVE-2026-41287
HIGH
CVSS 7.1
Stack-based buffer overflow in WatchGuard Agent's discovery service allows adjacent network attackers to crash the agent service without authentication. Affects Windows installations prior to version 1.25.03.0000. Vendor patch released addressing the vulnerability. SSVC framework indicates no active exploitation observed and manual exploitation required. While CVSS 7.1 (High) reflects network-adjacent access with high availability impact, actual risk is limited to denial-of-service - no code execution or data compromise possible per the CVSS vector (VC:N/VI:N/VA:H).
Buffer Overflow
Microsoft
Stack Overflow
Watchguard
-
CVE-2026-41286
HIGH
CVSS 7.1
Stack-based buffer overflow in WatchGuard Agent discovery service on Windows enables adjacent attackers without authentication to crash the agent via crafted network packets. CVSS 7.1 (High) reflects adjacent network attack vector with high integrity impact. The vulnerability targets the discovery service component used for agent enrollment and network communication. No CISA KEV listing or public exploit code identified at time of analysis, though the local network attack vector limits exposure to adjacent attackers.
Buffer Overflow
Microsoft
Stack Overflow
Watchguard
-
CVE-2026-40562
HIGH
CVSS 7.5
HTTP Request Smuggling in Gazelle (Perl web server) versions through 0.49 enables attackers to smuggle malicious requests through reverse proxies by exploiting incorrect header precedence. Gazelle violates RFC 7230 by prioritizing Content-Length over Transfer-Encoding: chunked when both headers are present, allowing desynchronization between front-end proxies and the backend server. SSVC framework indicates the vulnerability is automatable with partial technical impact, while CVSS 7.5 reflects network-accessible unauthenticated exploitation with high integrity impact. A vendor patch is available via CPANSec.
Information Disclosure
Request Smuggling
-
CVE-2026-40326
HIGH
CVSS 7.1
Cross-Site Request Forgery in Masa CMS allows unauthenticated attackers to force logged-in administrators to create site bundles containing sensitive data including password hashes, user accounts, and configuration details. The bundles are saved to predictable public directories where any unauthenticated attacker can download them. This vulnerability affects versions 7.5.2 and earlier across multiple release branches. Fixed versions are available: 7.2.10, 7.3.15, 7.4.10, and 7.5.3. CVSS 7.1 HIGH with network attack vector requiring user interaction but no authentication.
CSRF
-
CVE-2026-40325
HIGH
CVSS 8.7
Cross-site request forgery (CSRF) in Masa CMS 7.5.2 and earlier allows remote attackers to restore deleted content through administrator sessions. By tricking an authenticated administrator into clicking a malicious link, attackers can restore previously deleted items from trash and relocate them anywhere in the site structure via the parentid parameter. This enables exposure of sensitive documents by moving them to public areas, restoration of malicious content, or disruption of site integrity. Fixed versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3 are available. EPSS data not available; no confirmed active exploitation (CISA KEV) at time of analysis.
CSRF
-
CVE-2026-40309
HIGH
CVSS 7.2
Cross-Site Request Forgery in Masa CMS trash management allows remote attackers to permanently delete all trashed content through a logged-in administrator. An attacker tricks an authenticated admin into visiting a malicious page that submits a forged trash-emptying request, bypassing CSRF protections and causing irreversible data loss across all pending-deletion content. The vulnerability affects default administrative interfaces without requiring special configuration. No active exploitation confirmed at time of analysis, though the attack technique is well-documented for CSRF vulnerabilities. EPSS data not available.
CSRF
-
CVE-2026-40174
HIGH
CVSS 7.1
Cross-site request forgery (CSRF) in Masa CMS 7.5.2 and earlier allows remote attackers to manipulate user address records through forged requests when authenticated administrators interact with malicious content. The cUsers.updateAddress function lacks proper anti-CSRF token validation, enabling unauthorized addition, modification, or deletion of email addresses, phone numbers, and other contact data. Patches available in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation; no public exploit identified at time of analysis.
CSRF
-
CVE-2026-34474
HIGH
CVSS 7.5
Remote unauthenticated attackers can retrieve plaintext administrator passwords and WLAN Pre-Shared Keys from ZTE ZXHN H298A (firmware 1.1) and H108N (firmware 2.6) routers via crafted HTTP requests to the web management interface. The vulnerability enables complete network compromise through credential theft without requiring authentication. Public exploit code exists (GitHub Gist), demonstrating active researcher interest, though no CISA KEV listing indicates targeted rather than widespread exploitation. EPSS data unavailable, but the combination of network attack vector, no authentication requirement, and credential exposure presents immediate risk to affected deployments.
Authentication Bypass
Information Disclosure
Zte
-
CVE-2026-34473
HIGH
CVSS 7.5
Remote denial-of-service in ZTE home routers (H8102E, H168N, H167A, and 15 other models) allows unauthenticated network attackers to crash the web management interface via an oversized HTTP POST request with application/x-www-form-urlencoded content, requiring a physical device reboot to restore service. ZTE claims devices patched since March 2021, but operator firmware timelines vary. EPSS data not available; no active exploitation confirmed (not in CISA KEV). Publicly available exploit details exist via GitHub gist.
Denial Of Service
Zte
-
CVE-2026-33441
HIGH
Malformed reference links in Mistune 3.2.0 trigger algorithmic complexity attacks in the parse_link_title() function, causing 100% CPU consumption and permanent process hangs. The vulnerability affects Python applications processing untrusted Markdown content, enabling remote denial-of-service through minimal-size payloads (the provided POC is under 200 bytes). A publicly available proof-of-concept demonstrates consistent exploitation discovered via coverage-guided fuzzing. Vendor patch 3.2.1 addresses the issue by implementing parsing limits and defensive checks.
Denial Of Service
Python
Suse
-
CVE-2026-33079
HIGH
CVSS 8.7
Regular Expression Denial of Service in mistune's link title parser enables attackers to freeze Python applications with 58-byte Markdown payloads. The LINK_TITLE_RE regex in mistune 3.0.0a1 through 3.2.0 exhibits catastrophic backtracking (O(2^N) time complexity) when parsing link titles with repeated escaped punctuation patterns, blocking a parser thread for approximately 6 seconds on modern hardware with exponential growth per additional byte pair. Publicly available exploit code exists (demonstrated in the GitHub advisory with working PoC), enabling trivial weaponization against web applications, documentation systems, Jupyter tooling, and API endpoints that process user-supplied Markdown. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:N/UI:N/VA:H) reflects the network-accessible, zero-prerequisite nature of the attack, though the High availability impact assumes single-threaded parsing or resource-constrained environments.
Denial Of Service
Python
Apple
Red Hat
Suse
-
CVE-2026-23928
HIGH
CVSS 7.3
Stored cross-site scripting (XSS) in Zabbix 6.0-7.4 allows authenticated attackers with high privileges to inject malicious JavaScript via monitored host data that executes when other users view dashboards containing Item history widgets (7.0+) or Plain text widgets (6.0). The attack requires the attacker to control a monitored host and the victim to open a dashboard with HTML display enabled in the affected widget. CVSS 7.3 reflects high impact but requires specific preconditions: high-privilege access (PR:H), user interaction (UI:P), and precise attack timing (AT:P). No CISA KEV listing or public exploit identified at time of analysis, with low immediate exploitation risk given the privilege requirements.
XSS
Zabbix
Suse
-
CVE-2026-23926
HIGH
CVSS 7.3
Stored Cross-Site Scripting (XSS) in Zabbix 7.0.x and 7.4.x allows authenticated administrators with non-super privileges to inject JavaScript payloads into maintenance period configurations. The malicious code executes when any user, including super admins, hovers over the affected maintenance period in the Host navigator widget tooltip, enabling session hijacking, credential theft, or unauthorized administrative actions with the victim's elevated privileges. Attack complexity is low and requires only user interaction (hovering), though exploit execution depends on victim access patterns. No public exploit code or active exploitation confirmed at time of analysis.
XSS
Suse
-
CVE-2026-23870
HIGH
CVSS 7.5
Remote denial of service in React Server Components (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) versions 19.0.0-19.0.5, 19.1.0-19.1.6, and 19.2.0-19.2.5 allows unauthenticated remote attackers to crash servers, trigger out-of-memory exceptions, or exhaust CPU resources by sending specially crafted HTTP requests to server function endpoints. The CVSS 7.5 score reflects network-accessible, low-complexity exploitation requiring no privileges or user interaction, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data is unavailable and the vulnerability was disclosed by Meta directly.
Denial Of Service
-
CVE-2026-21661
HIGH
CVSS 8.4
Local privilege escalation in Johnson Controls AC2000 physical access control system (versions 10.6-12.x) allows authenticated local users to execute arbitrary code with elevated privileges by manipulating DLL search paths. The CWE-427 uncontrolled search path vulnerability enables attackers with low-privilege local access to plant malicious libraries that AC2000 loads during startup or operation, achieving high confidentiality and integrity impact. No public exploit code identified at time of analysis, and CVSS 4.0 local attack vector (AV:L) with low privileges required (PR:L) indicates this requires initial system access but minimal complexity once achieved.
Information Disclosure
Microsoft
-
CVE-2026-20188
HIGH
CVSS 7.5
Denial of service in Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) allows remote unauthenticated attackers to exhaust connection resources by flooding the system with connection requests, forcing a manual reboot to restore service. CVSS 7.5 (High) with network vector and no authentication required. No public exploit code identified at time of analysis, and EPSS data not available. The vulnerability stems from inadequate rate-limiting on incoming connections (CWE-400), affecting critical network orchestration infrastructure used for automation and service provisioning.
Denial Of Service
Cisco
-
CVE-2026-20185
HIGH
CVSS 7.7
Cisco SG350 and SG350X managed switches can be remotely crashed via crafted SNMP requests, forcing unexpected device reloads. Authenticated attackers with valid SNMP credentials (read-only or read-write community strings for SNMPv1/v2c, or user credentials for SNMPv3) can trigger a heap-based buffer overflow in SNMP response parsing. Cisco confirmed this vulnerability affects all three SNMP versions (v1, v2c, v3) and published advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj. EPSS and KEV status not provided in available data; exploitation requires network access with low complexity but does require valid SNMP authentication.
Buffer Overflow
Denial Of Service
Heap Overflow
Cisco
-
CVE-2026-20167
HIGH
CVSS 7.7
Cisco IoT Field Network Director enables authenticated remote attackers with low-level privileges to crash remotely managed routers by submitting crafted requests through the web-based management interface. The vulnerability causes improper error handling that allows requesting unauthorized files from managed routers, forcing them to reload and creating a denial-of-service condition (CVSS 7.7, Changed Scope). No public exploit or active exploitation reported at time of analysis.
Authentication Bypass
Cisco
-
CVE-2026-20035
HIGH
CVSS 7.2
Server-Side Request Forgery (SSRF) in Cisco Unity Connection Web Inbox allows remote unauthenticated attackers to send arbitrary network requests sourced from the vulnerable server. The vulnerability affects the web UI component and requires no authentication, privileges, or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), enabling attackers to abuse the server's network position for internal network reconnaissance, service enumeration, or attacks against backend systems. The changed scope (S:C) indicates impact extends beyond the vulnerable component to other network resources accessible from the Unity Connection server.
SSRF
Cisco
-
CVE-2026-20034
HIGH
CVSS 8.8
Remote code execution in Cisco Unity Connection allows authenticated remote attackers with low-privilege credentials to execute arbitrary code as root via crafted API requests to the web management interface. Successful exploitation enables complete device compromise. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit code or active exploitation confirmed at time of analysis. EPSS data not available in provided intelligence.
RCE
Cisco
-
CVE-2026-8018
HIGH
CVSS 8.1
Sandbox escape in Google Chrome prior to 148.0.7778.96 allows remote attackers to break out of Chrome's security sandbox via specially crafted network traffic targeting a policy enforcement weakness in DevTools. The vulnerability requires high attack complexity (CVSS AC:H) but no user interaction, enabling complete compromise of confidentiality, integrity, and availability if successfully exploited. Vendor patch released in Chrome 148.0.7778.96 per official Google Chrome stable channel update. Despite CVSS 8.1 (High), Chromium assigns Low security severity, suggesting limited real-world exploitability or significant attack prerequisites. No active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-8016
HIGH
CVSS 8.8
Remote code execution within Chrome's sandbox allows arbitrary code execution via a malicious HTML page exploiting a use-after-free vulnerability in WebRTC. Affects Chrome versions prior to 148.0.7778.96. Despite high CVSS 8.8 scoring and RCE capability, exploitation requires user interaction (visiting a crafted page) and is confined to Chrome's sandbox, limiting system-level impact. Vendor patch released in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV) or public POC at time of analysis, though Chromium security team rated this as Low severity internally, suggesting limited real-world exploitability despite the technical impact.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-8007
HIGH
CVSS 7.5
Privilege escalation in Google Chrome's Cast component (versions prior to 148.0.7778.96) allows remote attackers to elevate from renderer to higher-privilege browser process via a specially crafted HTML page after initial renderer compromise. Despite the 7.5 CVSS score, Chromium security team rates this as Low severity, indicating limited real-world impact. Vendor patch released in version 148.0.7778.96. No public exploit identified at time of analysis.
Privilege Escalation
Google
Red Hat
Suse
-
CVE-2026-8002
HIGH
CVSS 8.8
Remote code execution in Google Chrome on macOS versions prior to 148.0.7778.96 enables attackers to execute arbitrary code within the browser's sandbox through a malicious HTML page exploiting a use-after-free vulnerability in the Audio subsystem. The vulnerability requires user interaction (visiting a crafted webpage) but no authentication, with CVSS 8.8 rating reflecting high impact across confidentiality, integrity, and availability. Google has released patches in Chrome 148.0.7778.96; no active exploitation (KEV) or public POC has been identified at time of analysis, though the technical details are publicly accessible via Chromium issue tracker 495779613.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-8001
HIGH
CVSS 8.3
Sandbox escape in Google Chrome prior to 148.0.7778.96 on Linux, Mac, and ChromeOS allows remote attackers who have already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the printing subsystem. Despite the 8.3 CVSS score, Chromium rates this Low severity because exploitation requires a two-stage attack chain (initial renderer compromise followed by sandbox escape). Vendor patch released as Chrome 148.0.7778.96. No evidence of active exploitation or public POC identified at time of analysis.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-8000
HIGH
CVSS 8.8
Remote code execution affects ChromeDriver in Google Chrome versions prior to 148.0.7778.96 on Windows platforms. Exploitation requires user interaction with a malicious HTML page, enabling remote attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. Vendor-released patch available (version 148.0.7778.96). No active exploitation confirmed in CISA KEV at time of analysis, though CVSS base score of 8.8 reflects significant potential impact if users visit attacker-controlled content.
RCE
Google
Microsoft
Red Hat
Suse
-
CVE-2026-7997
HIGH
CVSS 7.8
Local privilege escalation in Google Chrome's macOS Updater component allows attackers to gain OS-level administrative privileges through malicious files. The flaw affects Chrome versions prior to 148.0.7778.96 on macOS and requires user interaction to exploit. Google has released Chrome 148.0.7778.96 to address this vulnerability. Despite the 7.8 CVSS score, Google rates this as Low severity, reflecting the local attack vector and user interaction requirement that significantly constrain real-world exploitation scenarios.
Privilege Escalation
Google
Red Hat
Suse
-
CVE-2026-7995
HIGH
CVSS 8.8
Remote code execution within Chrome's sandbox affects all versions prior to 148.0.7778.96 through an out-of-bounds read vulnerability in the AdFilter component. Attackers can execute arbitrary code by delivering a specially crafted HTML page, requiring only that a user visit the malicious page. Chrome has released version 148.0.7778.96 to address this vulnerability. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis, though the vulnerability's network-based attack vector and low complexity make it a realistic exploitation target once technical details become public.
RCE
Buffer Overflow
Information Disclosure
Google
Red Hat
-
CVE-2026-7994
HIGH
CVSS 7.8
Local privilege escalation in Google Chrome Chromoting (prior to 148.0.7778.96) on Windows allows attackers to gain elevated OS-level privileges by tricking users into opening a malicious file. While CVSS scores this as high severity (7.8), real-world risk is tempered by local access and required user interaction (CVSS: AV:L/UI:R). Vendor patch available in version 148.0.7778.96 released May 2026. No active exploitation (CISA KEV) or public exploit code identified at time of analysis.
Privilege Escalation
Google
Microsoft
Red Hat
Suse
-
CVE-2026-7992
HIGH
CVSS 8.8
Remote code execution in Google Chrome versions prior to 148.0.7778.96 on Linux and ChromeOS allows attackers to execute arbitrary code when users perform specific UI gestures on a malicious webpage. The vulnerability stems from insufficient input validation in Chrome's UI layer (CWE-20). Vendor patch available in Chrome 148.0.7778.96. No public exploit identified at time of analysis, though CVSS 8.8 reflects high impact across confidentiality, integrity, and availability.
RCE
Google
Red Hat
Suse
-
CVE-2026-7991
HIGH
CVSS 8.8
Remote code execution in Google Chrome prior to 148.0.7778.96 through a use-after-free vulnerability in the UI component. Attackers who have already compromised the renderer process can escape sandbox restrictions and execute arbitrary code by delivering a specially crafted HTML page requiring user interaction. Google has released patch version 148.0.7778.96. No active exploitation confirmed in CISA KEV at time of analysis, though the vulnerability requires prior renderer compromise, which increases attack complexity beyond what the CVSS AC:L rating suggests.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7990
HIGH
CVSS 7.8
Local privilege escalation in Google Chrome's Windows updater component allows unprivileged users to gain SYSTEM-level access by exploiting insufficient input validation when the updater processes a specially crafted malicious file. Affects all Chrome versions on Windows prior to 148.0.7778.96. Google has released a patched version (148.0.7778.96). No active exploitation confirmed by CISA KEV at time of analysis, though the local attack vector and medium severity rating suggest potential for targeted attacks in enterprise environments where Chrome auto-update may be delayed.
Privilege Escalation
Google
Microsoft
Red Hat
Suse
-
CVE-2026-7988
HIGH
CVSS 8.8
Remote code execution in Google Chrome's WebRTC implementation (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser sandbox through a malicious HTML page exploiting type confusion in WebRTC. Patch available via Chrome 148.0.7778.96. Requires user interaction (visiting crafted page) but no authentication. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability within sandbox constraints. No confirmed active exploitation or public POC identified at time of analysis.
RCE
Google
Memory Corruption
Red Hat
Suse
-
CVE-2026-7987
HIGH
CVSS 8.8
Remote code execution in Google Chrome's WebRTC component (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free memory corruption vulnerability via a malicious HTML page. While sandboxed, successful exploitation achieves high confidentiality, integrity, and availability impact within the renderer process. EPSS data unavailable; not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis. Vendor patch released as Chrome 148.0.7778.96.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7985
HIGH
CVSS 8.3
Sandbox escape in Google Chrome's GPU component affects versions prior to 148.0.7778.96. An attacker who has already compromised the renderer process can escalate privileges to break out of Chrome's sandbox by exploiting a use-after-free memory corruption vulnerability via a specially crafted HTML page. This requires high attack complexity and user interaction (visiting a malicious page). No active exploitation confirmed at time of analysis, and vendor-released patch (version 148.0.7778.96) is available. EPSS data not provided, but the combination of network vector, changed scope (S:C in CVSS), and sandbox escape capability makes this a priority update for Chrome deployments despite Chromium's 'Medium' internal severity rating.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-7984
HIGH
CVSS 8.8
Remote code execution in Google Chrome's ReadingMode component (versions prior to 148.0.7778.96) allows attackers who have already compromised the renderer process to escape sandbox restrictions and execute arbitrary code on the underlying system. The vulnerability requires user interaction to visit a malicious webpage but exploitation complexity is low once renderer compromise is achieved. EPSS data not available; no CISA KEV listing identified at time of analysis, indicating no confirmed widespread exploitation. Vendor-released patch available in Chrome 148.0.7778.96.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7981
HIGH
CVSS 8.1
Out-of-bounds read in Chrome's codec implementation allows remote attackers to extract potentially sensitive data from process memory by delivering a malicious media file. Affects Chrome versions prior to 148.0.7778.96. The vulnerability requires user interaction (opening or playing a crafted file) but operates over the network. Google rated this as Medium severity within the Chromium security framework.
Buffer Overflow
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7980
HIGH
CVSS 8.8
Remote code execution in Google Chrome's WebAudio implementation (versions before 148.0.7778.96) allows attackers to execute arbitrary code within the browser sandbox by exploiting a use-after-free vulnerability through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted page) but no authentication. Google has released Chrome 148.0.7778.96 to address this issue. EPSS data not available; no KEV listing or public POC identified at time of analysis, suggesting limited real-world exploitation observed despite the high CVSS score.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7978
HIGH
CVSS 8.1
OS-level privilege escalation in Google Chrome for macOS allows remote attackers to gain elevated system privileges through malicious network traffic exploiting the Companion component. Affects all Chrome versions prior to 148.0.7778.96 on Mac. Vendor-released patch available (Chrome 148.0.7778.96). No public exploit or active exploitation confirmed at time of analysis, though high-complexity network-based attack vector (CVSS AV:N/AC:H) suggests specialized exploitation requirements despite unauthenticated remote access.
Privilege Escalation
Google
Red Hat
Suse
-
CVE-2026-7976
HIGH
CVSS 7.5
Remote code execution in Google Chrome versions prior to 148.0.7778.96 via malicious extension exploitation of use-after-free in Views component. Successful exploitation requires convincing a user to install a crafted Chrome extension, after which the attacker can execute arbitrary code with Chrome's privileges. Google has released Chrome 148.0.7778.96 to address this vulnerability. No evidence of active exploitation (not listed in CISA KEV) or public proof-of-concept code identified at time of analysis. CVSS 7.5 severity driven by high attack complexity and required user interaction, which moderates real-world exploitation risk despite potential for full system compromise.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7975
HIGH
CVSS 8.3
Sandbox escape in Google Chrome's DevTools component allows attackers who have already compromised the renderer process to break out of the browser sandbox and execute code on the underlying system. Affects all Chrome versions prior to 148.0.7778.96. Google has released version 148.0.7778.96 to patch this vulnerability. The attack requires high complexity and user interaction (visiting a malicious page), but successful exploitation enables complete system compromise with changed scope (S:C in CVSS vector), escalating from renderer-level access to full system access. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-7974
HIGH
CVSS 8.8
Remote code execution in Google Chrome versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the Blink rendering engine through a specially crafted HTML page. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious webpage). EPSS data not available. Not listed in CISA KEV at time of analysis. Vendor-released patch available in Chrome 148.0.7778.96.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7973
HIGH
CVSS 8.8
Integer overflow in Chrome's Dawn graphics API (WebGPU) enables sandbox escape on Windows systems when users visit attacker-controlled web pages. Affects all Chrome versions prior to 148.0.7778.96 on Windows platforms. Vendor-released patch available in Chrome 148.0.7778.96 (confirmed by Google Stable Channel release). CVSS 8.8 reflects high impact but requires user interaction. No public exploit code or CISA KEV listing identified at time of analysis, indicating targeted or proof-of-concept stage exploitation risk rather than widespread active exploitation.
Buffer Overflow
Google
Microsoft
Red Hat
Suse
-
CVE-2026-7970
HIGH
CVSS 8.3
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the TopChrome component. Attack requires user interaction with a malicious HTML page and has high attack complexity. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in Chrome 148.0.7778.96.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-7967
HIGH
CVSS 8.3
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox through malicious HTML pages. The vulnerability stems from insufficient input validation in Chrome's Navigation component, requiring both network access and user interaction but enabling complete system compromise (high confidentiality, integrity, and availability impact) once the renderer is compromised. Vendor-released patch available in version 148.0.7778.96, announced via Google's stable channel update.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7963
HIGH
CVSS 8.3
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via crafted HTML pages exploiting ServiceWorker implementation flaws. This vulnerability requires high attack complexity and user interaction but enables complete system compromise once the initial renderer compromise is achieved. Vendor patch released in Chrome 148.0.7778.96 per official Chrome security bulletin.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7957
HIGH
CVSS 8.8
Remote code execution in Google Chrome's Media component on macOS and iOS versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser sandbox by exploiting an out-of-bounds write vulnerability. The attack requires a compromised renderer process as a prerequisite, plus user interaction with a malicious HTML page. CVSS rates this 8.8 (High) due to network attack vector and no authentication required, though exploitation remains constrained by the sandbox boundary and requires initial renderer compromise. Vendor-released patch available in Chrome 148.0.7778.96. No active exploitation (CISA KEV) or public exploit code identified at time of analysis.
RCE
Buffer Overflow
Google
Memory Corruption
Apple
-
CVE-2026-7956
HIGH
CVSS 8.3
Sandbox escape in Google Chrome prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free vulnerability in the Navigation component. This requires user interaction with a malicious HTML page and successful renderer compromise as a prerequisite, making it a two-stage attack requiring high attack complexity. Vendor-released patch available in Chrome 148.0.7778.96. No public exploit or active exploitation (CISA KEV) identified at time of analysis. CVSS 8.3 (High) reflects the severe post-compromise impact (sandbox escape enabling system-level access), but real-world risk depends heavily on successful initial renderer compromise.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-7951
HIGH
CVSS 8.8
Remote code execution within Chrome's sandbox affects all versions prior to 148.0.7778.96 through an out-of-bounds write in the WebRTC component. Attackers can achieve arbitrary code execution by convincing users to visit a specially crafted HTML page, though execution remains confined to Chrome's sandbox. EPSS data not available for this recent CVE (May 2026). Vendor-released patch version 148.0.7778.96 addresses the vulnerability with Chromium security severity rated Medium despite 8.8 CVSS score.
RCE
Buffer Overflow
Google
Memory Corruption
Red Hat
-
CVE-2026-7948
HIGH
CVSS 7.5
Local privilege escalation in Google Chrome Chromoting (remote desktop component) allows authenticated Windows users to gain elevated system privileges through a race condition exploit triggered by a malicious file. Fixed in Chrome 148.0.7778.96. The vulnerability requires user interaction and high attack complexity (AC:H), limiting automated exploitation despite the 7.5 CVSS score. No public exploit identified at time of analysis, and not listed in CISA KEV.
Privilege Escalation
Google
Race Condition
Microsoft
Red Hat
-
CVE-2026-7940
HIGH
CVSS 8.8
Use-after-free in Chrome's V8 JavaScript engine enables remote code execution inside the sandbox when users install a malicious extension. Google Chrome versions prior to 148.0.7778.96 are vulnerable to arbitrary code execution through specially crafted Chrome Extensions exploiting memory corruption in V8. CVSS rates this 8.8 (High) with network attack vector requiring user interaction. Vendor-released patch available in Chrome 148.0.7778.96 per Google's May 2026 stable channel update. EPSS and KEV data not provided; exploitation requires social engineering to install malicious extension, limiting automated exploitation scenarios.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7938
HIGH
CVSS 8.8
Remote code execution in Google Chrome before 148.0.7778.96 allows unauthenticated attackers to execute arbitrary code within the Chrome sandbox by exploiting a use-after-free vulnerability in the CSS rendering engine through a malicious webpage. Requires victim interaction (visiting attacker-controlled page) but needs no authentication. Vendor-released patch available as Chrome 148.0.7778.96. EPSS score not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis, though browser vulnerabilities are high-value targets.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7930
HIGH
CVSS 8.8
Privilege escalation in Google Chrome versions prior to 148.0.7778.96 enables remote attackers to elevate privileges through malicious HTML pages exploiting improper cookie validation. The vulnerability requires user interaction (clicking a link or visiting a malicious site) but no authentication, making it viable for phishing or watering-hole attacks. CVSS score of 8.8 indicates high severity across confidentiality, integrity, and availability. Vendor-released patch available in Chrome 148.0.7778.96 per Google's stable channel update. EPSS and KEV data not provided; exploitation status unknown at time of analysis.
Privilege Escalation
Google
Red Hat
Suse
-
CVE-2026-7929
HIGH
CVSS 7.5
Remote code execution in Google Chrome's MediaRecording component (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code when victims perform specific UI interactions with a malicious webpage. The use-after-free vulnerability in memory management has been patched by Google in version 148.0.7778.96. EPSS data not available; no CISA KEV listing identified, suggesting no confirmed widespread exploitation at time of analysis, though publicly available exploit code exists per Chromium bug tracker disclosure.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7928
HIGH
CVSS 8.8
Remote code execution in Google Chrome for Windows below version 148.0.7778.96 allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages exploiting a use-after-free vulnerability in the WebRTC implementation. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided, but Google's 'High' severity classification and immediate patch release indicate active concern. No CISA KEV listing or public POC identified at time of analysis, though the vulnerability is already patched.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7927
HIGH
CVSS 8.8
Remote code execution in Google Chrome versions prior to 148.0.7778.96 occurs when attackers exploit a type confusion vulnerability in the JavaScript runtime through malicious web pages. The vulnerability requires only that users visit a crafted HTML page, making it highly accessible for social engineering attacks. No active exploitation confirmed by CISA KEV at time of analysis, though Google has released patches addressing this high-severity memory corruption flaw with confirmed public disclosure through Chromium issue tracker.
RCE
Google
Memory Corruption
Red Hat
Suse
-
CVE-2026-7926
HIGH
CVSS 8.8
Remote code execution in Google Chrome prior to version 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the Presentation API through a specially crafted HTML page. User interaction is required (visiting a malicious webpage). EPSS data not available for this recent CVE. No public exploit confirmed at time of analysis, though the vulnerability has been patched by Google in the stable channel release.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7925
HIGH
CVSS 7.8
Use-after-free memory corruption in Chrome Remote Desktop (Chromoting) on Windows enables local privilege escalation to SYSTEM via malicious file interaction. Attackers with local access can gain OS-level administrative control by inducing users to open specially crafted files processed by the Chromoting component. Patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity and high impact warrants immediate patching for Windows Chrome deployments, especially in multi-user environments where privilege boundaries are critical.
Privilege Escalation
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7923
HIGH
CVSS 8.3
Renderer sandbox escape in Google Chrome versions prior to 148.0.7778.96 leverages an out-of-bounds write in the Skia graphics library. An attacker who has already compromised Chrome's renderer process through other means (such as a separate browser vulnerability) can deliver a specially crafted HTML page to break out of Chrome's security sandbox, gaining elevated code execution on the underlying operating system. EPSS data not available; no CISA KEV listing identified. Google has released Chrome 148.0.7778.96 addressing this high-severity flaw, classified as CWE-787 (Out-of-bounds Write) affecting the Skia graphics rendering engine.
Buffer Overflow
Google
Memory Corruption
Red Hat
Suse
-
CVE-2026-7922
HIGH
CVSS 8.3
Sandbox escape in Google Chrome via ServiceWorker use-after-free allows remote attackers to break out of Chrome's security sandbox through a specially crafted HTML page. Affects all Chrome versions prior to 148.0.7778.96. EPSS data not yet available for this recent CVE. Google has released a patch in version 148.0.7778.96. While rated high severity by the Chromium project, the attack has high complexity (AC:H) and requires user interaction (UI:R), limiting widespread exploitation risk despite the critical scope change (S:C) indicating sandbox escape capability.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-7921
HIGH
CVSS 8.8
Remote code execution in Google Chrome prior to 148.0.7778.96 enables attackers to execute arbitrary code by exploiting a use-after-free vulnerability in the Passwords component through a malicious HTML page. User interaction (visiting the crafted page) is required. CVSS score of 8.8 reflects network-based attack requiring no authentication but requiring user interaction, with high impact to confidentiality, integrity, and availability. Vendor patch available in Chrome 148.0.7778.96. No public exploitation confirmed at time of analysis.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7920
HIGH
CVSS 8.3
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Skia graphics library. Exploitation requires user interaction with a malicious HTML page and successful prior renderer compromise, representing a second-stage attack rather than initial access. No active exploitation confirmed (not in CISA KEV), though the vulnerability's sandbox escape capability makes it valuable for targeted attack chains.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-7919
HIGH
CVSS 8.3
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 enables remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Aura UI framework. The attack requires user interaction with a malicious webpage and presents high attack complexity, but successfully chains renderer compromise with sandbox escape to achieve full system impact. No active exploitation confirmed (not in CISA KEV), though this vulnerability class is frequently targeted given Chrome's wide deployment and the high value of sandbox escapes.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-7918
HIGH
CVSS 8.3
Sandbox escape in Google Chrome's GPU component prior to version 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free memory corruption vulnerability triggered by a malicious web page. This represents a critical second-stage attack where initial renderer compromise is chained with GPU exploitation to achieve full system access. Vendor-released patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.
Denial Of Service
Google
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-7917
HIGH
CVSS 8.3
Sandbox escape in Google Chrome on Windows allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free flaw in the Fullscreen API. Affects Chrome versions prior to 148.0.7778.96 on Windows platforms. Google has released a patch (version 148.0.7778.96) and rated this High severity. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis, though the vulnerability requires initial renderer compromise making it a second-stage exploitation vector.
Denial Of Service
Google
Use After Free
Memory Corruption
Microsoft
-
CVE-2026-7916
HIGH
CVSS 8.3
Sandbox escape in Google Chrome prior to 148.0.7778.96 enables compromised renderer processes to break out of browser security isolation via malicious HTML. This two-stage attack requires first exploiting a separate renderer vulnerability, then leveraging insufficient validation in the InterestGroups component to escalate privileges. The vulnerability is confirmed patched by Google (chromereleases advisory) with no public exploit code or active exploitation identified at time of analysis. CVSS 8.3 (High) reflects the severe impact of full sandbox escape, though the High attack complexity (requiring prior renderer compromise) limits immediate risk compared to single-stage remote code execution vulnerabilities.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7914
HIGH
CVSS 8.3
Sandbox escape in Google Chrome on Windows versions prior to 148.0.7778.96 allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox via type confusion in the Accessibility subsystem. The attack requires user interaction with a malicious webpage and successful renderer compromise as a prerequisite, representing a critical escalation path in multi-stage attacks. Vendor-released patch available in Chrome 148.0.7778.96. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Information Disclosure
Google
Memory Corruption
Microsoft
Red Hat
-
CVE-2026-7913
HIGH
CVSS 7.8
Local privilege escalation in Google Chrome for Android prior to 148.0.7778.96 allows attackers to elevate privileges through malicious files exploiting insufficient policy enforcement in DevTools. The vulnerability requires user interaction to open a crafted file but no authentication (PR:N) for the initial attack vector. Google released patch version 148.0.7778.96 addressing this high-severity flaw. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or non-widespread.
Privilege Escalation
Google
Red Hat
Suse
-
CVE-2026-7911
HIGH
CVSS 8.3
Sandbox escape in Google Chrome for Windows versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of the Chrome sandbox via a use-after-free vulnerability in the Aura UI framework. The attack requires user interaction with a specially crafted HTML page and has high attack complexity (AC:H), but grants complete control over confidentiality, integrity, and availability with changed scope (S:C). No active exploitation confirmed in CISA KEV at time of analysis. EPSS data not provided, but the vulnerability targets a browser component with over 3 billion users globally.
Denial Of Service
Google
Use After Free
Memory Corruption
Microsoft
-
CVE-2026-7907
HIGH
CVSS 8.8
Remote code execution within Chrome's sandbox affects all versions prior to 148.0.7778.96 via crafted HTML pages exploiting a use-after-free vulnerability in DOM handling. Remote unauthenticated attackers can achieve arbitrary code execution with high integrity and confidentiality impact by convincing users to visit a malicious webpage. Vendor patch released (Chrome 148.0.7778.96). No confirmed active exploitation (not in CISA KEV), but the low attack complexity (AC:L) and publicly disclosed bug tracker entry (Chromium issue 496292089) increase exploitation risk. EPSS data not provided but RCE in widely-deployed browser warrants immediate patching despite sandbox containment limiting full system compromise.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7906
HIGH
CVSS 8.8
Remote code execution in Google Chrome versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox through a use-after-free vulnerability in SVG rendering. User interaction (visiting a malicious webpage) is required, but no authentication is needed. Vendor-released patch available in Chrome 148.0.7778.96. No public exploit identified at time of analysis, though CVSS score of 8.8 reflects high impact if successfully exploited.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7905
HIGH
CVSS 8.3
Renderer process compromise in Google Chrome for Android before 148.0.7778.96 enables sandbox escape through malicious HTML pages exploiting insufficient input validation in the Media component. Attacker requires user interaction to compromise the renderer first, then can break out of Chrome's security sandbox to execute code with broader system privileges. Vendor-released patch available in Chrome 148.0.7778.96 per Google's May 2026 stable channel update.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7903
HIGH
CVSS 8.8
Integer overflow in Chrome's ANGLE graphics layer (Mac/Windows) enables heap corruption via malicious web pages. Remote attackers can achieve arbitrary code execution by tricking users into visiting crafted HTML content. Google patched this in Chrome 148.0.7778.96, marking it high severity. Users must interact with the malicious page, but no authentication is required. EPSS data not available; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though the Chromium bug tracker may contain additional context.
Buffer Overflow
Google
Microsoft
Red Hat
Suse
-
CVE-2026-7902
HIGH
CVSS 8.8
Remote code execution within Chrome's V8 sandbox affects all versions prior to 148.0.7778.96 when users visit malicious web pages. The out-of-bounds memory access vulnerability in the V8 JavaScript engine enables arbitrary code execution with user interaction (visiting crafted HTML), rated high severity by the Chromium team. EPSS and KEV data not available, but Google confirmed the vulnerability and released patches. Attack complexity is low (CVSS AC:L) with no authentication required, making this exploitable at scale once proof-of-concept becomes public.
RCE
Buffer Overflow
Google
Memory Corruption
Red Hat
-
CVE-2026-7901
HIGH
CVSS 8.8
Remote code execution in Google Chrome for macOS (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the ANGLE graphics library through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted webpage) but can be exploited remotely without authentication. Google has released Chrome 148.0.7778.96 to address this high-severity memory corruption issue, which affects the confidentiality, integrity, and availability of sandboxed browser processes.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7900
HIGH
CVSS 8.3
Heap buffer overflow in Chrome's ANGLE graphics layer enables sandbox escape for attackers who have already compromised the renderer process, requiring user interaction with a malicious webpage. Chrome 148.0.7778.96 patches this High-severity vulnerability. No active exploitation confirmed (not in CISA KEV), and CVSS 8.3 reflects the Changed scope indicating successful sandbox breakout - a critical security boundary failure that elevates renderer compromise to broader system access.
Buffer Overflow
Google
Heap Overflow
Red Hat
Suse
-
CVE-2026-7899
HIGH
CVSS 8.8
Out-of-bounds memory access in Chrome's V8 JavaScript engine enables remote code execution within the browser sandbox when users visit malicious websites. Affects all Chrome versions prior to 148.0.7778.96 across Windows, macOS, and Linux. Google released patches in the stable channel update (build 148.0.7778.96) per May 2026 advisory. No active exploitation confirmed at time of analysis, but CVSS 8.8 indicates high severity and the vulnerability requires only user interaction (visiting a crafted webpage) with no authentication needed.
RCE
Buffer Overflow
Information Disclosure
Google
Red Hat
-
CVE-2026-7898
HIGH
CVSS 8.8
Remote code execution in Google Chrome's Chromoting component (remote desktop feature) on Linux allows unauthenticated attackers to execute arbitrary code through specially crafted network packets when a user interacts with a malicious remote desktop session. Fixed in Chrome 148.0.7778.96. Vendor rates severity as Critical. No public exploit code identified at time of analysis, but the use-after-free class (CWE-416) is well-understood and exploitable. CVSS 8.8 reflects network attack vector with low complexity requiring only user interaction, enabling full system compromise (high confidentiality, integrity, and availability impact).
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7897
HIGH
CVSS 7.5
Remote code execution in Google Chrome for iOS prior to version 148.0.7778.96 through use-after-free memory corruption in the mobile UI handler. Exploitation requires convincing a user to perform specific UI gestures while viewing a malicious HTML page. Google confirms Critical severity and has released a patched version. EPSS data unavailable; not currently listed in CISA KEV. Attack complexity is rated High due to the required user interaction pattern, limiting opportunistic exploitation but enabling targeted attacks via social engineering.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-7896
HIGH
CVSS 8.8
Heap corruption in Google Chrome prior to 148.0.7778.96 allows remote attackers to execute arbitrary code via a maliciously crafted HTML page exploiting an integer overflow in the Blink rendering engine. The vulnerability requires user interaction (visiting a malicious webpage) but no authentication, enabling drive-by attacks against default Chrome installations. Google has assigned this a Critical severity rating and released version 148.0.7778.96 to address the issue. No active exploitation (CISA KEV) or public POC has been identified at time of analysis, though the technical details are publicly documented in the Chromium issue tracker.
Buffer Overflow
Google
Red Hat
Suse
-
CVE-2026-7841
HIGH
CVSS 8.8
Remote code execution in GeoVision GV-ASWeb 6.2.0 allows authenticated users with System Setting permissions to execute arbitrary commands by bypassing frontend restrictions through crafted HTTP POST requests to the ASWebCommon.srf backend endpoint. This authenticated network-accessible vulnerability achieves full system compromise (confidentiality, integrity, and availability impact) with low attack complexity. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data is unavailable for risk contextualization.
RCE
Code Injection
-
CVE-2026-7448
HIGH
CVSS 7.2
Stored Cross-Site Scripting in LatePoint Calendar Booking Plugin for WordPress allows unauthenticated remote attackers to inject malicious JavaScript via the 'first_name' parameter in appointment booking forms, affecting all versions through 5.5.0. The injected scripts persist in the database and execute whenever administrators or other users view booking records, potentially enabling session hijacking, privilege escalation, or further attacks against site administrators. The CVSS vector indicates network-accessible exploitation with no authentication required and changed scope, enabling attacks beyond the vulnerable component. EPSS score not provided; no confirmation of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
WordPress
XSS
-
CVE-2026-7332
HIGH
CVSS 7.2
Stored cross-site scripting (XSS) in LatePoint WordPress booking plugin (versions ≤5.5.0) allows unauthenticated attackers to inject malicious scripts via the 'booking_form_page_url' parameter that execute when administrators view activity logs. The vulnerability exploits a design flaw where the latepoint_order_intent_created action hook writes unsanitized input to the database before Stripe Connect validation occurs, meaning no functional payment integration is required for exploitation. Wordfence reported this issue with source code references demonstrating the flawed input handling in activities_controller.php and activities_helper.php. CVSS 7.2 with scope change (S:C) reflects potential for attackers to pivot from stored XSS to administrative session hijacking.
WordPress
XSS
-
CVE-2026-6788
HIGH
CVSS 8.5
Local privilege escalation in WatchGuard Agent for Windows allows authenticated users to execute arbitrary code with elevated system privileges through DLL hijacking. The agent searches for dependencies in user-controllable directories, enabling attackers with standard user credentials to plant malicious DLLs that load when the service starts. WatchGuard has released version 1.25.03.0000 to address this uncontrolled search path vulnerability (CWE-427).
Information Disclosure
Microsoft
Watchguard
-
CVE-2026-6787
HIGH
CVSS 8.5
Hard-coded cryptographic key in WatchGuard Agent for Windows enables local authenticated attackers to inject malicious code into existing agent processes, achieving high-impact confidentiality, integrity, and availability compromise. WatchGuard Agent versions prior to 1.25.03.0000 are affected. CVSS v4.0 score of 8.5 reflects local attack vector with low complexity and low privilege requirements, though no active exploitation (KEV) or public POC has been identified at time of analysis. The vulnerability's CWE-321 classification indicates embedded cryptographic material that could be extracted and reused for process injection attacks.
Information Disclosure
Microsoft
Watchguard
-
CVE-2026-6691
HIGH
CVSS 8.6
Heap buffer overflow in MongoDB C Driver's Cyrus SASL integration allows local attackers to achieve code execution before authentication by providing a maliciously crafted username in a MongoDB URI with GSSAPI authentication. The vulnerability triggers during username canonicalization via unsafe string copying, requiring no privileges or user interaction. Exploitable against any application using the affected driver that processes untrusted MongoDB connection strings. No active exploitation confirmed (not in CISA KEV). EPSS data not provided. Vendor has acknowledged the issue via JIRA tracking (CDRIVER-6134).
Buffer Overflow
-
CVE-2026-6210
HIGH
CVSS 8.7
Type confusion in Qt SVG renderer allows remote denial of service through malicious SVG images. Attackers can craft SVG files with self-referencing marker elements that trigger out-of-bounds heap reads and infinite recursion, crashing applications that parse the SVG. Affects Qt 6.7.0-6.8.7 and 6.9.0-6.11.0. Vendor patch available via code review platform. CVSS 8.7 reflects network delivery vector with no authentication required, though actual exploitation requires victim to open or render the crafted SVG file.
Denial Of Service
Memory Corruption
Red Hat
Suse
-
CVE-2026-1719
HIGH
CVSS 7.5
SQL injection in Gravity Bookings Premium for WordPress (≤2.5.9) allows unauthenticated remote attackers to extract sensitive database information including user credentials, customer data, and booking records. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity, enabling widespread exploitation. Reported by Wordfence security research; no CISA KEV listing or public exploit code identified at time of analysis, but the trivial exploitation requirements (network accessible, no auth, no user interaction) make this a high-priority patching target for WordPress sites using this booking plugin.
WordPress
SQLi
-
CVE-2025-71261
HIGH
CVSS 8.6
Man-in-the-middle attacks and denial of service against SUSE Harvester (SUSE Virtualization) affect all versions prior to 1.8.0 due to disabled TLS certificate verification in the Rancher integration registration client. Network-positioned attackers can intercept cluster registration traffic to steal credentials or trigger memory buffer overflow crashes. The vulnerability is limited to the initial cluster registration phase and does not affect ongoing operational connectivity between Harvester and Rancher Manager. Vendor-released patch available in version 1.8.0 with full certificate validation enabled by default. No active exploitation confirmed; no public exploit code identified at time of analysis.
Buffer Overflow
Denial Of Service
-
CVE-2025-71256
HIGH
CVSS 7.5
Remote denial of service in Unisoc T8100/T9100/T8200/T8300 chipset NR modem implementations allows unauthenticated network attackers to crash device cellular connectivity via malformed protocol input. The improper input validation in the 5G New Radio modem stack enables trivial remote service disruption requiring no user interaction or authentication. EPSS data not available; no evidence of active exploitation (not in CISA KEV). Affects mobile devices using these specific Unisoc chipset models in 5G NR mode.
Denial Of Service
-
CVE-2025-71255
HIGH
CVSS 7.5
Remote denial of service in Unisoc modem IMS implementation across 16 chipset families (SC7731E through T8300) allows unauthenticated network attackers to crash mobile device modem services via crafted IMS traffic. The improper input validation vulnerability (CVSS 7.5) enables high-impact availability attacks against millions of deployed Android smartphones and IoT devices using Unisoc chipsets. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed January 2025 vulnerability.
Denial Of Service
-
CVE-2025-71254
HIGH
CVSS 7.5
Remote denial of service in Unisoc modem IMS (IP Multimedia Subsystem) implementation allows unauthenticated network attackers to crash telephony services on affected chipsets through malformed input. Affects 16 Unisoc chipset models spanning SC and T series (SC7731E through T8300) used in budget and mid-range mobile devices. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network accessibility and service disruption potential, though EPSS data unavailable for risk prioritization.
Denial Of Service
-
CVE-2025-71253
HIGH
CVSS 7.5
Remote denial of service in Unisoc modem IMS stack allows network attackers to crash affected devices through malformed input without authentication. Affects 16 Unisoc chipset families (SC7731E, SC9832E, SC9863A, T-series T310 through T8300) used in mobile devices. No authentication, user interaction, or special configuration required (CVSS AV:N/AC:L/PR:N/UI:N). No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable for risk quantification.
Denial Of Service
-
CVE-2025-71252
HIGH
CVSS 7.5
Remote denial of service in Unisoc Modem IMS stack allows unauthenticated network attackers to crash mobile devices through improper input validation. Affects 16 Unisoc chipset families (SC7731E through T8300) widely deployed in budget smartphones and IoT devices across global markets. No authentication, user interaction, or elevated privileges required for exploitation. EPSS data and KEV status not available; no public exploit identified at time of analysis.
Denial Of Service
-
CVE-2025-71251
HIGH
CVSS 7.5
Remote attackers can crash Unisoc chipset IMS (IP Multimedia Subsystem) implementations through network-accessible malformed input, causing complete denial of service with no authentication required. Affects 17 Unisoc chipset models (SC7731E, SC9832E, SC9863A, T-series T310 through T8300) used in mobile devices. CVSS 7.5 (High) reflects direct network exposure and ease of exploitation (AV:N/AC:L/PR:N), though impact is limited to availability. No public exploit code identified at time of analysis, and EPSS data not available for assessment.
Denial Of Service
-
CVE-2025-31951
HIGH
CVSS 8.8
Command injection in HCL BigFix RunBookAI 11.2 allows authenticated remote attackers to execute arbitrary operating system commands. The vulnerability stems from unvalidated input handling in a component that processes commands, enabling command smuggling techniques to bypass input validation. HCL has released a vendor advisory (KB0130444) addressing this issue, which poses significant risk given the product's role in IT automation and runbook orchestration across enterprise environments.
Command Injection
-
CVE-2026-44456
MEDIUM
CVSS 6.5
Hono's bodyLimit() middleware fails to reliably enforce maxSize restrictions on chunked or unknown-length HTTP requests (Transfer-Encoding: chunked), allowing oversized payloads to reach application handlers and return HTTP 200 instead of 413 Payload Too Large. Versions prior to 4.12.16 are vulnerable when handlers do not fully read the request body, read only initial chunks before returning, or catch and suppress read errors. This bypasses the documented guarantee that oversized requests are rejected before business logic execution.
Denial Of Service
Information Disclosure
-
CVE-2026-44455
MEDIUM
CVSS 4.7
HTML injection via unvalidated JSX tag names in hono allows attackers to inject arbitrary HTML elements and attributes when untrusted input is used as tag names during server-side rendering. The vulnerability affects hono versions prior to 4.12.16 when the `jsx()` or `createElement()` APIs process attacker-controlled tag names, potentially enabling XSS attacks. User interaction (rendering untrusted content) is required, and the issue is limited to applications that dynamically construct tag names from external sources rather than using static or allowlisted tags.
XSS
-
CVE-2026-44439
MEDIUM
CVSS 6.6
Server-side request forgery in Playwright Capture before version 1.39.6 allows remote attackers to access local files and internal network resources through browser-side redirection mechanisms when processing untrusted URLs. An attacker-controlled page can abuse window.location.href and similar navigation primitives to redirect the capture process to file:// URLs or private IP addresses, potentially leaking responses through screenshots, saved content, or logs. The vulnerability is mitigated by request routing checks introduced in version 1.39.6 that block secondary requests to local files, non-global IP addresses, and .local domains.
SSRF
-
CVE-2026-44437
MEDIUM
CVSS 6.9
Angular SSR applications fail to properly validate URL-encoded path traversal sequences in the X-Forwarded-Prefix header, allowing attackers to trigger open redirects or steer server-side HTTP requests to unintended endpoints when the application is configured to trust proxy headers and deployed behind an unsanitized proxy. Exploitation requires the upstream proxy to forward the X-Forwarded-Prefix header without stripping encoded dots (%2e%2e), and the Angular application must perform internal redirects or use relative URLs in server-side HttpClient requests. Vendor-released patches are available for all supported versions.
Path Traversal
Open Redirect
-
CVE-2026-44425
MEDIUM
CVSS 5.4
## Summary
The device list endpoint accepts user-controlled identifiers in two places that are passed directly as BSON/SQL keys in the database layer without validation:
1. The `name` field of each filter property in the base64-encoded `filter` query parameter.
2. The `sort_by` query param...
Denial Of Service
Information Disclosure
-
CVE-2026-44424
MEDIUM
CVSS 6.5
## Summary
`GET /api/devices/:uid` returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other na...
Authentication Bypass
Docker
-
CVE-2026-44423
MEDIUM
CVSS 6.5
## Summary
`GET /api/sessions/:uid` returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespa...
Authentication Bypass
-
CVE-2026-44374
MEDIUM
CVSS 4.3
### Impact
The unprocessed entities read endpoints in `@backstage/plugin-catalog-backend-module-unprocessed` do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability ...
Authentication Bypass
Information Disclosure
-
CVE-2026-44373
MEDIUM
CVSS 5.3
A proxy route rule like:
```ts
routeRules: {
  "/api/orders/**": { proxy: { to: "http://upstream/orders/**" } }
}
```
is intended to limit the proxy to URLs under `/api/orders/`. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (`..%2f`) in the URL, c...
Python
Path Traversal
-
CVE-2026-44372
MEDIUM
CVSS 5.3
A redirect route rule like:
```ts
routeRules: {
  "/legacy/**": { redirect: "/**" }
}
```
is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit:
```
GET...
```
Open Redirect
-
CVE-2026-44368
MEDIUM
CVSS 6.9
### Impact
The `mul_mod` function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand (the exponent). An attacker who can measure the time of secret‑sharing operations (e.g., via a remote service) could progressively recover ...
Information Disclosure
-
CVE-2026-44363
MEDIUM
CVSS 5.8
An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionall...
SSRF
-
CVE-2026-44306
MEDIUM
CVSS 5.3
Statamic CMS versions before 5.73.21 and 6.0-6.14.x disclose whether an email address is registered via differential responses from the forgot password endpoint, enabling unauthenticated attackers to enumerate valid user accounts and facilitate downstream credential-based attacks. The vulnerability has a CVSS score of 5.3 (low confidentiality impact) and no public exploit code or active exploitation has been identified.
Information Disclosure
-
CVE-2026-44305
MEDIUM
CVSS 6.8
Man-in-the-middle attacks can intercept LDAP credentials in Lemur when LDAP TLS is enabled because the authentication module globally disables TLS certificate verification using `ldap.OPT_X_TLS_NEVER`. Attackers positioned between Lemur and the LDAP server can capture plaintext usernames and passwords, modify LDAP group responses to grant admin access, and compromise the entire PKI infrastructure managed by Lemur. The vulnerability affects Lemur versions before 1.9.0 and is confirmed fixed in version 1.9.0.
RCE
Python
OpenSSL
-
CVE-2026-44301
MEDIUM
CVSS 6.2
Hugo static site generator versions 0.43.0 through 0.160.x allow unrestricted file system access when building sites with Node-based asset pipelines (PostCSS, Babel, TailwindCSS), enabling arbitrary code execution through these tools to read or write files outside the project directory. The vulnerability affects only users who deploy Node asset pipelines; those building trusted sites or not using these pipelines are unaffected. A vendor-released patch in v0.161.0 enforces Node's permission model with strict filesystem defaults.
Path Traversal
-
CVE-2026-44245
MEDIUM
CVSS 6.1
### Summary
Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flow...
XSS
Kubernetes
-
CVE-2026-44226
MEDIUM
CVSS 5.3
PyLoad-ng WebUI discloses internal Python stack traces and source file paths to unauthenticated remote attackers via a global exception handler on the `/web/<path:filename>` endpoint. An attacker can request non-existent templates or craft malformed requests to trigger server exceptions and extract implementation details in HTTP responses without authentication. This information disclosure facilitates reconnaissance for follow-on attacks but does not enable direct code execution or data theft.
Python
Information Disclosure
-
CVE-2026-44223
MEDIUM
CVSS 6.5
### Summary
The `extract_hidden_states` speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a `RuntimeError` that crashes the EngineCore process. The crash is triggered when any request in the batch uses sampling penalty parameters (`r...
Denial Of Service
Python
-
CVE-2026-44117
MEDIUM
CVSS 6.3
Server-side request forgery in OpenClaw before 2026.4.20 allows unauthenticated remote attackers to relay unintended requests through QQBot direct media upload endpoints (uploadC2CMedia and uploadGroupMedia) by sending crafted image URLs that bypass SSRF protections. The vulnerability affects QQBot outbound media handling and does not expose arbitrary local files, but could allow attackers to make configured QQBot media delivery requests to unintended destinations.
SSRF
-
CVE-2026-44116
MEDIUM
CVSS 6.9
Server-side request forgery in OpenClaw before version 2026.4.22 allows remote attackers to bypass SSRF protection in the Zalo plugin's sendPhoto function by providing malicious photo URLs, enabling unauthorized access to internal resources. The vulnerability affects the Zalo Bot API integration and requires network access but involves time-based attack complexity; no public exploit code or active exploitation has been confirmed.
Authentication Bypass
SSRF
-
CVE-2026-43975
MEDIUM
CVSS 6.5
Path traversal vulnerability in Apache Wicket's FolderUploadsFileManager allows unauthenticated attackers to read arbitrary files or write files outside the intended upload directory by exploiting unsanitized uploadFieldId and clientFileName parameters. Affected versions 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0 are vulnerable to remote file access and modification without authentication or user interaction. Vendor-released patch available in version 10.9.0.
Apache
Path Traversal
-
CVE-2026-43583
MEDIUM
CVSS 6.0
OpenClaw versions 2026.4.10 through 2026.4.13 fail to persist session context when recovering queued outbound media after service restart, allowing authenticated attackers to bypass group tool policy enforcement and weaken channel media restrictions. The vulnerability affects the delivery queue recovery mechanism, which replays queued messages without the original requester's session context needed for policy validation. Exploitation requires authenticated access and prior knowledge of queued delivery entries, with CVSS 6.0 and confirmed patch available in version 2026.4.14.
Authentication Bypass
-
CVE-2026-43582
MEDIUM
CVSS 4.9
Server-side request forgery in OpenClaw browser navigation policy before version 2026.4.10 allows authenticated attackers to bypass hostname validation through DNS rebinding attacks, enabling pivots to internal network resources via unallowlisted hostnames. The vulnerability exploits inconsistent hostname resolution between validation checks and actual network requests made by the Chromium engine, with fix confirmed in upstream commit 121c452d and released in version 2026.4.10.
SSRF
-
CVE-2026-43580
MEDIUM
CVSS 4.9
OpenClaw before version 2026.4.10 allows authenticated attackers to bypass Server-Side Request Forgery (SSRF) policy enforcement through incomplete navigation guard coverage in browser press and type interactions. Attackers can trigger unauthorized navigation actions, including pressKey and type-submit flows, that skip post-action security checks, potentially enabling SSRF attacks against restricted endpoints.
Authentication Bypass
SSRF
-
CVE-2026-43579
MEDIUM
CVSS 6.0
OpenClaw before version 2026.4.10 allows operators with write permissions to persist Nostr profile configuration without requiring admin authority through unprotected HTTP mutation endpoints. Attackers holding the operator.write scope can modify profile settings via PUT and POST routes that should require operator.admin scope, enabling unauthorized configuration changes. This is a privilege escalation vulnerability affecting the Nostr plugin HTTP API layer.
Authentication Bypass
-
CVE-2026-43576
MEDIUM
CVSS 4.9
Server-side request forgery via unvalidated WebSocket URL in OpenClaw before 2026.4.5 allows authenticated attackers to pivot connections to arbitrary hosts through the Chrome DevTools Protocol (CDP) /json/version endpoint. The webSocketDebuggerUrl response field lacks validation, enabling second-hop SSRF attacks where an attacker can redirect browser profile connections to untrusted targets on internal or external networks. No public exploit code identified at time of analysis, but the vulnerability is straightforward to trigger once authenticated to the CDP endpoint.
SSRF
Open Redirect
-
CVE-2026-43282
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port
The function ionic_query_port() calls ib_device_get_netdev() without
checking the return value which could lead to NULL pointer dereference,
Fix it by checking...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43277
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
APEI/GHES: ensure that won't go past CPER allocated record
The logic at ghes_new() prevents allocating too large records, by
checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB).
Yet, the allocation is done with...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43275
MEDIUM
CVSS 4.7
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Flush exception handling work when RPM level is zero
Ensure that the exception event handling work is explicitly flushed during
suspend when the runtime power management level is set to UFS_PM_LVL_0.
When the RPM...
Denial Of Service
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-43273
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ceph: supply snapshot context in ceph_zero_partial_object()
The ceph_zero_partial_object function was missing proper snapshot
context for its OSD write operations, which could lead to data
inconsistencies in snapshots.
Reproducer...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43272
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Fix possible dereference of uninitialized pointer
There is a pointer head_page in rb_meta_validate_events() which is not
initialized at the beginning of a function. This pointer can be dereferenced
if there is a failu...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43271
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
md-cluster: fix NULL pointer dereference in process_metadata_update
The function process_metadata_update() blindly dereferences the 'thread'
pointer (acquired via rcu_dereference_protected) within the wait_event()
macro.
While th...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43270
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()
In mtk_mdp_probe(), vpu_get_plat_device() increases the reference
count of the returned platform device. Add platform_device_put()
to prevent reference leak.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43269
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
After several commits, the slab memory increases. Some drm_crtc_commit
objects are not freed. The atomic_destroy_state callback only put the
framebuffer. Use ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43268
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: pretend special inodes as regular files
Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()")
requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/
S_IFIFO/S_IFSOCK type, use S_IFREG for spe...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43267
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: fix potential zero beacon interval in beacon tracking
During fuzz testing, it was discovered that bss_conf->beacon_int
might be zero, which could result in a division by zero error in
subsequent calculations. Set a de...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43266
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
EFI/CPER: don't go past the ARM processor CPER record buffer
There's a logic inside GHES/CPER to detect if the section_length
is too small, but it doesn't detect if it is too big.
Currently, if the firmware receives an ARM proces...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43265
MEDIUM
CVSS 5.5
Denial of service in Linux kernel KVM x86 nested virtualization allows local privileged attackers to crash virtual machines by manipulating vCPU state through userspace MP_STATE and injected event stuffing. When a vCPU is awakened from a blocking state in L2 (nested guest mode) with an already-injected event, the kernel generates spurious KVM_EXIT_UNKNOWN exits that typically terminate the VM. The vulnerability stems from insufficient validation of impossible vCPU states that userspace can artificially create, despite architectural safeguards that should prevent injected events during blocking. CVSS 5.5 (local, low complexity, high availability impact); EPSS 0.02% indicates minimal widespread exploitation likelihood.
Linux
Code Injection
Red Hat
Suse
-
CVE-2026-43264
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
of_parse_phandle() returns a device_node with refcount incremented,
which is stored in 'entry' and then copied to 'native_mode'. When the
error paths at line...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43262
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
gfs2: fiemap page fault fix
In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode
glock. This can lead to recursive glock taking if the fiemap buffer is
memory mapped to the same inode and accessing it triggers ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43261
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
arm64: Add support for TSV110 Spectre-BHB mitigation
The TSV110 processor is vulnerable to the Spectre-BHB (Branch History
Buffer) attack, which can be exploited to leak information through
branch prediction side channels. This co...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43259
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
phy: fsl-imx8mq-usb: set platform driver data
Add missing platform_set_drvdata() as the data will be used in remove().
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43257
MEDIUM
CVSS 5.5
Denial of service in Linux kernel media cx88 driver allows local authenticated attackers to exhaust system resources by triggering a missing DMA unmapping in the snd_cx88_hw_params() error path. The vulnerability causes resource leaks when audio hardware parameter initialization fails, potentially rendering the audio subsystem unavailable. CVSS 5.5 reflects local attack vector with low complexity; EPSS 0.02% indicates minimal real-world exploitation probability despite vendor-released patches across multiple kernel versions.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43255
MEDIUM
CVSS 5.5
A use-after-free condition in the libertas USB wireless driver allows local attackers with user privileges to cause a denial of service by triggering a kernel warning and potential crash through rapid firmware loading or repeated usb_tx_block() calls while a USB request is still active. The vulnerability stems from insufficient synchronization of USB URB submissions, enabling concurrent requests on the same URB without enforcing completion of prior transmissions.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43252
MEDIUM
CVSS 5.5
Denial of service via kernel warning in MPTCP path manager occurs when combining endpoint removal with fullmesh and flag-setting operations through netlink in the Linux kernel. A local attacker with low privileges can trigger a WARNING in net/mptcp/pm_kernel.c:1074 by sending a crafted sequence of netlink commands, causing the system to emit a kernel warning and potentially become unstable. No known public exploit code exists, but the low CVSS (5.5) and minimal EPSS (0.03%) indicate this is a local DoS with limited real-world impact.
Information Disclosure
Linux
Debian
Ubuntu
Red Hat
-
CVE-2026-43251
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
HID: prodikeys: Check presence of pm->input_ep82
Fake USB devices can send their own report descriptors for which the
input_mapping() hook does not get called. In this case, pm->input_ep82 stays
NULL, which leads to a crash later...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43247
MEDIUM
CVSS 5.5
Kernel panic via SError interrupt in Linux kernel media driver (chips-media wave5) when device enters autosuspend during video decoding operations. Local authenticated attackers can trigger a denial of service by queuing buffers to the wave5 video decoder while autosuspend timeout occurs, causing the CPU to access suspended hardware and generate an unrecoverable asynchronous SError, crashing the system. No privilege escalation or code execution; impact limited to availability.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43246
MEDIUM
CVSS 5.5
Memory leak in the tw9906 media driver's probe function allows local authenticated attackers to cause denial of service through memory exhaustion. The vulnerability occurs in tw9906_probe() when an error path fails to free memory allocated by v4l2_ctrl_handler_init() and v4l2_ctrl_new_std(), potentially leading to kernel memory depletion on repeated device probe attempts. Vendor-released patches are available across multiple stable kernel branches.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43244
MEDIUM
CVSS 5.5
Denial of service in Linux kernel KCM (kernel connection multiplexer) subsystem when processing messages with zero-fragment skbs in frag_list after partial sendmsg failures. A local authenticated attacker can trigger a kernel warning and potentially crash the system by sending a malformed message that fails during data copy, leaving an empty skb in the fragment list. The vulnerability requires local access and low-level socket manipulation, affecting systems running vulnerable Linux kernel versions prior to patching.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43243
MEDIUM
CVSS 5.5
A denial of service vulnerability in the Linux kernel's AMD display driver (drm/amd/display) allows local authenticated users to crash the system by accessing link encoder functionality on DisplayPort over USB-C (DPIA) links without proper signal type validation. The vulnerability affects kernel versions before the patches released in stable branches 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit code has been identified, and real-world exploitation probability is very low (EPSS 0.02%), suggesting this is primarily an edge-case denial of service affecting specific hardware configurations with DPIA displays.
Denial Of Service
Linux
Red Hat
Amd
Suse
-
CVE-2026-43242
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel's TI K3 SoC info driver (soc/ti/k3-socinfo) fails to release an allocated mmio regmap, causing denial of service through resource exhaustion on probe failures and driver unbind. Local attackers with low privileges can trigger probe deferral or driver unbind to exhaust kernel memory, affecting systems running vulnerable Linux kernel versions. The vulnerability has a low EPSS score (0.02%) but enables practical local DoS against systems where low-privilege users can control driver lifecycle.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43240
MEDIUM
CVSS 5.5
Linux kernel x86 architecture fails to validate IMA measurement list memory bounds during kexec boot with restricted memory parameters, causing kernel panic when the carried-over IMA buffer falls outside truncated RAM. Authenticated local users with kexec privileges can trigger a denial of service. The fix adds a sanity check to validate the previous kernel's IMA kexec buffer against actual memory bounds before restoration, aligning x86 behavior with other architectures.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43238
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()
Commit 38a6f0865796 ("net: sched: support hash selecting tx queue")
added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is
computed as:
mapping_mod = queu...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43235
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: iris: Add missing platform data entries for SM8750
Two platform-data fields for SM8750 were missed:
- get_vpu_buffer_size = iris_vpu33_buf_size
Without this, the driver fails to allocate the required internal
buf...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43234
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
team: avoid NETDEV_CHANGEMTU event when unregistering slave
syzbot is reporting
unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3
ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at
__netde...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43231
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: radio-keene: fix memory leak in error path
Fix a memory leak in usb_keene_probe(). The v4l2 control handler is
initialized and controls are added, but if v4l2_device_register() or
video_register_device() fails afterward, th...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43229
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix device cleanup order to prevent kernel panic
Move video device unregistration to the beginning of the remove function
to ensure all video operations are stopped before cleaning up the worker
thread a...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43228
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
hfs: Replace BUG_ON with error handling for CNID count checks
In a06ec283e125 next_id, folder_count, and file_count in the super block
info were expanded to 64 bits, and BUG_ONs were added to detect
overflow. This triggered an err...
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-43227
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
clocksource/drivers/sh_tmu: Always leave device running after probe
The TMU device can be used as both a clocksource and a clockevent
provider. The driver tries to be smart and power itself on and off, as
well as enabling and disa...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43225
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix memory leak on failure path
cfg80211_inform_bss_frame() may return NULL on failure. In that case,
the allocated buffer 'buf' is not freed and the function returns early,
leading to potential memory leak.
Fi...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43224
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zcrx: fix sgtable leak on mapping failures
In an unlikely case when io_populate_area_dma() fails, which could only
happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine,
io_zcrx_map_area() will have an initialised and n...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43223
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: pvrusb2: fix URB leak in pvr2_send_request_ex
When pvr2_send_request_ex() submits a write URB successfully but fails to
submit the read URB (e.g. returns -ENOMEM), it returns immediately without
waiting for the write URB to...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43221
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ipmi: ipmb: initialise event handler read bytes
IPMB doesn't use i2c reads, but the handler needs to set a value.
Otherwise an i2c read will return an uninitialised value from the bus
driver.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43220
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: serialize sequence allocation under concurrent TLB invalidations
With concurrent TLB invalidations, completion wait randomly gets timed out
because cmd_sem_val was incremented outside the IOMMU spinlock, allowing
CMD_CO...
Information Disclosure
Linux
Red Hat
Amd
Suse
-
CVE-2026-43219
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
If an error occurs during register_netdev() for the first MAC in
cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL,
cpsw->slav...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43218
MEDIUM
CVSS 5.5
Memory leak in Linux kernel tw9903 media driver probe function allows local authenticated attackers to cause denial of service through repeated device initialization failures. The v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() allocations are not freed in one error path of tw9903_probe(), enabling exhaustion of kernel memory. CVSS 5.5 (local, low complexity, requires low privileges). EPSS score of 0.02% indicates minimal exploitation probability.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43217
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: iris: gen2: Add sanity check for session stop
In iris_kill_session, inst->state is set to IRIS_INST_ERROR and
session_close is executed, which will kfree(inst_hfi_gen2->packet).
If stop_streaming is called afterward, it wil...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43216
MEDIUM
CVSS 5.5
Denial of service in the Linux kernel's net subsystem via deadlock in skb_may_tx_timestamp() when socket timestamp completion occurs in interrupt context while sk_callback_lock is write-locked, affecting local attackers with user privileges on systems with network drivers that complete TX timestamps from dedicated interrupt handlers.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43210
MEDIUM
CVSS 5.5
Local denial of service in Linux kernel ring-buffer tracing code allows authenticated local users to crash the system by triggering invalid memory access through malformed event length fields. The vulnerability exists in rb_read_data_buffer(), which validates possibly corrupted ring buffers at boot but fails to verify event lengths are within acceptable ranges before calculating buffer offsets. EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been identified.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43209
MEDIUM
CVSS 5.5
Denial of service in Linux kernel minix filesystem implementation allows local authenticated users to crash the system via crafted minix superblock structures due to missing validation of s_log_zone_size and other superblock fields in the minix_check_superblock() function.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43204
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: q6asm: drop DSP responses for closed data streams
'Commit a354f030dbce ("ASoC: qcom: q6asm: handle the responses
after closing")' attempted to ignore DSP responses arriving
after a stream had been closed.
However, tho...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43202
MEDIUM
CVSS 5.5
Memory leak in Linux kernel fbdev vt8500lcdfb driver allows local authenticated users to cause denial of service via unfreed DMA-allocated buffer on error path. The vulnerability exists in the framebuffer initialization code where dma_alloc_coherent() allocation for fbi->fb.screen_buffer is not properly freed if an error occurs during probe, leading to memory exhaustion on repeated device initialization attempts. Local privilege required; no remote or unauthenticated attack vector.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43201
MEDIUM
CVSS 5.5
Denial of service in Linux kernel APEI/GHES ARM processor error handling allows local authenticated attackers to trigger kernel oops by crafting malformed ARM Processor Error records with incomplete or oversized section data, causing out-of-bounds memory dereference. CVSS 5.5 (local, low complexity, authenticated, availability impact only) with EPSS 0.02% indicates low real-world exploitation probability despite public patch availability.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43200
MEDIUM
CVSS 5.5
Denial of service in Linux kernel PCI endpoint configfs interface allows local attackers with low privileges to crash the kernel via swapped parameters in pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() functions. When executing the unlink command in configfs, incorrect parameter ordering causes invalid memory access and kernel panic. CVSS 5.5 (local, low complexity, low privilege) with EPSS 0.02% suggests limited real-world exploitation despite confirmed availability of patches across multiple kernel branches.
Denial Of Service
Linux
Red Hat
Amd
Suse
-
CVE-2026-43195
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: validate user queue size constraints
Add validation to ensure user queue sizes meet hardware requirements:
- Size must be a power of two for efficient ring buffer wrapping
- Size must be at least AMDGPU_GPU_PAGE_SIZE t...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43193
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg()
Claude pointed out that there is a nfs4_file refcount leak in
nfsd_get_dir_deleg(). Ensure that the reference to "fp" is released
before returning.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43192
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
dm mpath: Add missing dm_put_device when failing to get scsi dh name
When commit fd81bc5cca8f ("scsi: device_handler: Return error pointer in
scsi_dh_attached_handler_name()") added code to fail parsing the path if
scsi_dh_attache...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43191
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35
[Why]
A backport of the change made for DCN401 that addresses an issue where
we turn off the PHY PLL when disabling TMDS output, which causes the
OTG ...
Information Disclosure
Linux
Red Hat
Amd
Suse
-
CVE-2026-43189
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-async: Fix error handling on steps after finding a match
Once an async connection is found to be matching with an fwnode, a
sub-device may be registered (in case it wasn't already), its bound
operation is called, ancil...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43188
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ceph: do not propagate page array emplacement errors as batch errors
When fscrypt is enabled, move_dirty_folio_in_page_array() may fail
because it needs to allocate bounce buffers to store the encrypted
versions of each folio. Eac...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43183
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: cx25821: Fix a resource leak in cx25821_dev_setup()
Add release_mem_region() if ioremap() fails to release the memory
region obtained by cx25821_get_resources().
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43182
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: ccs: Avoid possible division by zero
Calculating maximum M for scaler configuration involves dividing by
MIN_X_OUTPUT_SIZE limit register's value. Albeit the value is presumably
non-zero, the driver was missing the check it...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43181
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
gpio: sysfs: fix chip removal with GPIOs exported over sysfs
Currently if we export a GPIO over sysfs and unbind the parent GPIO
controller, the exported attribute will remain under /sys/class/gpio
because once we remove the paren...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43179
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix incorrect early exits for invalid metabox-enabled images
Crafted EROFS images with metadata compression enabled can trigger
incorrect early returns, leading to folio reference leaks.
However, this does not cause system...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43177
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: ipu6: Fix RPM reference leak in probe error paths
Several error paths in ipu6_pci_probe() were jumping directly to
out_ipu6_bus_del_devices without releasing the runtime PM reference.
Add pm_runtime_put_sync() before cleani...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43175
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841
The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure
there are 8 slots for those newly registered clk_hw pointers, else
there is going to be out of bounds wri...
Buffer Overflow
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
-
CVE-2026-43174
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zcrx: fix post open error handling
Closing a queue doesn't guarantee that all associated page pools are
terminated right away, let the refcounting do the work instead of
releasing the zcrx ctx directly.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43173
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: xscale: Check for PTP support properly
In ixp4xx_get_ts_info() ixp46x_ptp_find() is called
unconditionally despite this feature only existing on
ixp46x, leading to the following splat from tcpdump:
root@OpenWrt:~# ...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43171
MEDIUM
CVSS 5.5
Integer underflow in the Linux kernel's EFI/CPER firmware error logging function (cper_print_fw_err) allows local authenticated attackers to trigger denial of service via memory dump of unmapped regions, disclose kernel memory contents, or cause system crash when processing malformed EFI firmware error records with invalid offsets. The vulnerability stems from insufficient validation of error record length before subtracting an offset, causing integer wraparound that permits dumping of arbitrary kernel memory regions.
Information Disclosure
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-43170
MEDIUM
CVSS 5.5
Kernel panic occurs in Linux kernel USB gadget driver (dwc3) when vbus_draw function executes PMIC power-supply APIs from atomic context, causing sleep operations in non-sleepable context. The vulnerability affects Linux kernel versions prior to 5.13 and various stable series (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) and is resolved by deferring vbus_draw operations to workqueue context. Local authenticated users with privilege level PR:L can trigger denial of service by invoking affected USB gadget functionality, with EPSS exploitation probability at 0.02% percentile indicating extremely low practical risk despite moderate CVSS severity.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43169
MEDIUM
CVSS 5.5
Denial of service via kernel panic in the DRM buddy allocator when rounded allocation sizes exceed available memory. Local authenticated attackers can trigger a BUG_ON() crash by requesting contiguous or large-aligned GPU memory allocations that, after power-of-two or block-size rounding, exceed the total VRAM size. Example: a 9GB contiguous allocation request on 10GB VRAM rounds to 16GB, causing immediate kernel panic. No authentication bypass or privilege escalation; requires local access and appropriate user permissions to invoke DRM allocator.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43168
MEDIUM
CVSS 5.5
Denial of service via incomplete xattr cleanup in the Linux kernel OCFS2 filesystem causes memory corruption when processing reflinked files with extended attributes. A local user with standard privileges can trigger this vulnerability through crafted xattr operations, resulting in system crashes or data integrity issues. The flaw affects Linux kernel versions from 2.6.32 through multiple recent releases (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19), with vendor-released patches available for supported stable branches.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43167
MEDIUM
CVSS 5.5
Resource leak in Linux kernel xfrm (IPsec) subsystem allows local authenticated users to exhaust kernel memory and trigger denial of service by preventing proper cleanup of IPsec hardware offload device references during network device unregistration. The vulnerability affects XFRM state management when IPsec hardware offloading is configured, particularly when the hardware offload capability (NETIF_F_HW_ESP) is disabled after state creation but before device removal.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43137
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: hda: Fix NULL pointer dereference
If there's a mismatch between the DAI links in the machine driver and
the topology, it is possible that the playback/capture widget is not
set, especially in the case of loopback...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Intel
-
CVE-2026-43136
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()
Do not crash when a report has no fields.
Fake USB gadgets can send their own HID report descriptors and can define report
structures without valid fields. This ca...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43135
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: cx23885: Add missing unmap in snd_cx23885_hw_params()
In error path, add cx23885_alsa_dma_unmap() to release the
resource acquired by cx23885_alsa_dma_map().
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43132
MEDIUM
CVSS 5.5
Denial of service in Linux kernel dm-verity subsystem allows local authenticated users to crash the system by triggering dm_bufio_client_create() failure in verity_fec_ctr(), which incorrectly passes an error pointer to dm_bufio_client_destroy(). The vulnerability requires local access and authenticated privileges but no user interaction, affecting dm-verity configurations with forward error correction enabled.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43131
MEDIUM
CVSS 5.5
Null pointer dereference in the Linux kernel AMD power management (drm/amd/pm) subsystem causes denial of service when SMU (System Management Unit) is disabled during RAS (Reliability, Availability, and Serviceability) initialization. Local authenticated attackers with low privileges can trigger this crash on affected systems, resulting in kernel panic and system unavailability. EPSS exploitation probability is very low (0.02%), indicating this requires specific configuration and local access.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Amd
-
CVE-2026-43130
MEDIUM
CVSS 5.5
Hard-lockup in Linux kernel IOMMU/VT-d subsystem when flushing device IOTLB during PCIe link-down events affects systems using scalable mode with PASID support. Local authenticated attackers can trigger denial of service by causing PCIe device disconnection followed by resource cleanup operations, such as releasing VFIO group file descriptors, which deadlock the system while attempting ATS invalidation on inaccessible devices. Patch available across multiple stable kernel series.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43129
MEDIUM
CVSS 5.5
Linux kernel page fault in ima_restore_measurement_list() when the second-stage kernel is booted via kexec with memory-limiting command lines such as 'mem=<size>' allows local authenticated users to cause a denial of service by triggering an out-of-bounds memory access. The vulnerability occurs on x86_64 architectures when the IMA measurement buffer from the previous kernel falls outside the addressable RAM of the new kernel, resulting in a kernel panic during early IMA restoration.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43127
MEDIUM
CVSS 5.5
A circular locking dependency in the Linux kernel's ntfs3 filesystem driver allows local authenticated attackers with low privileges to cause a denial of service (system hang or crash) by triggering simultaneous operations that deadlock between the MFT run lock and bitmap read-write lock. The vulnerability affects kernel versions prior to 6.18.16, 6.19.6, and 7.0, and requires local access with user-level privileges to exploit.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43124
MEDIUM
CVSS 5.5
Denial of service via null pointer dereference in Linux kernel's pstore persistent storage subsystem occurs when the vmap() function fails but the persistent_ram_vmap() function incorrectly returns success if a non-zero offset is present, allowing subsequent buffer access to dereference invalid memory and cause system crashes. Affects Linux kernel versions prior to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit identified at time of analysis, but vendor-released patches are available across multiple stable branches.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43123
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
fbcon: check return value of con2fb_acquire_newinfo()
If fbcon_open() fails when called from con2fb_acquire_newinfo() then
info->fbcon_par pointer remains NULL which is later dereferenced.
Add check for return value of the functi...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43122
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ACPI: processor: Update cpuidle driver check in __acpi_processor_start()
Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle
driver registration") moved the ACPI idle driver registration to
acpi_processor_driver_init()...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43121
MEDIUM
CVSS 4.7
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zcrx: fix user_ref race between scrub and refill paths
The io_zcrx_put_niov_uref() function uses a non-atomic
check-then-decrement pattern (atomic_read followed by separate
atomic_dec) to manipulate user_refs. This is ser...
Buffer Overflow
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-43119
MEDIUM
CVSS 5.5
Data race conditions in the Linux kernel Bluetooth subsystem allow local authenticated attackers to cause denial of service by triggering concurrent access to hdev->req_status without proper synchronization. The vulnerability exists in the HCI synchronous command processing path where __hci_cmd_sync_sk() and multiple other functions access the same variable across different workqueues without holding locks, potentially causing memory corruption or system hangs.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43118
MEDIUM
CVSS 5.5
Data corruption in Linux kernel btrfs filesystem log replay allows local authenticated attackers to cause files to retain incorrect sizes after crash recovery. When a file is truncated to zero bytes, fsynced, and then a hardlink is created, the file incorrectly retains its pre-truncation size after a power failure and log replay, resulting in data integrity violation with availability impact.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43115
MEDIUM
CVSS 5.5
Denial of service in Linux kernel tiny SRCU (Synchronize-RCU) subsystem allows local authenticated attackers to trigger a system hang or crash by invoking call_srcu() while holding scheduler locks, causing a circular lock dependency and potential deadlock. The vulnerability affects kernel versions before 6.19.14 and 7.0, with EPSS score of 0.02% indicating low real-world exploitation probability despite moderate CVSS severity.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43109
MEDIUM
CVSS 5.5
Linux kernel shadow stack implementation fails to check for errors from mmap_read_lock_killable() in shstk_pop_sigframe(), allowing a local authenticated attacker to trigger a denial of service by causing the function to proceed with a failed lock acquisition. The vulnerability affects multiple stable kernel versions prior to patched releases 6.18.24, 6.19.14, and 7.0, with EPSS exploitation probability of 0.02% suggesting low real-world exploit likelihood despite the availability of a vendor patch.
Information Disclosure
Linux
-
CVE-2026-43108
MEDIUM
CVSS 5.5
A denial of service vulnerability in the Linux kernel's Qualcomm PD mapper service registry causes system crashes due to mismatched string element length validation in servreg_loc_pfr_req_ei. When a process daemon crashes and triggers a service registry location request, the QMI decoder rejects the reason field because its declared maximum length (65 bytes) is smaller than the actual field size (81 bytes), causing a decoding error and system halt. This affects all Linux kernel versions prior to the patch, triggered by local processes with standard user privileges.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43107
MEDIUM
CVSS 5.5
Denial of service in Linux kernel xfrm (IPsec transform) subsystem allows local authenticated attackers to trigger a kernel panic via improper netlink message size calculation when handling XFRM_MSG_GETAE requests for states with interface ID set. The xfrm_aevent_msgsize() function fails to account for XFRMA_IF_ID attribute space, causing build_aevent() to exceed buffer bounds and hit a BUG_ON assertion, resulting in kernel crash. EPSS exploitation probability is very low at 0.02% despite the local attack vector, suggesting limited real-world impact.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43105
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel's Direct Rendering Manager (DRM) vc4 driver allows local authenticated attackers to exhaust kernel memory and trigger a denial of service condition. The vulnerability stems from a missing kfree() call in vc4_free_hang_state() that fails to release a separately allocated BO (buffer object) array, enabling persistent memory exhaustion through repeated hang state operations.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43104
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel's vc4 DRM driver allows local authenticated attackers to cause denial of service via memory exhaustion in hang state error handling. The vc4_save_hang_state() function fails to free allocated kernel_state memory on early return paths, enabling a local user with limited privileges to trigger repeated memory leaks and degrade system availability.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43103
MEDIUM
CVSS 5.5
Denial of service in Linux kernel lapbether driver allows local authenticated attackers to crash the system by triggering a device type change that violates the ARPHRD_ETHER requirement when transmitting data. The vulnerability exists in the lapbeth_data_transmit() function which assumes the underlying device type remains Ethernet; a local user with low privileges can manipulate the bonding driver to change the device type, causing the kernel to reach an unhandled state and crash. EPSS score of 0.02% indicates low real-world exploitation probability despite the vulnerability being patched across multiple kernel versions.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43102
MEDIUM
CVSS 5.5
Memory leak in the Airoha QDMA RX packet processing function allows local authenticated attackers to cause a denial of service through resource exhaustion. The vulnerability occurs when page pool fragments fail to properly return to the pool during error handling in airoha_qdma_rx_process(), allowing an attacker with local access and low privileges to exhaust kernel memory and crash the system. EPSS exploitation probability is extremely low at 0.02%, reflecting the local-only attack vector and privilege requirement.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43100
MEDIUM
CVSS 5.5
Null pointer dereference in Linux kernel bridge VLAN filtering code allows local authenticated attackers to trigger a denial of service via a crafted RTM_NEWLINK netlink message with BR_BOOLOPT_FDB_LOCAL_VLAN_0 flag when CONFIG_BRIDGE_VLAN_FILTERING is disabled. The vulnerability occurs because br_fdb_delete_locals_per_vlan_port() and br_fdb_insert_locals_per_vlan_port() dereference a NULL vlan group pointer without validation, causing a kernel panic. No public exploit code identified at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Canonical
-
CVE-2026-43098
MEDIUM
CVSS 5.5
Denial of service via NULL pointer dereference in the NFC s3fwrn5 driver's UART receive handler allows local authenticated attackers to crash the system. The vulnerability exists in s3fwrn82_uart_read() which consumes bytes from the serial device before allocating a fresh receive buffer; if memory allocation fails after bytes are already consumed, the function incorrectly reports success while leaving the receive buffer NULL, causing a NULL dereference on the next skb_put_u8() call. This affects Linux kernel versions 5.11 and later, with patches available for stable branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43096
MEDIUM
CVSS 5.5
Infinite vCPU fault loop in the Linux kernel's mshv (Microsoft Hypervisor) subsystem allows a local guest VM process to permanently spin a host vCPU thread, exhausting host CPU resources. The flaw exists in mshv_handle_gpa_intercept(), which unconditionally attempts page remaps on all movable-memory faults regardless of access permission - when a guest writes to a read-only Guest Physical Address region, the remap succeeds but the region retains its read-only designation, causing an immediate re-fault in a tight loop. Affected kernel versions run from commit b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 through the fix commits; patched releases 6.19.14 and 7.0 are available. No public exploit has been identified and EPSS is 0.01%, consistent with the local, hypervisor-specific attack surface.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43095
MEDIUM
CVSS 5.5
Linux kernel ASoC SDCA subsystem crashes on sound card teardown due to IRQ lifecycle mismanagement, causing a local denial of service. IRQ handlers registered via devm_request_threaded_irq() during component probe retain stale references to freed card and kcontrol structures after the sound card is torn down, resulting in null or dangling pointer dereferences and kernel panic. Exploitation requires local low-privilege access and SDCA-capable audio hardware; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile).
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43094
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel ixgbevf driver crashes Hyper-V guest VMs during device probe, causing a kernel panic and complete denial of service. The regression was introduced when commit a7075f501bd3 added a .negotiate_features callback to ixgbe_mac_operations and populated it for the standard ops table (ixgbevf_mac_ops) but omitted it from the Hyper-V-specific table (ixgbevf_hv_mac_ops), leaving that pointer NULL on Hyper-V guests. Any Linux system running on Microsoft Hyper-V with an Intel ixgbevf virtual NIC is subject to an automatic kernel crash at module load or boot; no public exploit has been identified at time of analysis and EPSS is 0.02%, reflecting a narrow but reliable impact on the specific deployment combination.
Denial Of Service
Linux
Null Pointer Dereference
Microsoft
Red Hat
-
CVE-2026-43092
MEDIUM
CVSS 5.5
The AF_XDP socket subsystem (xsk) in the Linux kernel fails to validate that a network device's MTU fits within the usable UMEM frame space at bind time, allowing a local low-privileged user to trigger a kernel denial of service. Usable frame space - chunk size minus headroom and tailroom - can fall below a standard 1500-byte MTU when 2k chunks are used, a gap that became exploitable once tailroom subtraction was introduced. The kernel also omits validation of hardware zero-copy capabilities via net_device::xdp_zc_max_segs. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating low immediate exploitation risk.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43090
MEDIUM
CVSS 5.5
Reference count leak in the Linux kernel's xfrm IPsec subsystem allows a local low-privileged attacker to exhaust kernel memory, resulting in denial of service. The defect resides in xfrm_migrate_policy_find(), where xfrm_pol_hold_rcu() is called twice - once implicitly by the lookup path (which already returns a held reference) and once redundantly - creating a refcount imbalance that prevents memory reclamation. Discovered by the Linux Verification Center using Syzkaller fuzzing; no public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating minimal observed exploitation activity.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43077
MEDIUM
CVSS 5.5
Local denial-of-service in the Linux kernel's AEAD crypto socket interface (`algif_aead`) allows a low-privileged local user to crash the kernel by submitting a decryption request where the minimum receive buffer size check fails to account for the authentication tag length. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms this is a locally exploitable, high-availability-impact issue with no confidentiality or integrity risk. Patches have been released across multiple Linux LTS stable branches (5.10.254, 5.15.204, 6.1.170, 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0) and Ubuntu has issued multiple USN advisories (USN-8277-1 through USN-8281-1). No public exploit code has been identified and EPSS is 0.02%, indicating no public exploitation activity.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-42572
MEDIUM
CVSS 5.3
A missing authorization directive on the `GET /api/v1/stable/dags/tasks` endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belo...
Authentication Bypass
-
CVE-2026-42549
MEDIUM
CVSS 4.4
The `make:controller` CLI command calls `mkdir(..., recursive: true)` on a path built from the user-supplied controller name, **before** Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains `/`, but the recursive directory creatio...
PHP
Path Traversal
Microsoft
-
CVE-2026-42545
MEDIUM
CVSS 5.9
Granian worker process aborts when a WSGI application returns invalid HTTP response header names or values due to unhandled panic in the header conversion path. An attacker who can influence WSGI application output, such as by injecting user-controlled data into response headers like Location or Content-Disposition, can trigger worker process denial of service. The vulnerability affects Granian versions 0.2.0 through 2.7.3; patch available in version 2.7.4. Proof of concept demonstrates crashes via headers containing spaces, CRLF injection, or null bytes.
Denial Of Service
Python
-
CVE-2026-42509
MEDIUM
CVSS 6.1
Cross-site scripting (XSS) vulnerability in Apache Wicket allows unauthenticated remote attackers to inject malicious JavaScript through crafted strings that break out of JavaScript sequence contexts. Affected versions include Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. User interaction (e.g., clicking a malicious link) is required for exploitation. EPSS score of 0.03% (8th percentile) indicates low empirical exploitation probability despite network-accessible attack vector.
XSS
Apache
-
CVE-2026-42458
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page, where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. Exploitation requires admin panel access and user interaction (clicking a malicious link); unauthenticated network-based exploitation is not possible.
PHP
XSS
-
CVE-2026-42184
MEDIUM
CVSS 6.1
Origin confusion in Tauri's is_local_url() function on Windows and Android allows remote attackers to invoke local-only IPC commands by hosting content on a domain whose first subdomain matches the application's custom URI scheme. An attacker can register a domain like http://app.evil.com/ to bypass origin validation when the target application uses an app:// custom protocol, gaining unauthorized access to backend functionality intended only for the application's own frontend. A public proof-of-concept demonstrates successful command invocation through this bypass.
Google
SSRF
Microsoft
-
CVE-2026-41931
MEDIUM
CVSS 6.9
Vvveb before version 1.0.8.2 allows unauthenticated remote attackers to disclose sensitive server information including absolute file paths, internal class namespaces, line numbers, and source code excerpts by accessing the admin password-reset endpoint and triggering a fatal error caused by missing namespace imports. The debug exception handler renders full stack traces to unauthenticated requests, enabling reconnaissance attacks without authentication or user interaction. No active exploitation confirmed, but the vulnerability is easily discoverable and exploitable over the network.
Information Disclosure
-
CVE-2026-40332
MEDIUM
CVSS 5.3
Open redirect vulnerability in Masa CMS allows unauthenticated remote attackers to craft malicious URLs on trusted Masa CMS domains that redirect victims to attacker-controlled sites via improper validation of scheme-relative URLs (paths beginning with //). This can be exploited for phishing attacks and potential token exposure in certain authentication flows. The vulnerability affects versions prior to 7.2.10, 7.3.15, 7.4.10, and 7.5.3, with CVSS 5.3 (CVSS:4.0/AV:N/AC:L/PR:N/UI:P).
Information Disclosure
Open Redirect
-
CVE-2026-40001
MEDIUM
CVSS 5.2
Local privilege escalation in ZTE PROCESS Guard Service allows authenticated local users to escalate privileges and achieve arbitrary code execution through improper access control enforcement, affecting the cloud computer client. The vulnerability requires local access and authenticated user context but operates across system boundaries, potentially compromising system integrity. No active exploitation has been confirmed at time of analysis, though the combination of privilege escalation and RCE capability makes this a moderate-priority local threat.
Privilege Escalation
RCE
Path Traversal
Zte
-
CVE-2026-36358
MEDIUM
CVSS 5.4
Stored cross-site scripting in Juzaweb CMS 5.0.0 allows authenticated remote attackers to inject arbitrary JavaScript via the Add Banner Ads function, exploitable with user interaction (page visit). The vulnerability enables credential theft, session hijacking, and defacement of administrative interfaces. A proof-of-concept is publicly available on GitHub, though exploitation requires authenticated access and victim interaction with a malicious payload.
XSS
RCE
-
CVE-2026-35255
MEDIUM
CVSS 6.6
Malicious environment variable injection in Oracle Cloud Native Environment Command Line Interface v2.3.2 allows local authenticated users with low privileges to execute arbitrary code through user interaction, compromising systems running the affected CLI tool. The vulnerability requires local access and user action but results in high-impact code execution with full confidentiality and integrity compromise.
RCE
Code Injection
Oracle
-
CVE-2026-35254
MEDIUM
CVSS 6.1
Oracle OCI CLI version 3.77 allows local attackers with user interaction to place imported files outside the intended directory, compromising file integrity and enabling potential code execution or data exfiltration. The vulnerability requires local access and user interaction but carries high integrity impact through arbitrary file placement. No active exploitation or public exploit code has been identified at the time of analysis.
Path Traversal
Oracle
Suse
-
CVE-2026-35253
MEDIUM
CVSS 4.7
Oracle Macaron Tool v0.22.0 fails to properly validate host addresses in HTTP requests, allowing unauthenticated remote attackers to cause information disclosure through crafted network traffic. The vulnerability requires user interaction (UI:R) and affects the confidentiality of the tool's host validation mechanism. No active exploitation has been publicly confirmed.
Open Redirect
Oracle
-
CVE-2026-23927
MEDIUM
CVSS 5.1
Zabbix Agent 2 allows remote attackers with high privileges to inject malicious Oracle TNS connection strings via the 'service' parameter, enabling credential theft from saved database sessions. The vulnerability requires network access and high-level privileges but can lead to disclosure of Oracle database credentials if they are stored in named sessions. CVSS 5.1 reflects the requirement for authenticated attacker access (PR:H), though the impact to stored credentials is significant.
Information Disclosure
Oracle
-
CVE-2026-20219
MEDIUM
CVSS 5.4
Insecure direct object reference (IDOR) in Cisco Slido REST API allows authenticated remote attackers to view other users' social profile data and manipulate quiz or poll results. The vulnerability requires valid authentication but no user interaction, affecting confidentiality and integrity of user data and poll integrity. Cisco has released a patched version; no public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
Cisco
-
CVE-2026-20195
MEDIUM
CVSS 5.3
Unauthenticated remote attackers can enumerate valid user accounts on Cisco Identity Services Engine through an identity management API endpoint by analyzing differentiated error responses to crafted requests. The vulnerability enables account enumeration with no authentication required, network-accessible attack surface, and low complexity exploitation, resulting in partial information disclosure of valid usernames on affected systems.
Information Disclosure
Cisco
-
CVE-2026-20193
MEDIUM
CVSS 4.3
Cisco Identity Services Engine allows authenticated read-only administrators to bypass role-based access control on RADIUS Policy API endpoints and gain unauthorized read access to sensitive policy details through direct API calls. The vulnerability affects ISE software across versions due to improper RBAC enforcement on API endpoints, enabling privilege escalation from read-only to unauthorized data disclosure. CVSS score is 4.3 with low attack complexity, but exploitation requires valid administrative credentials.
Authentication Bypass
Cisco
-
CVE-2026-20189
MEDIUM
CVSS 4.3
Cisco Prime Infrastructure log file download functionality fails to enforce proper authorization checks, allowing authenticated remote attackers to download arbitrary log files beyond their access level. An attacker with valid web management interface credentials can submit crafted URL requests to the affected download service API to retrieve sensitive logs, resulting in confidential information disclosure. CVSS score of 4.3 reflects low immediate impact but legitimate data exposure risk for organizations using this management platform.
Authentication Bypass
Cisco
-
CVE-2026-20172
MEDIUM
CVSS 4.3
Cisco Enterprise Chat and Email (ECE) Lite Agent feature allows authenticated remote attackers with Agent role credentials to upload files containing malicious scripts or HTML, which are then served to other users without adequate content validation. Successful exploitation enables stored cross-site scripting (XSS) attacks in victim browsers. The vulnerability requires valid user credentials and Agent role privileges but no user interaction on the victim side, affecting confidentiality and integrity but not availability.
Cisco
File Upload
-
CVE-2026-20169
MEDIUM
CVSS 6.4
Cisco IoT Field Network Director's web-based management interface allows authenticated remote attackers with low privileges to execute arbitrary commands and access files on managed routers via insufficient input validation in the web interface. The vulnerability enables file creation, deletion, read operations, and execution of limited commands in user EXEC mode on remote routers. CVSS 6.4 (medium severity); no active exploitation or public POC identified at time of analysis.
Command Injection
Cisco
-
CVE-2026-20168
MEDIUM
CVSS 6.5
Authenticated remote attackers with low privileges can read arbitrary files via insufficient access controls in the web-based management interface of Cisco IoT Field Network Director. Exploitation requires valid login credentials and submission of crafted input through the management UI; successful attacks result in unauthorized file disclosure but do not enable modification or system disruption. No public exploit code or active exploitation has been identified at time of analysis.
Information Disclosure
Cisco
-
CVE-2026-8033
MEDIUM
CVSS 5.5
Information disclosure in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to extract sensitive data via the Response Header Handler in the /cdemos/echs/api/v2/ endpoint. The vulnerability has been publicly disclosed with exploit code available, and a patch (version 5.7.1) has been released by the vendor.
Information Disclosure
-
CVE-2026-8032
MEDIUM
CVSS 5.5
Hard-coded administrative credentials in PicoTronica e-Clinic Healthcare System ECHS 5.7 enable remote attackers to bypass authentication and gain privileged access to the healthcare management platform. The vulnerability resides in the /cdemos/echs/priv/echs.js file where the ADMIN_KEY parameter contains static credentials, allowing network-level exploitation without authentication (AV:N/PR:N). Public exploit documentation exists, though CISA KEV does not list active exploitation. EPSS data unavailable, but the combination of healthcare sector targeting, authentication bypass capability, and public POC elevates real-world risk despite moderate CVSS 7.3 scoring.
Authentication Bypass
-
CVE-2026-8031
MEDIUM
CVSS 5.5
Missing authentication in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to access the /cdemos/echs/api/v2/patient-records API endpoint and retrieve sensitive patient information. Publicly available exploit code exists for this vulnerability. The vendor released patched version 5.7.1 to address the issue.
Authentication Bypass
-
CVE-2026-8027
MEDIUM
CVSS 5.3
Authorization bypass in FlowiseAI Flowise up to version 3.0.12 allows authenticated users to manipulate userId, organizationId, workspaceId, and email parameters in the User Controller Handler, potentially gaining unauthorized access to other users' data or organizational resources. The vulnerability requires valid user authentication and remote network access, resulting in confidentiality impact with low attack complexity. No active exploitation in CISA KEV has been confirmed at time of analysis.
Authentication Bypass
-
CVE-2026-8026
MEDIUM
CVSS 6.3
Information disclosure in FlowiseAI Flowise up to version 3.0.12 allows remote attackers to extract sensitive data through the Login function in the API Response Handler component. The vulnerability requires high attack complexity and is difficult to exploit, but successful exploitation results in confidentiality impact without authentication requirements. No public confirmation of active exploitation has been identified at time of analysis.
Information Disclosure
-
CVE-2026-8021
MEDIUM
CVSS 4.2
Script injection in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
RCE
Google
Code Injection
Red Hat
Suse
-
CVE-2026-8020
MEDIUM
CVSS 5.3
Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-8019
MEDIUM
CVSS 5.4
Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-8015
MEDIUM
CVSS 5.4
Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-8014
MEDIUM
CVSS 4.3
Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-8013
MEDIUM
CVSS 4.3
Insufficient validation of untrusted input in FedCM in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-8012
MEDIUM
CVSS 5.4
Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
XSS
Google
Red Hat
Suse
-
CVE-2026-8011
MEDIUM
CVSS 4.3
Insufficient policy enforcement in Search in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-8010
MEDIUM
CVSS 6.3
Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)
Authentication Bypass
Google
Red Hat
Suse
-
CVE-2026-8009
MEDIUM
CVSS 5.0
Inappropriate implementation in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Authentication Bypass
Google
Red Hat
Suse
-
CVE-2026-8008
MEDIUM
CVSS 5.4
Inappropriate implementation in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-8006
MEDIUM
CVSS 5.4
Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-8005
MEDIUM
CVSS 4.3
Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to bypass same origin policy via malicious network traffic. (Chromium security severity: Low)
Authentication Bypass
Google
Red Hat
Suse
-
CVE-2026-8004
MEDIUM
CVSS 4.3
Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-8003
MEDIUM
CVSS 5.4
Insufficient validation of untrusted input in TabGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7999
MEDIUM
CVSS 4.3
Inappropriate implementation in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7998
MEDIUM
CVSS 5.4
Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7996
MEDIUM
CVSS 4.2
Insufficient validation of untrusted input in SSL in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7993
MEDIUM
CVSS 4.2
Insufficient validation of untrusted input in Payments in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7989
MEDIUM
CVSS 4.2
Insufficient data validation in DataTransfer in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Medium)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7986
MEDIUM
CVSS 4.3
Insufficient policy enforcement in Autofill in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7983
MEDIUM
CVSS 4.3
Out of bounds read in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Buffer Overflow
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7982
MEDIUM
CVSS 6.5
Uninitialized Use in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7979
MEDIUM
CVSS 4.3
Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7977
MEDIUM
CVSS 6.3
Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Privilege Escalation
Google
Red Hat
Suse
-
CVE-2026-7972
MEDIUM
CVSS 4.3
Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7971
MEDIUM
CVSS 6.3
Inappropriate implementation in ORB in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
Privilege Escalation
Google
Red Hat
Suse
-
CVE-2026-7969
MEDIUM
CVSS 4.3
Integer overflow in Chrome's Network component prior to version 148.0.7778.96 allows remote attackers to bypass same-origin policy after compromising the renderer process via a crafted HTML page. The vulnerability requires renderer compromise and user interaction, limiting real-world risk despite network-accessible attack surface. No active exploitation has been confirmed; a vendor patch is available.
Buffer Overflow
Google
Red Hat
Suse
-
CVE-2026-7964
MEDIUM
CVSS 4.2
Insufficient input validation in the FileSystem API in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to perform arbitrary file read and write operations through a malicious HTML page. The vulnerability requires prior renderer compromise and user interaction with a crafted page, limiting its attack surface despite network-accessible vectors. Vendor has released a patched version.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7962
MEDIUM
CVSS 5.4
Insufficient policy enforcement in DirectSockets API in Google Chrome prior to version 148.0.7778.96 allows remote attackers to perform arbitrary read and write operations through a crafted malicious Chrome extension. The vulnerability requires user interaction (extension installation) but affects the core security model of the browser's socket access control, exposing local network resources to unauthorized access by untrusted extensions.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7961
MEDIUM
CVSS 4.3
Google Chrome prior to version 148.0.7778.96 contains insufficient validation of untrusted input in the Permissions system, allowing attackers on the local network segment to leak cross-origin data through malicious network traffic. The vulnerability requires network adjacency but no user interaction or authentication, affecting confidentiality with medium Chromium severity. Patch is available from Google.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7960
MEDIUM
CVSS 5.3
Information disclosure in Google Chrome prior to 148.0.7778.96 allows remote attackers who have compromised the renderer process to extract potentially sensitive data from process memory through a race condition triggered by a crafted HTML page. The vulnerability requires renderer process compromise and user interaction but results in high confidentiality impact with no integrity or availability consequences. Chromium security team rates this as Medium severity; no active exploitation has been publicly confirmed.
Information Disclosure
Google
Race Condition
Red Hat
Suse
-
CVE-2026-7958
MEDIUM
CVSS 5.4
Uncontrolled XSS vulnerability in Google Chrome's ServiceWorker implementation prior to version 148.0.7778.96 allows attackers to inject arbitrary scripts or HTML into web pages when users install a malicious Chrome extension, bypassing same-origin policy protections. The vulnerability requires user interaction (extension installation) but can be exploited remotely with low attack complexity. CVSS score of 5.4 reflects medium severity; no active exploitation has been publicly reported.
XSS
Google
Red Hat
Suse
-
CVE-2026-7955
MEDIUM
CVSS 5.3
Uninitialized memory use in the GPU component of Google Chrome prior to version 148.0.7778.96 allows remote attackers who have compromised the renderer process to extract potentially sensitive information from process memory through a malicious HTML page. The vulnerability requires renderer process compromise as a precondition and user interaction to trigger, but once achieved, enables confidentiality breach with no code execution or denial of service impact. Vendor-released patch available in Chrome 148.0.7778.96.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7953
MEDIUM
CVSS 6.1
Unvalidated Omnibox input in Google Chrome prior to version 148.0.7778.96 enables remote attackers to inject arbitrary scripts and HTML (universal XSS) via malicious network traffic, affecting users who click on crafted links. The vulnerability requires user interaction but crosses security boundaries due to its scope impact. No active exploitation has been publicly confirmed, though a patch is available from Google.
Google
Code Injection
Red Hat
Suse
-
CVE-2026-7952
MEDIUM
CVSS 4.2
Insufficient policy enforcement in Chrome Extensions prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to bypass discretionary access controls via a crafted HTML page, potentially leading to unauthorized information disclosure or modification. The vulnerability requires user interaction and a pre-existing renderer compromise, limiting its practical exploitation scope. A vendor-released patch is available in Chrome 148.0.7778.96 and later.
Authentication Bypass
Google
Red Hat
Suse
-
CVE-2026-7950
MEDIUM
CVSS 5.4
Out-of-bounds read and write in the GFX component of Google Chrome prior to version 148.0.7778.96 allows remote attackers to perform arbitrary memory read and write operations through malicious network traffic. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but does not require authentication. Chromium rated the security severity as Medium; CVSS 5.4 reflects moderate impact (confidentiality and integrity compromise without availability loss). No active exploitation confirmed in CISA KEV at time of analysis.
Buffer Overflow
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7947
MEDIUM
CVSS 4.2
UI spoofing via insufficient input validation in Google Chrome prior to 148.0.7778.96 allows a remote attacker who has already compromised the renderer process to craft malicious HTML pages that deceive users about legitimate UI elements. The attack requires renderer process compromise as a prerequisite and user interaction with the crafted page, limiting real-world applicability to multi-stage attacks. Chromium assessed this as medium severity; no public exploit code or active exploitation has been identified.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7946
MEDIUM
CVSS 4.3
Insufficient policy enforcement in Chrome's WebUI on Linux, Mac, Windows, and ChromeOS prior to 148.0.7778.96 allows a remote attacker with a compromised renderer process to bypass site isolation via a crafted HTML page, potentially exposing sensitive cross-site data. The vulnerability requires user interaction (UI:R) and prior renderer compromise, limiting its standalone exploitability. Vendor-released patch available in version 148.0.7778.96.
Authentication Bypass
Google
Microsoft
Red Hat
Suse
-
CVE-2026-7943
MEDIUM
CVSS 4.2
Insufficient input validation in ANGLE (Almost Native Graphics Layer Engine) in Google Chrome prior to version 148.0.7778.96 allows remote attackers who have compromised the renderer process to perform arbitrary memory read and write operations via a crafted HTML page. The vulnerability requires renderer process compromise as a precondition, user interaction, and high attack complexity, making it a post-exploitation vector rather than a primary attack surface. Patch is available from vendor.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7942
MEDIUM
CVSS 4.3
Integer overflow in ANGLE graphics library in Google Chrome prior to version 148.0.7778.96 allows remote attackers to leak cross-origin data by delivering a crafted HTML page that triggers the vulnerability. The vulnerability requires user interaction (visiting a malicious webpage) but can bypass same-origin policy protections, exposing sensitive data from other domains. No public exploit code or active exploitation has been confirmed at analysis time.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7941
MEDIUM
CVSS 4.4
Insufficient input validation in Google Chrome on Android prior to version 148.0.7778.96 allows local attackers to inject arbitrary scripts or HTML via a crafted Chrome Extension, leading to Universal Cross-Site Scripting (UXSS). The vulnerability requires user interaction and local system access but poses a medium risk due to its ability to bypass same-origin policy protections within the browser context. No public exploit has been identified at the time of analysis.
Google
Code Injection
Red Hat
Suse
-
CVE-2026-7939
MEDIUM
CVSS 5.4
Google Chrome versions prior to 148.0.7778.96 contain an XSS vulnerability in the SanitizerAPI that allows remote attackers to inject arbitrary scripts or HTML through crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but carries medium severity due to its ability to compromise confidentiality and integrity. No public exploit code or active exploitation in CISA KEV has been identified at the time of analysis.
XSS
Google
Red Hat
Suse
-
CVE-2026-7936
MEDIUM
CVSS 4.3
Out-of-bounds memory read in Google Chrome's V8 JavaScript engine allows remote attackers to disclose sensitive information via a crafted HTML page. Affects Chrome versions prior to 148.0.7778.96. The vulnerability requires user interaction (opening a malicious page) but operates over the network with no authentication required. While classified as medium severity by Chromium, the impact is limited to information disclosure without code execution capability.
Buffer Overflow
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7935
MEDIUM
CVSS 5.4
UI spoofing vulnerability in Google Chrome prior to 148.0.7778.96 allows remote attackers to deceive users through crafted HTML pages that manipulate the speech interface, potentially disclosing sensitive information or causing denial of service. The vulnerability requires user interaction (clicking or interacting with the malicious page) and affects the speech component's visual presentation. Chromium severity is rated Medium; no active exploitation has been publicly confirmed.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7934
MEDIUM
CVSS 4.2
Insufficient input validation in Google Chrome's Popup Blocker prior to version 148.0.7778.96 enables a remote attacker with a compromised renderer process to bypass navigation restrictions and access restricted content via a crafted HTML page. The vulnerability requires renderer process compromise and user interaction, limiting real-world exploitability despite its authentication bypass classification. No public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
Google
Red Hat
Suse
-
CVE-2026-7933
MEDIUM
CVSS 4.3
Out-of-bounds read in WebCodecs video processing in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to leak sensitive memory contents via a crafted video file. The vulnerability requires user interaction to open a malicious video, but affects all users regardless of authentication. Chrome 148.0.7778.96 and later versions patch this information disclosure vulnerability, which could expose cryptographic keys, session tokens, or other sensitive data resident in adjacent memory.
Buffer Overflow
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7932
MEDIUM
CVSS 4.4
Insufficient policy enforcement in Chrome's Downloads feature prior to version 148.0.7778.96 allows local attackers with user interaction to bypass navigation restrictions and access sensitive download locations via a crafted HTML page, potentially leading to information disclosure or file manipulation. The vulnerability requires local access and user engagement with a malicious page, limiting its scope to targeted social engineering rather than remote mass exploitation.
Authentication Bypass
Google
Red Hat
Suse
-
CVE-2026-7931
MEDIUM
CVSS 5.4
UI spoofing in Google Chrome on iOS prior to version 148.0.7778.96 allows remote attackers to deceive users through crafted HTML pages that manipulate the browser interface. The vulnerability stems from insufficient validation of untrusted input and has a CVSS score of 5.4 (medium severity). Exploitation requires user interaction with a malicious webpage but can result in information disclosure and denial of service on affected iOS devices.
Information Disclosure
Google
Apple
Red Hat
Suse
-
CVE-2026-7924
MEDIUM
CVSS 6.5
Uninitialized memory use in Dawn (GPU abstraction layer) in Google Chrome prior to version 148.0.7778.96 allows remote attackers to read potentially sensitive information from process memory by opening a crafted HTML page. The vulnerability requires user interaction (clicking/viewing the malicious page) but no authentication, and has a high confidentiality impact. Chromium security team classified this as high severity; no public exploit code or active exploitation has been confirmed at time of analysis.
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7915
MEDIUM
CVSS 4.3
Insufficient data validation in DevTools in Google Chrome on Android prior to version 148.0.7778.96 allows remote attackers to bypass navigation restrictions by sending a crafted HTML page, requiring user interaction to open the malicious page. The vulnerability has a low CVSS score (4.3) due to limited confidentiality impact and requirement for user click, but affects all Android users running vulnerable versions. A vendor-released patch is available.
Authentication Bypass
Google
Red Hat
Suse
-
CVE-2026-7912
MEDIUM
CVSS 4.2
Integer overflow in the GPU component of Google Chrome on Android prior to version 148.0.7778.96 enables a remote attacker whose renderer process has been compromised to execute arbitrary read and write operations via a malicious HTML page. The vulnerability requires prior compromise of the renderer process and user interaction, limiting its standalone exploitability but creating a significant secondary threat following renderer exploitation. Chromium security team rated this as high severity; no public exploit code or active exploitation has been identified at time of analysis.
Buffer Overflow
Google
Red Hat
Suse
-
CVE-2026-7904
MEDIUM
CVSS 4.3
Out-of-bounds memory read in Google Chrome's font handling allows remote attackers to leak sensitive information via a crafted HTML page when users visit a malicious website. Chrome versions prior to 148.0.7778.96 are affected. The vulnerability requires user interaction (clicking a link or visiting a page) but occurs over the network without authentication. Information disclosure risk is limited (CVSS C:L) with no impact on integrity or availability, but the Chromium security severity designation of High indicates concern about potential information leakage in real-world exploitation.
Buffer Overflow
Information Disclosure
Google
Red Hat
Suse
-
CVE-2026-7573
MEDIUM
CVSS 5.0
Authorization bypass in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows authenticated low-privilege users to retrieve complete ACL policies, roles, and permissions for any user across all organizations by supplying targeted Name and Org parameters. The vulnerability affects any organization running vulnerable versions where users have valid authentication credentials, enabling privilege escalation through unauthorized access to sensitive authorization metadata.
Authentication Bypass
Suse
-
CVE-2026-7572
MEDIUM
CVSS 4.4
Off-by-one error in Velocidex Velociraptor before version 0.76.5 on Windows and Linux causes denial of service when parsing specially crafted .evtx files through the parse_evtx VQL plugin. Local attackers with user-level privileges can crash the Velociraptor process by uploading or providing malformed event log files, disrupting forensic investigations and incident response operations. The vulnerability requires user interaction (file upload/selection) but grants an attacker both integrity and availability impact despite the CVSS 4.4 (Medium) rating.
Denial Of Service
Microsoft
Suse
-
CVE-2026-7457
MEDIUM
CVSS 6.4
Stored cross-site scripting in LatePoint calendar booking plugin for WordPress versions up to 5.5.0 allows authenticated customers to inject malicious scripts via unsanitized profile fields (first name, last name, phone, notes) that execute in administrators' browsers when notification templates are previewed. Exploitation requires customer-level access and admin interaction to preview a notification template, but achieves code execution in a high-privilege context (administrator or agent browser session) with scope change from single user to multiple users.
WordPress
XSS
-
CVE-2026-6863
MEDIUM
CVSS 6.8
Velociraptor versions prior to 0.76.4 allow authenticated users with reader role in the root organization to bypass cross-organization authorization controls via HTTP API GET requests, enabling them to read arbitrary files from other organizations regardless of their permissions in those target organizations. The vulnerability requires high privilege context (authenticated reader in root org) but has high confidentiality impact across organization boundaries. This is a horizontal privilege escalation affecting multi-tenant deployments where organizational isolation is a critical security boundary.
Authentication Bypass
Suse
-
CVE-2026-6860
MEDIUM
CVSS 6.9
Wildcard TLS certificate validation in Eclipse Vert.x allows remote attackers to bypass Server Name Indication (SNI) hostname verification by presenting arbitrary subdomains matching wildcard patterns, potentially disclosing sensitive server configuration and enabling certificate reuse across unintended service endpoints. The vulnerability affects Vert.x versions using unbounded SNI cache mechanisms without proper hostname validation constraints, and is fixed by implementing bounded LRU caching with proper synchronization and hostname matching enforcement.
Information Disclosure
-
CVE-2026-6672
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in SliceWP Affiliates plugin for WordPress (versions up to 1.2.7) allows authenticated contributors and above to inject arbitrary JavaScript via unsanitized shortcode attributes in the 'slicewp_affiliate_url' shortcode. The injected scripts execute in the browsers of all users accessing the affected page, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified, but the vulnerability is straightforward to exploit given the low attack complexity and requires only contributor-level WordPress access.
WordPress
XSS
-
CVE-2026-6420
MEDIUM
CVSS 6.3
Keylime verifier uses a hardcoded challenge nonce instead of cryptographically random values for TPM quote attestation, allowing local attackers with root access on enrolled machines to capture valid quotes and replay them to bypass detection after system compromise. The vulnerability affects only push-model deployments and requires root privileges on the monitored endpoint; exploitation enables information disclosure and system integrity evasion with CVSS 6.3 severity.
Information Disclosure
Red Hat
Suse
-
CVE-2026-6344
MEDIUM
CVSS 4.9
Fluent Forms plugin for WordPress up to version 6.2.1 allows authenticated administrators to read arbitrary files readable by the web server through path traversal in the getAttachments() method of EmailNotificationActions. The vulnerability stems from insufficient validation of file-upload URLs in admin notification configurations, permitting attackers to supply traversal sequences like <upload_baseurl>/../../<target> to access sensitive files such as wp-config.php containing database credentials and authentication salts. While unauthenticated users can trigger email notifications, the exploit requires administrator-level access to configure the malicious notification attachment.
PHP
WordPress
Path Traversal
-
CVE-2026-5753
MEDIUM
CVSS 6.5
Missing authorization in All-in-One WP Migration Unlimited Extension for WordPress versions up to 2.83 allows authenticated subscribers to create scheduled export jobs without capability verification, enabling attackers to exfiltrate full site backups by redirecting notifications to attacker-controlled email addresses and leveraging exposed backup filenames for download. This results in complete site data disclosure including sensitive information accessible to low-privilege authenticated users.
WordPress
Authentication Bypass
Information Disclosure
-
CVE-2026-3291
MEDIUM
CVSS 6.9
Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.
Information Disclosure
Google
Samsung
HP
-
CVE-2026-3208
MEDIUM
CVSS 5.3
Unauthenticated attackers can retrieve PIX payment QR code images for arbitrary WooCommerce orders via the unprotected 'mp_pix_image' API endpoint in Mercado Pago payments for WooCommerce plugin versions up to 8.7.11, exposing sensitive merchant data including PIX keys, transaction amounts, merchant identity, and Mercado Pago transaction references. The vulnerability requires no authentication, user interaction, or special configuration, and exploits a missing capability check in the WordPress REST API handler. No public exploit code or active exploitation has been confirmed at the time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-2306
MEDIUM
CVSS 4.3
Authenticated subscribers can create arbitrary database tables in WordPress installations running Ninja Tables plugin version 5.2.6 and earlier via missing authorization checks on the createFluentCartTable function. This allows low-privileged users to pollute the database and cause resource exhaustion without requiring administrative access, affecting any site where subscribers have plugin interaction permissions.
WordPress
Authentication Bypass
Denial Of Service
-
CVE-2025-71295
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
fs/buffer: add alert in try_to_free_buffers() for folios without buffers
try_to_free_buffers() can be called on folios with no buffers attached
when filemap_release_folio() is invoked on a folio belonging to a mapping
with AS_RELE...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2025-71294
MEDIUM
CVSS 5.5
Null pointer dereference in the AMD GPU (amdgpu) DRM subsystem can cause denial of service when the SDMA block is disabled and buffer_funcs initialization is skipped, allowing local authenticated users to crash the kernel via uninitialized function pointer access.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2025-71286
MEDIUM
CVSS 5.5
Memory allocation underflow in the Linux kernel ASoC SOF (Sound Open Firmware) ipc4-topology module allows local authenticated users to trigger a denial of service via bytes control handling that fails to account for the full data structure size. The vulnerability affects kernel versions prior to specific stable releases (6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0) where the allocation size calculation omits the sof_ipc4_control_data structure, potentially causing memory exhaustion or kernel crash when processing audio topology configuration.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2025-71285
MEDIUM
CVSS 5.5
Null pointer dereference in the Linux kernel QRTR (Qualcomm IPC Router) driver via MHI auto_queue feature causes denial of service on Qualcomm X1E80100 CRD machines during boot. The vulnerability occurs when the MHI stack invokes the DL (downlink) callback before the QRTR client driver is fully probed, accessing uninitialized driver structures. A local privileged attacker can trigger kernel panic by exploiting the race condition between MHI buffer auto-queuing and driver initialization, affecting systems relying on QRTR over MHI transport.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2025-71274
MEDIUM
CVSS 4.7
Use-after-free vulnerability in the Linux kernel rpmsg subsystem allows local attackers with low privileges to cause denial of service by exploiting a race condition between driver_override_show() and driver_override_store() functions. The show function reads the driver_override string without holding the device_lock while the store function modifies and frees it under lock, creating a window for memory corruption. The vulnerability requires local access and non-default timing conditions (AC:H), limiting real-world exploitation probability to 0.02% per EPSS scoring.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2025-71273
MEDIUM
CVSS 5.5
Memory leak in rtw88 WiFi driver allows local authenticated attackers to cause denial of service via supported band allocation failure. The rtw_set_supported_band() function in the rtl8821ce WiFi driver failed to free allocated memory in error paths during hardware registration, enabling a local privilege escalation attack that exhausts kernel memory. EPSS exploitation probability is very low (0.02%), indicating this is a hardening fix rather than a critical vulnerability.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2025-71272
MEDIUM
CVSS 5.5
Resource leak in Linux kernel's most_register_interface() function allows local attackers with low privileges to cause denial of service through memory exhaustion. The vulnerability occurs when most_register_interface() fails during early initialization stages, returning error codes without properly releasing allocated device resources via put_device(). Patch versions 6.12.75, 6.18.16, 6.19.6, and 7.0 address this issue.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2025-71271
MEDIUM
CVSS 5.5
Memory leak in hfsplus filesystem driver causes denial of service when superblock setup fails during mount operations. The vulnerability affects Linux kernels when hfsplus is mounted and the setup_bdev_super() function fails after superblock allocation but before hfsplus_fill_super() completes, leaving filesystem-specific data unfreed. Local authenticated users can trigger this condition to exhaust kernel memory and crash the system.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2025-52613
MEDIUM
CVSS 4.6
HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the application to known security weaknesses. Authenticated local attackers with high complexity conditions can achieve limited information disclosure and integrity compromise (CVSS 4.6). No active exploitation or public POC identified at time of analysis.
Authentication Bypass
Information Disclosure
-
CVE-2025-31978
MEDIUM
CVSS 4.6
HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated users to inject formulas or malicious content that executes when recipients open the files in spreadsheet applications. An attacker with legitimate service management access can craft payloads in data fields that, when exported and opened by targeted users, may exfiltrate information or trigger unintended actions, though modern Excel versions mitigate this with untrusted content warnings. CVSS 4.6 reflects moderate risk limited to authenticated users and required user interaction (opening the file).
Information Disclosure
-
CVE-2025-31976
MEDIUM
CVSS 4.8
HCL BigFix Service Management (SM) exposes insufficiently protected credentials during backend internal application communication, allowing network-based attackers to potentially exfiltrate and misuse them. The vulnerability affects all versions of the product and requires specific attack conditions (high complexity), resulting in limited confidentiality and integrity impact without availability compromise. No public exploit code or active exploitation has been confirmed.
Information Disclosure
-
CVE-2025-31970
MEDIUM
CVSS 5.3
HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling attackers to inject and execute arbitrary scripts through cross-site scripting (XSS) vectors without authentication or user interaction. This network-accessible vulnerability affects all versions and results in information disclosure with a CVSS score of 5.3; no active exploitation has been reported.
XSS
-
CVE-2025-31960
MEDIUM
CVSS 5.3
HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module. Unauthenticated remote attackers can trigger unhandled exceptions by submitting invalid or out-of-range values to the consumer_company parameter during report-viewing requests, exposing application details in error messages. CVSS score is moderate (5.3) but reflects low confidentiality impact with no integrity or availability impact.
Information Disclosure
-
CVE-2026-44405
LOW
CVSS 3.4
Paramiko through version 4.0.0 before commit a448945 accepts SHA-1-based RSA signatures (ssh-rsa algorithm) in host key verification and authentication contexts, violating modern cryptographic standards and enabling signature forgery attacks. The vulnerability affects SSH clients and servers using Paramiko for key exchange and authentication, allowing remote attackers on the same network segment to potentially forge host keys or perform man-in-the-middle attacks by exploiting the deprecated SHA-1 hash algorithm. No public exploit code has been identified at time of analysis, though the issue is cryptographically fundamental and OSTIF security audit documentation exists.
Information Disclosure
-
CVE-2026-44242
LOW
CVSS 3.7
Memory exhaustion in Micronaut Core's ResourceBundleMessageSource allows unauthenticated remote attackers to exhaust heap memory by sending HTTP requests with crafted Accept-Language headers that populate an unbounded bundleCache. Vulnerable applications must explicitly register a ResourceBundleMessageSource bean and serve HTML error responses; each unique locale value creates a persistent cache entry (100-200 bytes for non-matching locales, or several KB if bundles match), and sustained attack over thousands of requests causes gradual heap degradation with partial availability impact (CVSS 3.7, AC:H). The sibling messageCache is properly bounded at 100 entries, but bundleCache uses an uncontrolled ConcurrentHashMap, allowing unbounded growth keyed by (Locale, baseName) pairs derived from untrusted HTTP headers.
Denial Of Service
Java
-
CVE-2026-44111
LOW
CVSS 2.3
OpenClaw before version 2026.4.15 allows authenticated users with access to the memory tool to read arbitrary Markdown files within the workspace root by bypassing path restrictions in the QMD backend's memory_get function. The vulnerability enables attackers to access workspace Markdown files outside canonical memory locations or indexed QMD result sets, effectively circumventing the intended memory-path policy. No public exploit code or active exploitation has been identified.
Authentication Bypass
Canonical
-
CVE-2026-43089
None
In the Linux kernel, the following vulnerability has been resolved:
xfrm_user: fix info leak in build_mapping()
struct xfrm_usersa_id has a one-byte padding hole after the proto
field, which ends up never getting set to zero before copying out to
userspace. Fix that up by zeroing out the whole st...
Information Disclosure
Linux
-
CVE-2026-43088
None
In the Linux kernel, the following vulnerability has been resolved:
net: af_key: zero aligned sockaddr tail in PF_KEY exports
PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr
payload space, so IPv6 addresses occupy 32 bytes on the wire. However,
`pfkey_sockaddr_fill()` initi...
Information Disclosure
Linux
-
CVE-2026-43087
None
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: mcp23s08: Disable all pin interrupts during probe
A chip being probed may have the interrupt-on-change feature enabled on
some of its pins, for example after a reboot. This can cause the chip to
generate interrupts for pi...
Denial Of Service
Linux
-
CVE-2026-43086
None
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix NULL deref in ip_vs_add_service error path
When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local
variable sched is set to NULL. If ip_vs_start_estimator() subsequently
fails, the out_err cleanup calls i...
Information Disclosure
Linux
-
CVE-2026-43085
None
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()
appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via
nlmsg_put(), ...
Information Disclosure
Linux
-
CVE-2026-43082
None
In the Linux kernel, the following vulnerability has been resolved:
net: txgbe: leave space for null terminators on property_entry
Lists of struct property_entry are supposed to be terminated with an
empty property, this driver currently seems to be allocating exactly the
amount of entry used.
Ch...
Information Disclosure
Linux
-
CVE-2026-43081
None
In the Linux kernel, the following vulnerability has been resolved:
net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+
Fix the field masks to match the hardware layout documented in
downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*).
Notably this fixes a WARN I was seeing when I tried ...
Information Disclosure
Linux
-
CVE-2026-43080
None
In the Linux kernel, the following vulnerability has been resolved:
l2tp: Drop large packets with UDP encap
syzbot reported a WARN on my patch series [1]. The actual issue is an
overflow of 16-bit UDP length field, and it exists in the upstream code.
My series added a debug WARN with an overflow c...
Buffer Overflow
Linux
Debian
-
CVE-2026-43079
None
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel/uncore: Skip discovery table for offline dies
This warning can be triggered if NUMA is disabled and the system
boots with fewer CPUs than the number of CPUs in die 0.
WARNING: CPU: 9 PID: 7257 at uncore.c:1157 unco...
Buffer Overflow
Linux
Intel
-
CVE-2026-42448
LOW
CVSS 3.5
Path traversal vulnerability in Magic Wormhole receive command allows authenticated attackers to write files outside the intended output directory when the specified output directory already exists, enabling arbitrary file write with low complexity via network delivery of a specially crafted transfer request.
Path Traversal
-
CVE-2026-8028
LOW
CVSS 2.9
FlowiseAI Flowise up to version 3.0.12 allows remote unauthenticated information disclosure through manipulation of the account verification endpoint. An attacker can exploit improper input validation in the verify function of the account service to extract sensitive information over the network. Publicly available exploit code exists, and the vendor has recommended upgrading to address this issue.
Information Disclosure
-
CVE-2026-8022
LOW
CVSS 3.1
Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low)
XSS
Google
-
CVE-2026-8017
LOW
CVSS 3.1
Side-channel information leakage in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Google
-
CVE-2026-7968
LOW
CVSS 3.1
Insufficient validation of untrusted input in CORS handling in Google Chrome prior to version 148.0.7778.96 allows a remote attacker who has compromised the renderer process to bypass the same-origin policy via a crafted HTML page, potentially leading to unauthorized information disclosure. The vulnerability requires renderer process compromise and user interaction, resulting in a CVSS score of 3.1 (low severity). No public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
Google
-
CVE-2026-7966
LOW
CVSS 3.1
Insufficient input validation in SiteIsolation allows remote attackers who have compromised the Chrome renderer process to bypass site isolation protections via a crafted HTML page, potentially leaking sensitive data across site boundaries. The vulnerability affects Chrome versions prior to 148.0.7778.96 and requires prior renderer compromise and user interaction, resulting in low real-world exploitation probability despite the authentication bypass classification.
Authentication Bypass
Google
-
CVE-2026-7965
LOW
CVSS 3.1
Google Chrome versions prior to 148.0.7778.96 contain insufficient input validation in DevTools that allows remote attackers with a compromised renderer process to leak cross-origin data through crafted HTML pages. The vulnerability requires user interaction and a pre-compromised renderer, limiting real-world exploitation but presenting a significant attack chaining vector for multi-stage exploits. Patch available from vendor.
Information Disclosure
Google
-
CVE-2026-7959
LOW
CVSS 3.1
Bypass of Chrome's site isolation security feature in versions prior to 148.0.7778.96 allows a remote attacker with a compromised renderer process to access cross-site data via a crafted HTML page. The vulnerability requires renderer process compromise as a precondition, limiting real-world risk despite the criticality of bypassing site isolation. Vendor-released patch: version 148.0.7778.96 and later.
Authentication Bypass
Google
-
CVE-2026-7954
LOW
CVSS 3.1
Google Chrome prior to version 148.0.7778.96 contains a race condition in shared storage that allows a remote attacker with a compromised renderer process to leak cross-origin data through a crafted HTML page. The vulnerability requires user interaction and renderer compromise but can disclose sensitive information across origin boundaries, classified as medium severity by Chromium security team.
Information Disclosure
Google
Race Condition
-
CVE-2026-7949
LOW
CVSS 3.1
Out-of-bounds read in Skia graphics library within Google Chrome prior to version 148.0.7778.96 allows remote attackers who have compromised the renderer process to leak cross-origin data through a crafted Chrome Extension. The vulnerability requires user interaction and relies on renderer compromise, limiting real-world exploitation despite the information disclosure impact. Chromium classified this as Medium severity; no active exploitation has been publicly confirmed.
Buffer Overflow
Information Disclosure
Google
-
CVE-2026-7945
LOW
CVSS 3.1
Insufficient validation of Cross-Origin-Opener-Policy (COOP) headers in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to bypass site isolation protections via a crafted HTML page. The vulnerability requires renderer compromise and user interaction, limiting real-world exploitation to targeted attacks against users whose Chrome renderer is already under attacker control. Chromium rates the security severity as Medium; vendor patch is available.
Authentication Bypass
Google
-
CVE-2026-7944
LOW
CVSS 3.1
Insufficient validation of untrusted input in the Persistent Cache of Google Chrome prior to version 148.0.7778.96 allows a remote attacker who has already compromised the renderer process to bypass site isolation protections via a specially crafted HTML page, enabling unauthorized disclosure of sensitive information from other sites. The vulnerability requires prior renderer compromise and user interaction, limiting real-world exploitability despite network-accessible attack vector. No public exploit code or active exploitation has been identified.
Authentication Bypass
Google
-
CVE-2026-7937
LOW
CVSS 3.1
Insufficient policy enforcement in Chrome DevTools prior to version 148.0.7778.96 allows attackers to bypass navigation restrictions through a malicious extension, requiring user installation and interaction. The vulnerability has a low CVSS score (3.1) due to high attack complexity and user interaction requirements, resulting in limited confidentiality impact with no integrity or availability effects. Patch is available from Google.
Authentication Bypass
Google
-
CVE-2026-7909
LOW
CVSS 3.1
Site isolation bypass in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to circumvent Chrome's site isolation security boundary through a crafted HTML page. The vulnerability requires user interaction and a pre-compromised renderer, limiting real-world impact despite being triggered remotely. No public exploit code or active exploitation has been confirmed at the time of analysis.
Authentication Bypass
Google
-
CVE-2025-62345
LOW
CVSS 2.7
HCL BigFix RunBookAI 11.2 contains weak input handling in a text input component that may disclose sensitive information to high-privilege users. The vulnerability stems from continued reliance on less-secure input validation mechanisms, creating operational risk through potential misconfiguration. While the CVSS score is low (2.7) due to requirement for high-privilege access and limited confidentiality impact, the information disclosure channel could expose credentials or operational data to authenticated administrators.
Information Disclosure
-
CVE-2025-59854
LOW
CVSS 3.1
HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Security Policy, allowing attackers with low privileges to potentially exploit browser-specific XSS protections or bypass intended security controls. The vulnerability requires high attack complexity and authenticated access, limiting practical exploitation but indicating security posture degradation in a production analytics platform.
XSS
-
CVE-2025-59853
LOW
CVSS 3.1
HCL DFXAnalytics exposes detailed stack traces in application responses due to improper error handling, allowing authenticated remote attackers with low privileges to gain insights into the application's internal structure, code logic, and environment configurations. The vulnerability requires high attack complexity and produces limited confidentiality impact, resulting in a CVSS score of 3.1. No active exploitation or public exploit code has been identified at the time of analysis.
Information Disclosure
-
CVE-2025-59852
LOW
CVSS 3.7
HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to intercept and read confidential information. The vulnerability requires high attack complexity (likely man-in-the-middle positioning) but affects all versions of the product when unencrypted channels are in use. No active exploitation has been reported, and the low CVSS score (3.7) reflects limited confidentiality impact with no integrity or availability compromise.
Information Disclosure
-
CVE-2025-59851
LOW
CVSS 3.7
HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers with high effort to gain limited unauthorized access. The application fails to update or isolate vulnerable dependencies, potentially enabling exploitation of publicly disclosed security flaws in embedded components to bypass authentication or extract sensitive information.
Authentication Bypass
-
CVE-2025-31984
LOW
CVSS 3.7
HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type sniffing that could lead to malicious content being interpreted as executable code. The vulnerability requires local authentication, high attack complexity, and user interaction, affecting confidentiality and availability with a CVSS score of 3.7. No active exploitation or public exploit code is documented at time of analysis.
Information Disclosure