Skip to main content
CVE-2026-42589 CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in Gotenberg 8.29.1 allows network attackers to execute arbitrary OS commands via newline injection in PDF metadata keys. The `/forms/pdfengines/metadata/write` endpoint passes user-controlled JSON metadata keys directly to ExifTool without control-character validation. Embedding `\n` in a key splits ExifTool's stdin stream, injecting arbitrary flags including `-if` which evaluates Perl expressions. Attack returns HTTP 200 with valid PDF output, evading basic monitoring. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible RCE. No vendor-released patch identified at time of analysis — GitHub advisory GHSA-rqgh-gxv4-6657 confirms the issue but CPE data shows no fixed version. Publicly available exploit code exists in Python and bash with OOB exfiltration. Default Docker image `gotenberg/gotenberg:8` runs the vulnerable process as uid 1001 with root group membership, amplifying post-exploitation impact.

Command Injection Python RCE Docker Google
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6722 CRITICAL POC PATCH NEWS Act Now

Use-after-free memory corruption in PHP 8.2.x enables remote attackers to achieve high-impact exploitation through network-accessible attack vectors, despite high attack complexity and specific timing requirements. PHP 8.2.31 addresses this vulnerability along with seven other security issues in a coordinated security release. The CVSS v4.0 score of 9.5 reflects both confidentiality and integrity impact across vulnerable and subsequent systems, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, but the vendor urgency indicator (U:Red) and release coordinator emphasis (RE:M) signal critical priority for organizations running PHP 8.2.x in production environments.

Microsoft PHP Use After Free Memory Corruption Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.5
EPSS
0.3%
CVE-2026-42826 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Unauthorized information disclosure in Azure DevOps allows remote unauthenticated attackers to access sensitive data via network requests and potentially compromise the system with high confidentiality, integrity, and availability impact. The vulnerability carries a maximum CVSS 10.0 score with scope change, indicating cross-boundary impact. Microsoft has released an official patch, and no active exploitation has been reported via CISA KEV at the time of analysis.

Microsoft Information Disclosure
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-33109 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code across tenant boundaries. The vulnerability involves improper access control (CWE-284) enabling scope escape with complete compromise of confidentiality, integrity, and availability. Microsoft has released a patch per MSRC advisory. CVSS 9.9 (Critical) reflects network-based attack with low complexity, low privileges required, and changed scope indicating container/tenant escape potential.

Authentication Bypass Microsoft Apache
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-35428 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Command injection in Azure Cloud Shell enables remote attackers to execute arbitrary commands and spoof user sessions when victims interact with malicious content. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), allowing network-based attackers to achieve high impact across confidentiality, integrity, and availability with scope change (S:C), indicating potential container escape or cross-tenant impact. Microsoft has released a patch per MSRC advisory. EPSS data not available, no CISA KEV listing identified, suggesting targeted rather than widespread exploitation at time of analysis.

Microsoft Command Injection
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-33823 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Authorization bypass in Microsoft Teams enables authenticated attackers to escalate privileges across security boundaries and access sensitive information from other tenants or user contexts. The CVSS score of 9.6 reflects a scope change (S:C), indicating the attacker can impact resources beyond their authorized permissions with high confidentiality and integrity impact. Vendor-released patch available from Microsoft Security Response Center. No public exploit identified at time of analysis, with CVSS temporal metrics indicating unproven exploitability (E:U).

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-33844 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code when a user interacts with a malicious payload. CVSS 9.0 (Critical) with scope change indicates container/tenant escape potential. Microsoft released a patch (MSRC update guide), and CVSS temporal metrics confirm remediation available with complete confidence, though no confirmed active exploitation or public POC identified at time of analysis.

Microsoft Apache Information Disclosure
NVD VulDB
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-43997 CRITICAL PATCH GHSA Act Now

Remote code execution in vm2 Node.js sandbox library (versions ≤3.10.5) allows attackers to escape isolation and execute arbitrary system commands by exploiting incomplete host Object protections. Attackers leverage JavaScript prototype chain manipulation to obtain host-context symbols, enabling injection of malicious code into Node.js inspection routines. Publicly available exploit code exists with working proof-of-concept demonstrating command execution via child_process. CVSS 10.0 (Critical) with network attack vector and no authentication required. Fixed in vm2 3.11.0, part of coordinated release addressing 13 sandbox-escape vulnerabilities.

Code Injection RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-44006 CRITICAL PATCH GHSA Act Now

Prototype chain manipulation in vm2 Node.js sandbox library enables complete sandbox escape and remote code execution via util.inspect handler leakage. Attackers can exploit BaseHandler.getPrototypeOf through crafted objects to access host process primitives and execute arbitrary system commands. Public exploit code exists (vendor-published PoC demonstrates child_process.execSync execution). Fixed in vm2 version 3.11.0 alongside 12 other critical sandbox escape vulnerabilities in coordinated security release.

Code Injection RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-44005 CRITICAL PATCH GHSA Act Now

vm2 npm package versions 3.9.6 through 3.10.5 allow sandbox escape through prototype pollution of host-realm intrinsic objects. Attackers execute arbitrary code by leveraging flawed proxy bridge implementation that writes sandbox mutations directly to shared host Object.prototype, Array.prototype, and Function.prototype instead of isolating changes to the sandbox realm. This vulnerability was patched in vm2 v3.11.0 as part of a coordinated release addressing 13 security advisories. Publicly available exploit code exists with minimal attack complexity (CVSS AC:L) requiring no authentication or user interaction (AV:N/PR:N/UI:N).

Code Injection RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-44523 CRITICAL PATCH GHSA Act Now

JWT secret validation bypass in Note Mark allows full account takeover through offline token forgery. The Go-based note-taking application accepts HS256 signing secrets shorter than RFC 7518's required 32 bytes, enabling attackers to capture a single valid JWT from network traffic or logs, brute-force the weak secret offline, and forge authentication tokens for any user including administrators. Publicly available exploit code exists (vendor-published PoC in GitHub advisory GHSA-q6mh-rqwh-g786). Vendor-released patch available in commit 18b587758667 and release v0.19.4. CVSS 10.0 reflects unauthenticated network exploitation with scope change, though real-world impact requires JWT capture as a prerequisite.

Python RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-43999 CRITICAL PATCH GHSA Act Now

vm2's NodeVM sandbox escape allows remote code execution when applications use the common `builtin: ['*', '-child_process']` configuration pattern. An attacker with the ability to submit code to the sandbox can bypass the builtin allowlist by requiring the `module` builtin, then using `Module._load()` to load explicitly excluded modules like `child_process` in the host context. This directly leads to arbitrary command execution on the host system. The vulnerability affects vm2 version 3.10.5, with a vendor-released patch available in version 3.11.0. CVSS score of 9.9 reflects critical severity with network attack vector, low complexity, and scope change from sandbox to host. No public exploit code or active exploitation evidence identified at time of analysis.

Authentication Bypass Node.js RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-41050 CRITICAL PATCH GHSA Act Now

ServiceAccount impersonation bypass in Rancher Fleet allows tenants with git push access to multi-tenant clusters to read secrets from any namespace across all downstream clusters. Two distinct code paths failed to properly apply RBAC constraints: Helm's lookup function executed with cluster-admin credentials instead of the impersonated ServiceAccount, and valuesFrom secret references in fleet.yaml bypassed namespace isolation. Confirmed active exploitation status unknown (not in CISA KEV). CVSS 9.9 with scope-change modifier reflects potential credential leakage to external services. Fleet versions 0.12.0 through 0.15.0 affected across multiple Rancher release branches. Patches available for all supported versions with detailed version matrix provided by SUSE.

Authentication Bypass Kubernetes Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-37709 CRITICAL PATCH GHSA Act Now

Remote unauthenticated attackers can execute arbitrary code in Snipe-IT versions 8.4.0 and earlier by uploading malicious files through the API's UploadedFilesController component. The vulnerability stems from an authorization bypass where file upload endpoints required only 'view' permission instead of 'update' permission, allowing attackers to upload and execute code without proper authentication. Fixed in commit 676a9958 (March 10, 2026). EPSS data not available. No CISA KEV listing identified at time of analysis. Public exploit code (POC) status unknown, though GitHub security advisory GHSA-xg82-2hrv-hf64 confirms the flaw.

Authentication Bypass PHP RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-42010 CRITICAL PATCH Act Now

Authentication bypass in GnuTLS affects servers that enable the RSA-PSK key exchange, where the PSK identity comparison treats a username containing an embedded NUL byte as equal to a legitimate truncated username. Remote attackers can send a crafted username to circumvent pre-shared-key authentication and gain unauthorized access. There is no public exploit identified at time of analysis, the EPSS probability is low (0.15%), and CISA SSVC scores exploitation as none - indicating high theoretical severity but no observed real-world abuse.

Authentication Bypass Gnutls Hardened Images Openshift Container Platform Enterprise Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-7415 CRITICAL Act Now

Anonymous MQTT access in Yarbo firmware v2.3.9 allows remote unauthenticated attackers on the local network to fully control the robotic lawn mower and exfiltrate sensitive telemetry data. The embedded MQTT broker accepts connections without credentials and enforces no topic-level access controls, enabling arbitrary publish/subscribe operations. No authentication, authorization, or message validation occurs. EPSS and KEV data not available; exploitation requires only network access to the robot's MQTT port (typically TCP 1883).

Authentication Bypass Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-63706 CRITICAL GHSA Act Now

NPM package next-npm-version1.0.1 is vulnerable to Command injection.

Command Injection Node.js Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-42581 CRITICAL PATCH GHSA Act Now

HTTP request smuggling in Netty's netty-codec-http (HttpObjectDecoder) lets remote attackers desynchronize message boundaries by sending an HTTP/1.0 request carrying both Transfer-Encoding: chunked and Content-Length. Netty's anti-smuggling sanitization that strips the conflicting Content-Length header only runs for HTTP/1.1, so on HTTP/1.0 Netty parses the body as chunked while leaving Content-Length intact for any downstream Content-Length-first proxy, which then treats trailing chunk bytes as a new request. Publicly available exploit code exists (a working EmbeddedChannel PoC test), but EPSS is very low (0.03%, 8th percentile) and it is not in CISA KEV.

Authentication Bypass Request Smuggling Java Nginx
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30496 CRITICAL Act Now

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightness, power, network protocols enable/disable (including TELNET), display modes, and other projector functions. Any device on the same network can control the projector without authentication.

Authentication Bypass Google N A
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-63703 CRITICAL GHSA Act Now

npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().

Node.js Prototype Pollution Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-63704 CRITICAL GHSA Act Now

Prototype pollution in query-string-parser 1.0.0 enables remote unauthenticated attackers to inject malicious properties into JavaScript object prototypes via crafted query parameters, achieving arbitrary code execution, privilege escalation, or denial of service in Node.js applications. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical rating. Publicly available proof-of-concept exists (GitHub Gist), but no CISA KEV listing confirms active exploitation. SSVC framework rates this as automatable with total technical impact but currently unexploited, suggesting opportunistic future risk rather than immediate widespread targeting.

Node.js Prototype Pollution Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-7414 CRITICAL Act Now

Hardcoded administrative credentials in Yarbo firmware v2.3.9 allow remote unauthenticated attackers to gain full device administrative access across all deployed units. The CVSS 9.8 critical score reflects the complete lack of authentication barriers (AV:N/AC:L/PR:N), with identical credentials embedded in every device that cannot be changed by end users. No active exploitation has been confirmed by CISA KEV, but a public GitHub repository reference suggests potential proof-of-concept availability. EPSS data unavailable, though the trivial exploitation path (no complexity, no privileges required) indicates high weaponization potential once credentials become widely known.

Authentication Bypass Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8091 CRITICAL PATCH Act Now

Remote code execution in Firefox ESR allows unauthenticated network attackers to achieve complete system compromise via malformed audio/video content. Mozilla has released patches in Firefox ESR 140.10.2 and Firefox ESR 115.35.2. Despite a critical CVSS 9.8 score and SSVC rating of 'total' technical impact with automatable exploitation, EPSS assigns only 0.01% exploitation probability (1st percentile), and no public exploit or active exploitation has been identified. The severity stems from the unauthenticated network attack vector against a boundary condition flaw in media playback - a user-facing feature in a widely-deployed browser component.

Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8094 CRITICAL PATCH Act Now

Remote code execution in Firefox ESR's WebRTC component allows unauthenticated network attackers to achieve arbitrary code execution with complete system compromise. The vulnerability affects Firefox ESR versions prior to 140.10.2 and carries a critical CVSS score of 9.8 with network attack vector requiring no authentication or user interaction. Despite the critical severity, EPSS probability remains exceptionally low at 0.01% (0th percentile) with no evidence of active exploitation, suggesting limited awareness or exploitation complexity despite the automatable nature assessed by CISA SSVC framework.

Mozilla Code Injection RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-36458 CRITICAL Act Now

ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.

SQLi Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-6508 CRITICAL PATCH Act Now

Remote unauthenticated attackers can bypass access control lists in Liderahenk 2.0.1, achieving complete system compromise with confidentiality, integrity, and availability impact. The origin validation flaw (CWE-346) allows attackers to access restricted functionality without proper authorization checks. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction. No EPSS data or CISA KEV status available, but the origin validation weakness combined with unrestricted network access creates high practical risk. Reported by Turkey's National Cyber Security Center (USOM), indicating potential targeting of Turkish government/organizational deployments.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-41589 CRITICAL PATCH GHSA Act Now

Path traversal in Wish SSH server's SCP middleware allows authenticated attackers to read arbitrary files, write arbitrary files, and create directories outside the configured root via crafted filenames containing ../ sequences. Affects charm.land/wish/v2 versions 2.0.0 through 2.0.1 and all github.com/charmbracelet/wish v1.x versions. Vendor-released patch v2.0.1 available for v2 branch; no fix confirmed for v1 branch. CVSS 9.6 with scope change indicates potential container/host escape scenarios. No evidence of active exploitation or public POC at time of analysis.

Path Traversal Wish
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-42880 CRITICAL PATCH GHSA Act Now

Kubernetes Secret extraction in Argo CD v3.2.0-3.2.10 and v3.3.0-3.3.8 allows authenticated users with read-only application permissions to retrieve plaintext credential data including service account tokens, TLS certificates, database passwords, and API keys via the ServerSideDiff endpoint. The vulnerability exists due to missing data masking in the gRPC/REST ServerSideDiff function, which returns raw Kubernetes Server-Side Apply dry-run responses containing unredacted Secret values from etcd when applications are annotated with 'IncludeMutationWebhook=true'. A functional proof-of-concept exploit exists demonstrating automated extraction of all accessible secrets. Vendor-released patches (3.2.11, 3.3.9) are available. CVSS 9.6 reflects network-exploitable, low-complexity attack requiring only low-privilege authenticated access with cross-scope high confidentiality/integrity impact.

Kubernetes Information Disclosure
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-6795 CRITICAL PATCH Act Now

Open redirect vulnerability in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to redirect users to malicious sites via parameter injection, achieving high-severity impact across confidentiality, integrity, and availability with scope change. The CVSS 9.6 (Critical) score reflects cross-site scope change and combined impacts, though typical open redirect attacks involve phishing rather than direct system compromise. TR-CERT published this vulnerability with vendor coordination through Turkish national CERT.

Open Redirect
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-42596 CRITICAL PATCH GHSA Act Now

Unauthenticated server-side request forgery (SSRF) in Gotenberg 8.30.1 and earlier allows remote attackers to force the server to make HTTP requests to internal/loopback addresses by bypassing default deny-lists with IPv4-mapped IPv6 notation (e.g., http://[::ffff:127.0.0.1]:port). The vulnerability affects both the downloadFrom file-fetching feature and the webhook delivery feature. Attackers can read content from internal HTTP endpoints and trigger state-changing requests against services bound to localhost, exposing internal APIs, cloud metadata endpoints, and admin interfaces. Fix available in version 8.32.0. No public exploit code confirmed outside the GitHub advisory PoC, not listed in CISA KEV, but CVSS 9.4 Critical rating reflects the network-accessible, unauthenticated nature and high confidentiality/integrity impact.

SSRF Microsoft Python Docker Google
NVD GitHub VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-44484 CRITICAL GHSA Act Now

Supply chain compromise in PyTorch Lightning versions 2.6.2 and 2.6.3 delivers credential-harvesting malware through the official PyPI distribution channel. Lightning AI confirmed malicious code was injected into these specific releases, targeting API keys, access tokens, SSH keys, and service account credentials. The compromised versions were quarantined from PyPI and users are directed to downgrade to known-clean version 2.6.1. The CVSS 9.3 score reflects network-accessible exploitation requiring no authentication or user interaction, though exploitation is limited to systems that specifically installed the two poisoned versions.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-44497 CRITICAL PATCH GHSA Act Now

Consensus divergence in Zebra 4.3.1 enables blockchain network partitioning through crafted transparent transactions with invalid sighash types. Insufficient error handling at the Rust-to-C++ FFI boundary causes Zebra to incorrectly accept transactions with undefined hash types by reusing stale buffer data from prior valid signature checks, while zcashd correctly rejects these transactions. Attackers can exploit this by chaining OP_CHECKSIGVERIFY with OP_CHECKSIG opcodes using invalid hash types to trigger acceptance on Zebra nodes but rejection on zcashd nodes, creating a consensus split that could enable double-spend attacks. Vendor-released patch: 4.4.0. No public exploit identified at time of analysis, but the technical mechanism is fully disclosed in the GitHub advisory GHSA-gq4h-3grw-2rhv.

Jwt Attack Information Disclosure
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-33587 CRITICAL Act Now

Server-Side Template Injection in Open Notebook v1.8.3 enables arbitrary Python code execution and OS command execution within the Docker container through unsanitized user input in transformation features. The vulnerability requires local access (CVSS AV:L) but no authentication or user interaction, making it exploitable by any application user with access to the transformation creation interface. No public exploit code identified at time of analysis, though the GitHub security advisory provides technical details for reproduction.

Python Docker Code Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-44498 CRITICAL PATCH GHSA Act Now

Zebra's block validator fails to count transparent signature operations correctly, allowing malicious miners to create blocks that exceed the 20,000 sigop consensus limit and trigger network splits between Zebra and zcashd nodes. The vulnerability affects Zebra versions prior to 4.4.0 and stems from two distinct accounting flaws: (1) coinbase input scriptSigs were excluded from legacy sigop counts, hiding up to 98 operations, and (2) P2SH redeem script sigops were only computed during mempool validation but never aggregated during block validation. A miner could craft a single block with 1,334+ P2SH spends to exceed the limit and partition the Zcash network. Vendor-released patch: Zebra 4.4.0 (confirmed by GitHub advisory GHSA-jv4h-j224-23cc). No public exploit identified at time of analysis.

Information Disclosure
NVD GitHub
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-44542 CRITICAL PATCH GHSA Act Now

Path traversal in FileBrowser allows unauthenticated attackers possessing a valid public share hash with delete permissions to delete arbitrary files anywhere within the share owner's storage scope. The vulnerability exists in both stable and development versions due to user-controlled path input being joined with trusted base paths before sanitization in middleware.go:111 and resource.go:274. Proof-of-concept exploit code is publicly available via GitHub advisory GHSA-fwj3-42wh-8673. Vendor-released patch available in commit 112740bdd41de7d5eb01e13ba49d406bfc463f69.

Path Traversal
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-40982 CRITICAL PATCH GHSA Act Now

Directory traversal in Spring Cloud Config server module allows remote unauthenticated attackers to read arbitrary files from the file system using specially crafted URLs. Affects Spring Cloud Config versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2, with patches available across all branches. The vulnerability achieves CVSS 9.1 (Critical) due to remote exploitation without authentication (AV:N/AC:L/PR:N/UI:N) and high confidentiality/integrity impact, though EPSS and KEV data are not available to confirm active exploitation status. VMware/Spring has released fixes for all affected versions.

Java Path Traversal Spring Cloud Config
NVD HeroDevs
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-42579 CRITICAL PATCH GHSA Act Now

Improper enforcement of RFC 1035 domain-name constraints in Netty's DNS codec (io.netty.handler.codec.dns.DnsCodecUtil) lets attacker-influenced names bypass validation in both directions: the decoder accepts oversized labels (>63 bytes) and total names (>255 bytes) from malicious DNS responses, growing an unbounded StringBuilder, while the encoder passes through null bytes and over-length labels and silently truncates on empty labels. This affects any Java application using netty-codec-dns or netty-resolver-dns (e.g. DnsNameResolver) up to 4.2.12.Final and 4.1.132.Final, enabling DNS cache poisoning, domain allowlist/validation bypass, and memory-exhaustion denial of service. Publicly available exploit code exists (vendor-supplied encoder and decoder PoCs verified on 4.2.12.Final), but EPSS is very low (0.04%, 13th percentile) and it is not in CISA KEV.

Denial Of Service Java
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-7891 CRITICAL Act Now

Anonymous authorization bypass in Mendix Studio Pro (all versions up to 11.8.0 Beta) causes the Anonymous user role to silently follow standard user-inheritance rules, so an unauthenticated visitor can read every record in an entity even when no access rights are configured for that role. Demonstrated in DIVD's VerySecureApp (≤1.1.0), the flaw exposes entire datasets to anonymous callers whenever anonymous access is enabled to publish an entity publicly. There is no public exploit identified at time of analysis, EPSS is very low (0.04%), and it is not on CISA KEV, but SSVC rates technical impact as total and automatable.

Information Disclosure Verysecureapp
NVD VulDB
CVSS 4.0
9.1
EPSS
0.0%
CVE-2026-42584 CRITICAL PATCH GHSA Act Now

HTTP response desynchronization in Netty's HttpClientCodec (netty-codec-http 4.1.x through 4.1.132.Final and 4.2.0.Alpha1 through 4.2.12.Final) lets a malicious or misbehaving server cause one request's response body to be parsed as another's. Because the codec polls its request queue once per inbound response — including for informational 1xx — a pipelined GET+HEAD sequence preceded by a 103 mispairs the HEAD with the GET's 200, leaving GET entity bytes on the wire so the following response is parsed from the wrong offset. Rated CVSS 9.1 (I:H/A:H), publicly available exploit code exists (a vendor PoC ships in the advisory), though EPSS is very low (0.04%) and it is not on CISA KEV.

Request Smuggling Information Disclosure Java
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-44007 CRITICAL PATCH GHSA Act Now

{nesting:true, require:false} are fully compromised — attackers can execute arbitrary OS commands as the host process user. Publicly available exploit code exists (proof-of-concept demonstrated command execution via child_process). CVSS 9.1 indicates high privileges required (PR:H), meaning the host must explicitly enable nesting:true, but the severity reflects scope change (S:C) when this non-default configuration is present. Vendor-released patch in vm2 3.11.1 converts contradictory configuration into a runtime error at NodeVM construction time, preventing silent sandbox escape.

Command Injection Authentication Bypass RCE Docker Node.js
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-41902 CRITICAL PATCH Act Now

{hash} endpoint accepts 60-character invite_hash values with no time-based expiration, remaining valid indefinitely until consumed. Attackers who obtain leaked invite links through forwarded emails, HTTP referrer logs, CDN access logs, or archived messages can set passwords for target accounts months or years post-issuance. CVSS 9.1 (Critical) with network vector and no authentication required. Patched in version 1.8.217 with 7-day invite expiration. EPSS and KEV data not available; no public exploit code identified at time of analysis.

Information Disclosure Freescout
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy