Skip to main content
CVE-2026-0300 CRITICAL POC KEV PATCH THREAT CISA NEWS Act Now

Remote code execution in Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls via specially crafted packets. CISA KEV confirms active exploitation in the wild with publicly available exploit code. EPSS risk assessment is not provided, but the vulnerability achieves maximum impact with minimal attack complexity (CVSS 9.3, AV:N/AC:L/PR:N), making this a critical priority for immediate remediation. The attack surface is significantly reduced when access to the portal is restricted to trusted internal networks per vendor best practices.

Paloalto Memory Corruption Buffer Overflow RCE
NVD VulDB GitHub
CVSS 4.0
9.3
EPSS
14.9%
Threat
5.3
CVE-2026-44262 CRITICAL POC PATCH GHSA Act Now

Remote code execution in Scramble API documentation generator versions 0.13.2 through 0.13.21 allows unauthenticated attackers to execute arbitrary PHP code when documentation endpoints are publicly accessible and validation rules reference user-controlled input. Fixed in version 0.13.22. The CVSS score of 9.4 (Critical) reflects the network-accessible, low-complexity attack requiring no authentication, though exploitation requires specific configuration where documentation endpoints remain enabled and validation rules incorporate request-supplied data. No active exploitation (CISA KEV) or public POC identified at time of analysis, but the GitHub security advisory provides full technical details enabling reproduction.

PHP Code Injection RCE
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-43948 CRITICAL PATCH GHSA Act Now

Complete account takeover in wger Python fitness management platform allows authenticated gym managers with no gym assignment (gym=None) to reset passwords of any other unaffiliated user and receive the new plaintext password in the HTTP response body. The vulnerability stems from a Django ORM authorization check that incorrectly evaluates None != None as False, bypassing the tenant isolation guard. Newly registered users default to gym=None state, making every public-registration wger deployment vulnerable. CVSS 9.9 Critical severity with scope change (cross-tenant impersonation). GitHub advisory GHSA-mhc8-p3jx-84mm confirms exploitation requires only low privilege (delegated gym.manage_gym permission) with no user interaction, enabling permanent victim lockout as original passwords are invalidated.

Authentication Bypass Python Docker
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-43186 CRITICAL PATCH Act Now

Heap buffer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) packet processing allows remote unauthenticated attackers to corrupt kernel memory and trigger system crashes. Attackers send crafted IPv6 packets with inconsistent IOAM trace headers (nodelen=0 with type bits set), causing __ioam6_fill_trace_data() to write ~100 bytes beyond allocated memory into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is low (0.05%, 16th percentile) and no active exploitation or public POC has been identified. Vendor patches available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Buffer Overflow Linux Memory Corruption Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-43125 CRITICAL PATCH Act Now

Remote unauthenticated attackers can cause critical out-of-bounds writes in the Linux kernel's Distributed Lock Manager (DLM) subsystem by sending malformed network messages with unvalidated length parameters to dlm_dump_rsb_name(). When the length exceeds DLM_RESNAME_MAXLEN, dlm_search_rsb_tree() writes beyond allocated buffers, enabling arbitrary code execution, denial of service, or information disclosure. Patches available for kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit or active exploitation has been identified at time of analysis, despite the critical CVSS 9.8 score.

Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43208 CRITICAL PATCH Act Now

Out-of-bounds memory access in Linux kernel RPS (Receive Packet Steering) subsystem allows remote unauthenticated attackers to trigger kernel crashes or potentially achieve code execution with SYSTEM privileges. The flaw stems from incorrect assumptions about RPS hash table sizing across receive queues, introduced in commit 48aa30443e52. Exploitation requires no authentication (CVSS AV:N/PR:N) but EPSS probability remains low at 0.02% (4th percentile), suggesting limited real-world targeting. Patches available for stable kernel branches 6.18.16, 6.19.6, and 7.0.

Linux Buffer Overflow Memory Corruption Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43198 CRITICAL PATCH Act Now

Race condition in Linux kernel TCP/IPv6 stack allows remote unauthenticated attackers to trigger use-after-free conditions during IPv6-mapped IPv4 socket creation, potentially achieving arbitrary code execution or denial of service. The flaw occurs in tcp_v6_syn_recv_sock() where child socket visibility in the TCP hash table races with incomplete IPv6 structure initialization, causing other CPUs to access invalid memory via newinet->pinet6 pointing to listener data. Vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical CVSS 9.8 rating, suggesting this requires specific IPv6-mapped IPv4 configuration and precise timing to exploit.

Information Disclosure Linux Race Condition
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43185 CRITICAL PATCH Act Now

Heap buffer overflow in Linux kernel ksmbd SMB Direct negotiation allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability stems from a signedness bug where a malicious SMB Direct client sends a crafted preferred_send_size value (0x80000000) that bypasses minimum size validation, then follows with an oversized message (>1420 bytes) triggering heap corruption. With CVSS 9.8 critical severity and network-accessible attack vector requiring no authentication, this represents a severe pre-auth remote code execution risk. EPSS score of 0.02% suggests limited observed exploitation activity. Vendor patches available across multiple stable kernel branches.

Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-7908 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to break out of the browser's security sandbox through a use-after-free vulnerability in the Fullscreen API component. Attackers can deliver exploitation via a specially crafted HTML page requiring only user visit to the page (no additional interaction). With CVSS 9.6 (Critical) and scope change indicating containment breach, this represents a serious risk to browser security model integrity. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-7910 CRITICAL PATCH Act Now

Use-after-free in the Views component of Google Chrome versions prior to 148.0.7778.96 enables site isolation bypass after renderer compromise. A remote attacker who has already compromised the renderer process can escape sandbox protections via a malicious HTML page, potentially accessing cross-origin data or executing code outside the renderer sandbox. Patch released by Google in version 148.0.7778.96. EPSS score of 0.02% (3rd percentile) indicates very low probability of exploitation in the wild currently, with no evidence of active exploitation or public proof-of-concept at time of analysis.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-29080 CRITICAL POC PATCH GHSA Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.

SQLi PostgreSQL Java Python Oracle +1
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-43114 CRITICAL PATCH Act Now

A logic error in Linux kernel netfilter's AVX2-accelerated nft_set_pipapo matching allows incorrect element matching when flushing and reloading sets with composite keys (e.g., 'ipv4 . port'). The AVX2 code path prematurely returns non-matching entries during multi-field lookups, causing false collision reports when reinserting elements after a set flush. This affects netfilter firewall rule processing on systems with AVX2 CPU support. With CVSS 9.4 (AV:N/AC:L/PR:N/UI:N), the vector suggests critical network-accessible impact, though the description indicates this is a firewall rule management bug rather than a direct remote exploitation path. EPSS score of 0.02% (5th percentile) and no KEV listing suggest low real-world exploitation likelihood. Patches available across stable kernel branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-44364 CRITICAL PATCH GHSA Act Now

A Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability was due to the home blueprint being exempted from CSRF protection. This could allow modification of session query data in the context of the authenticated user. The issue was fixed by enabling CSRF protection for the affected blueprint and hardening query parsing. As reported by Bilal Teke.

CSRF
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-7875 CRITICAL PATCH Act Now

Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to escape isolation and read arbitrary host files via crafted message IDs and attachment paths, with potential for recursive deletion of host directories during outbox cleanup. The vulnerability exploits insufficient validation of outbound attachment filenames and symlink resolution in the host-side message handling code. Upstream fix available (GitHub commit 7814e45) but released patched version not independently confirmed. No public exploit identified at time of analysis, though proof-of-concept test cases demonstrate both file exfiltration and destructive cleanup paths.

Path Traversal Nanoclaw
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-44109 CRITICAL PATCH GHSA Act Now

OpenClaw's Feishu webhook integration fails open when encryptKey is missing or callback tokens are blank, allowing remote unauthenticated attackers to bypass signature verification and replay protection mechanisms. Attackers can submit crafted webhook requests or malformed card-action callbacks directly to command dispatch without authentication, enabling arbitrary command execution. Vendor-confirmed authentication bypass; patch released in version 2026.4.15. No public exploit code or CISA KEV listing identified at time of analysis, but the fail-open behavior and network attack vector (CVSS AV:N/AC:L/PR:N) make this highly exploitable against misconfigured deployments.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-43585 CRITICAL PATCH GHSA Act Now

Bearer token revocation bypass in OpenClaw gateway allows attackers to authenticate using rotated-out tokens until process restart. OpenClaw gateway HTTP and WebSocket handlers captured bearer authentication configuration at startup, failing to re-resolve credentials after SecretRef rotation. Attackers possessing a previously valid token can maintain unauthorized gateway access to /v1/* endpoints, /tools/invoke, plugin routes, and canvas upgrade paths even after operators rotate secrets, believing the old token is revoked. Fixed in version 2026.4.15. CVSS 9.2 reflects network-accessible attack with high complexity; no public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-43575 CRITICAL PATCH Act Now

Authentication bypass in OpenClaw 2026.2.21 through 2026.4.9 allows remote unauthenticated attackers to access the sandbox noVNC helper route and gain unauthorized control of interactive browser sessions. The vulnerability exposes session credentials by failing to enforce bridge authentication on the /sandbox/novnc endpoint. OpenClaw is an open-source AI agent framework. Patch available in version 2026.4.10 and later. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-41930 CRITICAL PATCH Act Now

Hard-coded credentials in Vvveb's Docker deployment expose the entire application database to unauthenticated remote attackers. Versions prior to 1.0.8.2 ship with pre-configured phpMyAdmin credentials in docker-compose-apache.yaml, allowing direct database access without authentication. Attackers gain unrestricted read/write access to administrator password hashes, customer PII, and order data, enabling account takeover and data manipulation. CVSS 9.2 (Critical) reflects network-accessible attack with low complexity. Patch available in version 1.0.8.2 with vendor advisory confirmed by GitHub Security Advisory GHSA-g38h-mr9p-fjmf.

Authentication Bypass Docker Apache
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-44351 CRITICAL PATCH GHSA Act Now

{ sub: 'attacker', admin: true, iat: 1777372426, exp: 1777372486 }

Authentication Bypass Node.js
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-43578 CRITICAL PATCH Act Now

Privilege escalation in OpenClaw 2026.3.31 through 2026.4.9 allows remote unauthenticated attackers to maintain elevated execution context by injecting malicious async completion events that bypass heartbeat owner-downgrade detection. The flaw stems from incomplete pattern matching in local background exec completion filtering, enabling attackers to submit untrusted completion content that prevents proper privilege de-escalation after operations complete. Vendor-released patch available in version 2026.4.10 and later. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, but CVSS 9.1 critical rating reflects network-accessible attack surface with no authentication required.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
9.1
EPSS
0.1%
CVE-2026-5081 CRITICAL Act Now

Predictable session ID generation in Apache::Session::Generate::ModUniqueId 1.54-1.94 allows remote unauthenticated attackers to forge session tokens and hijack user sessions. The vulnerability stems from using Apache mod_unique_id values as session identifiers-these values are deterministic and constructed from publicly observable or easily guessable components (server IP, process ID, timestamp, counter). With CVSS 9.1 and SSVC automation classification, this enables systematic session hijacking at scale despite no confirmed active exploitation.

Apache Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43117 CRITICAL PATCH Act Now

A kernel crash occurs in Linux btrfs filesystem tracepoint code when OverlayFS is layered on top of btrfs. The btrfs_sync_file() event handler incorrectly dereferences dentry->d_sb, which resolves to the overlay superblock instead of the underlying btrfs superblock, causing a kernel panic during fsid assignment. This affects Linux kernel versions from initial git commit (1da177e4c3f4) through multiple stable branches until patched releases 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Vendor patches are available across all affected stable kernel branches.

Denial Of Service Linux
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-40010 CRITICAL PATCH GHSA Act Now

Session fixation in Apache Wicket AuthenticatedWebSession allows remote unauthenticated attackers to hijack user sessions and escalate privileges by fixing session identifiers before authentication completes. Affects Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite critical CVSS 9.1, suggesting this requires specific deployment conditions. Not listed in CISA KEV; no public POC identified at time of analysis. Apache has published vendor advisories with fix versions across all three major release branches.

Session Fixation Apache Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43197 CRITICAL PATCH Act Now

Out-of-bounds memory reads in Linux kernel netconsole subsystem allow information disclosure and system crashes via unterminated console messages. The vulnerability affects Linux kernel 6.6+ including 6.18.x and 6.19.x branches, triggered by netconsole's failure to validate message buffer boundaries when converting to NBCON console infrastructure. Vendor patches available for 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% suggests minimal real-world exploitation despite CVSS 9.1 rating. No public exploit identified at time of analysis.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43083 CRITICAL PATCH Act Now

Out-of-bounds memory access in Linux kernel IOAM6 networking code allows remote unauthenticated attackers to read sensitive kernel memory or crash systems via crafted IPv6 packets with IOAM trace options. The vulnerability triggers when RX queue indices from ingress devices exceed TX queue counts on egress devices, causing array boundary violations in network qdisc operations. Additionally, a missing spinlock enables race conditions in queue statistics access from concurrent softirq and process contexts. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation. Vendor patches available across multiple stable kernel branches.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-42555 CRITICAL PATCH GHSA Act Now

Spring Expression Language injection in Valtimo (open-source business process platform) allows authenticated ADMIN users to execute arbitrary OS commands and exfiltrate credentials. The vulnerability exists in DocumentMigrationService (versions 12.0.0-12.31.0 and 13.0.0-13.22.0) and the Condition framework (13.4.0-13.22.0), both of which use StandardEvaluationContext to evaluate user-supplied SpEL expressions without restrictions. Attackers can invoke Runtime.exec(), access environment variables containing database passwords and API keys, and load arbitrary Java classes. Vendor-released patches are available (12.32.0, 13.23.0). No public exploit identified at time of analysis, EPSS data not available.

Code Injection Java RCE
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-29090 CRITICAL POC PATCH GHSA Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL against the PostgreSQL metadata database when the postgres_meta plugin is configured. The vulnerability exists in FilterEngine.create_postgres_query where attacker-controlled filter parameters are interpolated directly into raw SQL via Python str.format. Exploitation enables complete database compromise including extraction of authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and session hijacking. Remote code execution is possible via PostgreSQL COPY...FROM PROGRAM if database privileges permit. CVSS 9.9 (Critical) reflects the scope change and cascading impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, but attack complexity is low (AC:L) requiring only basic authenticated access.

PostgreSQL Python SQLi RCE
NVD GitHub
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-43581 CRITICAL PATCH Act Now

Chrome DevTools Protocol exposure in OpenClaw sandbox browser allows adjacent network attackers to remotely control sandboxed Chrome instances and access sensitive data. The CDP relay binds to 0.0.0.0 without source IP restrictions in versions before 2026.4.10, enabling attackers on the same Docker network to bypass sandbox isolation and execute arbitrary JavaScript in browser contexts. Vendor-released patch available (v2026.4.10); no public exploit identified at time of analysis. CVSS 9.0 reflects adjacent network attack vector with high confidentiality, integrity, and availability impact across virtual and system scopes.

Information Disclosure Google Chrome
NVD GitHub
CVSS 4.0
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy