456 CVEs tracked today. 58 Critical, 146 High, 216 Medium, 21 Low.
-
CVE-2026-44670
CRITICAL
CVSS 9.4
Remote code execution in SiYuan's Electron desktop application allows authenticated attackers (or browser extensions on localhost) to inject malicious JavaScript through unescaped Attribute View names, escalating from stored XSS to arbitrary system command execution. The Go kernel backend stores AV names without HTML escaping, then embeds them via string replacement into HTML templates pushed over WebSocket. Three TypeScript renderer paths (render.ts, Title.ts, transaction.ts) consume this data using innerHTML/outerHTML without sanitization. Because the Electron main window runs with nodeIntegration:true and contextIsolation:false, script injection grants full Node.js API access—enabling attackers to spawn child processes (calc.exe/xcalc demonstrated in PoC), exfiltrate SSH keys, install backdoors, or pivot to cloud credentials. Payloads persist in JSON files under data/storage/av/, replicate across all sync transports (S3/WebDAV/cloud), survive .sy.zip export-import, and trigger for any user role (Administrator/Editor/Reader/Visitor) opening a document bound to the poisoned database view. CVSS 9.4 (Network/Low/None/High Confidentiality-Integrity-Availability + Scope Changed) reflects worst-case remote network vector, though the primary realistic attack path is via installed browser extensions (chrome-extension:// Origin explicitly allowlisted in session.go:277) calling the /api/transactions endpoint as an auto-granted admin on default installations with no Access Authorization Code. GitHub advisory GHSA-2h64-c999-c9r6 confirms patch available in kernel commit 0.0.0-20260512140701-d7b77d945e0d. No public exploit code identified at time of analysis, but detailed reproduction steps with curl payloads and Electron DevTools inspection are published in the advisory.
XSS
RCE
Google
Node.js
Apple
-
CVE-2026-44588
CRITICAL
CVSS 9.4
Remote code execution in SiYuan's Electron renderer occurs when users hover over search results, file tree items, or attribute view elements containing URL-encoded XSS payloads in document titles or metadata. The vulnerability chains a URL-decoding step (decodeURIComponent) with unsafe innerHTML assignment in tooltip rendering, bypassing the escapeAriaLabel sanitizer that only handles HTML entities but ignores %XX URL escapes. Because SiYuan's renderer runs with nodeIntegration:true and contextIsolation:false, the XSS escalates to arbitrary code execution via require('child_process'). Exploitation requires user interaction (hovering) but no authentication, and malicious payloads survive .sy.zip export/import and sync replication, enabling supply-chain and shared-workspace attacks. No public exploit code identified at time of analysis, though a detailed proof-of-concept is published in the GitHub advisory.
XSS
RCE
Python
Google
Apple
-
CVE-2026-44551
CRITICAL
CVSS 9.1
Remote authentication bypass in Open WebUI LDAP integration (versions ≤0.8.12) allows complete account takeover by submitting empty passwords. The vulnerability exploits RFC 4513 unauthenticated simple bind semantics: when LDAP is enabled, attackers can authenticate as any user, including administrators, with zero knowledge of actual passwords, gaining full access to chats, files, API keys, and settings. Affects deployments using OpenLDAP default configurations or certain Active Directory setups that accept empty-password binds. Vendor-released patch: version 0.9.0. CVSS 9.1 (Critical) reflects network-accessible, zero-privilege, zero-interaction exploitation with high confidentiality and integrity impact.
Authentication Bypass
Denial Of Service
Python
-
CVE-2026-44336
CRITICAL
CVSS 9.4
Arbitrary file write in PraisonAI's MCP server escalates to remote code execution through path traversal when user interaction triggers malicious tool calls. The praisonai mcp serve daemon accepts attacker-controlled path arguments without validation, allowing writes outside the intended ~/.praison/rules/ directory. Attackers can drop Python .pth files into site-packages to achieve code execution in any subsequent Python process run by the victim user. CVSS 9.4 with network vector and low complexity, though exploitation requires user interaction (PR:N/UI:P). No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis, but the detailed advisory provides sufficient information for weaponization.
RCE
Python
-
CVE-2026-44330
CRITICAL
CVSS 10.0
### Summary
free5GC's NEF mounts the `nnef-pfdmanagement` route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. `Authorization: Bearer not-a-real-token`) to read PFD application data via `GET /a...
Authentication Bypass
Docker
-
CVE-2026-44329
CRITICAL
CVSS 10.0
### Summary
free5GC's SMF mounts the `UPI` management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit `UPI` endpoints with no `Authorization` header at all, and the requests reach the SMF business handlers. In the running Dock...
Authentication Bypass
Docker
-
CVE-2026-44327
CRITICAL
CVSS 10.0
### Summary
free5GC's NEF mounts the `nnef-oam` route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no `Authorization` header at all and the handler returns `200 OK`. The current OAM handler is a stub that returns ...
Authentication Bypass
Docker
-
CVE-2026-44326
CRITICAL
CVSS 9.4
### Summary
free5GC's NEF mounts the `3gpp-traffic-influence` API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete traffic-influence subscriptions either with no `Authorization` header at all, or with a forged bear...
Authentication Bypass
Docker
-
CVE-2026-44315
CRITICAL
CVSS 9.4
### Summary
free5GC's NEF mounts the `3gpp-pfd-management` API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token (e.g. `Authorization: Bearer not-a-r...
Authentication Bypass
Docker
-
CVE-2026-44313
CRITICAL
CVSS 9.1
Server-Side Request Forgery in Linkwarden's fetchTitleAndHeaders function enables authenticated users to perform arbitrary HTTP requests against internal services and infrastructure. The vulnerability stems from inadequate URL validation that only verifies protocol prefixes (http:// or https://) without blocking internal address spaces, allowing attackers to scan internal networks, access metadata endpoints (e.g., cloud provider instance metadata), and potentially exfiltrate sensitive data from services not exposed to the internet. Exploitation requires only low-privilege authentication (PR:L) and can impact resources beyond the vulnerable application's security scope (S:C). Patched in version 2.13.0.
SSRF
-
CVE-2026-44212
CRITICAL
CVSS 9.3
Stored XSS in PrestaShop back-office Customer Service enables unauthenticated attackers to achieve full back-office takeover via malicious Contact Us form submissions. The vulnerability affects PrestaShop versions prior to 8.2.6 and 9.0.0-9.1.0, with patches released in versions 8.2.6 and 9.1.1. Despite the 9.3 CVSS score reflecting critical severity due to network attack vector, low complexity, and scope change, the CVSS UI:R requirement (user interaction) means exploitation requires a back-office employee to open the malicious customer thread. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation despite the critical impact potential.
XSS
Microsoft
-
CVE-2026-44211
CRITICAL
CVSS 9.6
## Summary
The `kanban` npm package (used by the `cline` CLI) starts a WebSocket server on `127.0.0.1:3484` with no Origin header validation. Any website a developer visits can silently connect to the kanban server via WebSocket and:
1. Leak sensitive data in real-time: workspace filesystem paths,...
Authentication Bypass
RCE
Denial Of Service
Information Disclosure
Google
-
CVE-2026-44128
CRITICAL
CVSS 9.3
Remote code execution in SEPPmail Secure Email Gateway versions prior to 15.0.2.1 enables unauthenticated attackers to execute arbitrary Perl code via the GINA UI. The vulnerability stems from an endpoint passing unsanitized user input directly to Perl's eval function, allowing complete system compromise. Reported by Switzerland's national CERT (NCSC.ch), this represents a critical pre-authentication attack surface requiring immediate patching.
RCE
Code Injection
-
CVE-2026-44126
CRITICAL
CVSS 9.2
Remote code execution in SEPPmail Secure Email Gateway via insecure deserialization allows unauthenticated attackers to execute arbitrary code through the GINA UI interface. Versions prior to 15.0.4 deserialize untrusted data without validation, enabling attackers to send crafted serialized objects that execute upon processing. CVSS 9.2 reflects network-accessible attack with low complexity requiring only present attack conditions, though no active exploitation (KEV) or public POC has been identified at time of analysis.
Deserialization
-
CVE-2026-44125
CRITICAL
CVSS 9.3
Authorization bypass in SEPPmail Secure Email Gateway versions prior to 15.0.4 enables remote unauthenticated attackers to access privileged GINA UI endpoints without authentication. The vulnerability (CISA reported by Swiss NCSC) affects core access control mechanisms with CVSS 9.3 critical severity, allowing complete system compromise through network-accessible administrative interfaces. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, but the network-accessible attack vector with no authentication barrier presents immediate risk to internet-facing deployments.
Authentication Bypass
-
CVE-2026-44009
CRITICAL
CVSS 9.8
Remote code execution in VM2 (npm package) allows complete sandbox escape via null-prototype exception handling flaw. Attackers can execute arbitrary system commands on the host by exploiting a logic error in the exception proxy mechanism that incorrectly handles objects with null prototypes. Public exploit code exists and the vulnerability affects all versions prior to 3.11.2. The CVSS 9.8 severity reflects network-accessible, unauthenticated exploitation requiring no user interaction; however, real-world risk depends on whether untrusted users can supply code to the VM2 sandbox in a given deployment.
RCE
Information Disclosure
-
CVE-2026-44008
CRITICAL
CVSS 9.8
Remote code execution in vm2 npm package (versions ≤3.11.1) allows attackers to escape the JavaScript sandbox via a prototype pollution technique targeting the neutralizeArraySpeciesBatch method. By installing a setter on Array.prototype[0] and triggering Buffer allocation, attackers gain access to the host Function constructor and can execute arbitrary system commands. Publicly available proof-of-concept exists (GHSA-9qj6-qjgg-37qq). CVSS 9.8 with network vector reflects the risk when vm2 is used to execute untrusted code in server-side applications. Vendor-released patch: vm2 v3.11.2 addresses this and two other concurrent sandbox escapes.
RCE
Information Disclosure
-
CVE-2026-43944
CRITICAL
CVSS 9.4
Arbitrary local code execution in electerm (versions 3.0.6-3.8.14) allows remote attackers to execute malicious code on victim systems by tricking users into clicking crafted electerm:// deep links, opening malicious shortcuts, or running CLI commands with attacker-controlled --opts parameters. The vulnerability stems from insufficient input validation (CWE-20) on deep link and CLI arguments, enabling adversaries to inject arbitrary options that execute code with the privileges of the electerm process. Exploitation requires user interaction (clicking link or opening file) but no authentication, making it suitable for phishing or watering-hole attacks. Patch available in version 3.8.15 with deny-list controls blocking critical parameter override.
RCE
-
CVE-2026-43941
CRITICAL
CVSS 9.6
Arbitrary code execution in Electerm terminal client (≤3.8.15) allows attackers who control terminal output to execute commands or access local files when victims click hyperlinks. The unvalidated shell.openExternal call accepts any protocol scheme, enabling 'file://' URIs for local file access or platform-specific handlers for code execution. No vendor-released patch identified at time of analysis. GitHub Security Advisory GHSA-fwf6-j56g-m97c confirms the vulnerability. CVSS 9.6 reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires user interaction (clicking a malicious link).
RCE
-
CVE-2026-43465
CRITICAL
CVSS 9.8
Reference counting flaw in mlx5e network driver causes kernel memory corruption when XDP multi-buffer programs modify packet layouts via bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). Affects Linux kernel versions 6.18.x through 6.19.9, with vendor patches available for 6.18.19, 6.19.9, and 7.0. The vulnerability triggers negative page pool reference counts leading to memory management errors, discovered by the drivers/net/xdp.py selftest. While CVSS scores this 9.8 Critical with network vector, the technical context suggests local impact requiring specific XDP program execution. EPSS exploitation probability is low (0.02%, 4th percentile) with no evidence of active exploitation or public POC at time of analysis.
Information Disclosure
Linux
-
CVE-2026-43414
CRITICAL
CVSS 9.8
Double-free vulnerability in Linux kernel's qla2xxx SCSI driver allows remote code execution or denial of service through malformed Fibre Channel ELS commands. The qla24xx_els_dcmd_iocb() function incorrectly frees fcport structures twice during error handling: once via kref_put() calling qla2x00_els_dcmd_sp_free(), then again explicitly afterward. Despite the CVSS:3.1/AV:N score of 9.8, the network vector appears to reflect the driver's network-facing nature (Fibre Channel over IP or similar) rather than internet-accessible exploitation. EPSS score of 0.02% (5th percentile) indicates extremely low observed exploitation probability. Patches available across multiple stable kernel branches (6.9+, 6.19.9+, 7.0+) per upstream commits.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43407
CRITICAL
CVSS 9.1
Integer overflow in Linux kernel's libceph authentication handler enables remote memory corruption and potential system crash against unpatched systems. A malicious Ceph monitor can send a specially crafted CEPH_MSG_AUTH_REPLY message with payload_len exceeding INT_MAX, causing ceph_handle_auth_reply() to underflow a pointer and trigger out-of-bounds memory access. This allows remote unauthenticated attackers to potentially read sensitive kernel memory (high confidentiality impact) or crash the kernel (high availability impact) on systems using Ceph storage. CVSS 9.1 (Critical) reflects network attack vector with no authentication or user interaction required. EPSS score of 0.02% (7th percentile) suggests low observed exploitation likelihood. Vendor patches available for all affected kernel series (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0), but no active exploitation confirmed via CISA KEV.
Buffer Overflow
Information Disclosure
Linux
Debian
-
CVE-2026-43406
CRITICAL
CVSS 9.1
Out-of-bounds memory reads in Linux kernel's libceph messaging layer allow remote unauthenticated attackers to disclose kernel memory or trigger denial-of-service via malformed Ceph protocol frames. The vulnerability exists in process_message_header() when message frames are corrupted to make the control segment length smaller than the message header size, bypassing length validation. Vendor patches available for stable kernel versions 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% and no KEV listing suggest limited real-world exploitation observed despite network-accessible attack vector and unauthenticated access. Critical CVSS score of 9.1 reflects worst-case impact (high confidentiality and availability risk) if Ceph storage networking is exposed.
Buffer Overflow
Information Disclosure
Linux
-
CVE-2026-43402
CRITICAL
CVSS 9.8
Use-after-free in Linux kernel kthread subsystem enables memory corruption leading to arbitrary code execution or denial of service. The vulnerability arises when kernel threads exit via make_task_dead() instead of kthread_exit(), bypassing affinity_node cleanup. This causes dangling pointers in the global kthread_affinity_list that corrupt freed memory reused by the SLAB allocator, specifically overwriting RCU callback function pointers in struct pid objects. CVSS rates this 9.8 critical, though the network attack vector appears misclassified since kernel thread manipulation requires local code execution. EPSS score of 0.02% (4th percentile) indicates low predicted exploitation likelihood despite severity. Vendor patches available for Linux 6.18.19, 6.19.9, and 7.0 via upstream commits.
Denial Of Service
Linux
Use After Free
Memory Corruption
-
CVE-2026-43384
CRITICAL
CVSS 9.8
Timing attacks can compromise TCP Authentication Option (TCP-AO) message authentication codes in Linux kernel 6.7+ due to non-constant-time MAC comparison. Remote unauthenticated attackers on the network path can exploit timing differences during MAC validation to extract authentication secrets, defeating TCP-AO's connection authentication mechanism. Exploitation probability is low (EPSS 0.02%, 5th percentile) with no confirmed active exploitation, but vendor patches are available for affected stable branches including 6.12.78, 6.18.19, 6.19.9, and mainline 7.0.
Information Disclosure
Linux
-
CVE-2026-43383
CRITICAL
CVSS 9.4
Timing attacks against TCP MD5 authentication in Linux kernel allow remote attackers to forge connection signatures through MAC comparison oracle. The vulnerability exists because MAC (Message Authentication Code) comparisons in the TCP-MD5 implementation are not constant-time, enabling attackers to extract authentication secrets through timing side-channels. All Linux kernel versions from 2.6.20 through 6.19.9 are affected. Patches are available across all actively maintained stable branches (5.10, 6.1, 6.6, 6.12, 6.18, 6.19, 7.0). EPSS score of 0.02% suggests low automated exploitation probability, though the network-accessible attack vector and authentication bypass capability represent significant risk for systems using TCP MD5 signatures (RFC 2385).
Information Disclosure
Linux
-
CVE-2026-43379
CRITICAL
CVSS 9.8
Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to potentially execute arbitrary code, disclose sensitive information, or cause denial of service. The vulnerability stems from improper RCU lock handling in smb_lazy_parent_lease_break_close(), where the opinfo pointer is dereferenced after the RCU read unlock, creating a race condition. Patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). Despite the critical CVSS 9.8 score, EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-43378
CRITICAL
CVSS 9.8
Use-after-free in the Linux kernel's ksmbd SMB server (smb2_open()) allows remote attackers to potentially trigger memory corruption when accessing an opinfo pointer dereferenced after rcu_read_unlock(). The flaw is fixed in upstream stable releases (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43376
CRITICAL
CVSS 9.8
Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to execute arbitrary code, escalate privileges, or cause denial of service by racing oplock_info access during concurrent RCU read operations. The vulnerability stems from immediate kfree() without RCU grace period, enabling opinfo_get() to call atomic_inc_not_zero() on freed memory. CVSS 9.8 reflects network exploitability without authentication, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation attempts. Vendor patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) with fixes referenced in five upstream commits. Not listed in CISA KEV; no public exploit code identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-43341
CRITICAL
CVSS 9.8
Integer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) trace functionality allows remote unauthenticated attackers to trigger buffer overflow conditions. A crafted IOAM trace packet with specific schema configurations causes an 8-bit integer wraparound that bypasses buffer boundary checks, enabling memory corruption with potential for arbitrary code execution at kernel privilege level. CVSS scored 9.8 (Critical) with network attack vector, though EPSS score of 0.02% (7th percentile) suggests minimal observed exploitation activity. Patches available across multiple stable kernel versions (5.15, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, indicating vendor-prioritized remediation without confirmed active exploitation.
Authentication Bypass
Linux
-
CVE-2026-43304
CRITICAL
CVSS 9.8
Improper key length validation in the Linux kernel's libceph authentication subsystem allows remote unauthenticated attackers to trigger memory corruption during Ceph authentication key decoding. This affects systems using Ceph distributed storage clusters, with EPSS probability 0.02% (percentile 7%), indicating low immediate exploitation likelihood. Patches available across all supported kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) with commits linked in multiple stable trees, suggesting coordinated vendor response. No public exploit code or CISA KEV listing identified at time of analysis.
Information Disclosure
Linux
-
CVE-2026-42454
CRITICAL
CVSS 9.9
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed v...
RCE
Docker
Command Injection
-
CVE-2026-42302
CRITICAL
CVSS 9.8
FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to a...
Authentication Bypass
RCE
-
CVE-2026-42298
CRITICAL
CVSS 10.0
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a hi...
RCE
Docker
Code Injection
-
CVE-2026-42287
CRITICAL
CVSS 10.0
Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been patc...
SQLi
-
CVE-2026-42208
CRITICAL
CVSS 9.3
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read and modify database contents, gaining unauthorized access to managed LLM API credentials. The vulnerability is exploitable via crafted Authorization headers sent to any LLM API route (e.g., POST /chat/completions), triggering the injection through the proxy's error-handling path. Vendor-released patch available in version 1.83.7. No active exploitation confirmed (not in CISA KEV), but the attack vector is simple (CVSS 4.0: AV:N/AC:L/PR:N) and SQL injection POCs are widely known. Discovered by Tencent YunDing Security Lab.
SQLi
Red Hat
-
CVE-2026-42193
CRITICAL
CVSS 9.1
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook r...
Information Disclosure
Jwt Attack
-
CVE-2026-42160
CRITICAL
CVSS 10.0
Unauthorized API access in sovity Dataspace Portal versions 2.1.1 through 7.3.1 allows unauthenticated remote attackers to bypass authorization controls and access backend APIs using credentials from self-registered accounts in PENDING status. The vulnerability affects the open-source SaaS platform before organizations approve new user registrations, enabling information disclosure and potential data manipulation. Vendor-confirmed patch released in version 7.3.2 on 2026-04-20. CVSS 10.0 reflects a network-accessible attack with low attack complexity, no privileges required, and high impact across confidentiality, integrity, and availability in both the vulnerable and subsequent systems. No CISA KEV listing or public exploit identified at time of analysis.
Information Disclosure
-
CVE-2026-42072
CRITICAL
CVSS 9.8
NornicDB's Bolt server binds to all network interfaces (0.0.0.0) regardless of the --address CLI flag or server.host configuration, exposing the graph database with default admin:password credentials to any device on the same LAN. The HTTP server correctly honors bind address restrictions, but a configuration plumbing bug prevents the Bolt protocol listener from reading the intended host parameter. Vendor-released patch available in version 1.0.42-hotfix addresses the underlying CWE-1392 (Improper Binding of Resource to Another Sphere) by adding a Host field to the Bolt configuration and wiring the resolveBindAddress() function to both protocol listeners. GitHub security advisory GHSA-2hp7-65r3-wv54 confirms the vulnerability with reproduction steps showing netstat evidence of wildcard binding despite localhost configuration.
Information Disclosure
-
CVE-2026-41588
CRITICAL
CVSS 9.0
Timing attack vulnerability in RELATE's authentication module allows remote unauthenticated attackers to infer valid sign-in keys through response time analysis. The CWE-208 timing side-channel in course/auth.py's check_sign_in_key() function enables attackers to distinguish between valid and invalid authentication tokens by measuring server response latencies. While attack complexity is high (AC:H) due to the precise timing measurements required, successful exploitation grants full authentication bypass with cross-scope impact. Patched in commit 2f68e16. No public exploit identified at time of analysis. EPSS data not provided; CVSS 9.0 (Critical) reflects potential for complete system compromise via side-channel cryptanalysis.
Information Disclosure
-
CVE-2026-41584
CRITICAL
CVSS 9.2
Remote attackers can crash ZEBRA Zcash nodes by submitting a crafted Orchard transaction containing an identity value in the rk (randomized validating key) field, triggering a panic in the orchard crate's verification logic. All ZEBRA versions prior to 4.3.1 are affected. This critical denial-of-service vulnerability requires no authentication and has low attack complexity (CVSS 4.0: 9.2, AV:N/AC:L/PR:N). The issue stems from improper handling of the elliptic curve point identity value during transaction verification, where the orchard crate's unwrap() call on coordinate extraction causes an unhandled panic. Fixed in zebrad 4.3.1 and zebra-chain 6.0.2 by rejecting identity rk values during transaction parsing.
Denial Of Service
-
CVE-2026-41583
CRITICAL
CVSS 9.3
Consensus failure in Zebra nodes before 4.3.1 allows remote attackers to trigger network partitioning by submitting V4 or V5 transactions with invalid sighash hash types. After a refactoring removed critical validation logic from C++ FFI code, Zebra failed to enforce consensus rules restricting hash type values in transparent transaction signatures, creating divergence from zcashd nodes. Attackers can exploit this remotely without authentication (CVSS:4.0 AV:N/AC:L/PR:N) to partition the Zcash network and enable potential double-spend attacks. No public exploit identified at time of analysis, but GitHub advisory (GHSA-8m29-fpq5-89jj) confirms the attack mechanism and vendor-released patches are available.
Information Disclosure
Canonical
-
CVE-2026-41574
CRITICAL
CVSS 9.3
Authentication bypass in Nhost (open-source Firebase alternative) allows account takeover via OAuth email verification bypass. Attackers can claim a victim's email address on vulnerable OAuth providers (Discord, Bitbucket, AzureAD, EntraID) without verification, then authenticate to Nhost and receive a full session merged into the victim's existing account. The flaw affects multiple OAuth provider adapters that incorrectly populate the EmailVerified field: Discord silently drops the API's verified flag, Bitbucket accepts unconfirmed emails as verified, and Microsoft providers derive emails from non-ownership-proving fields like user principal names. Patched in version 0.49.1 per GitHub Security Advisory GHSA-6g38-8j4p-j3pr. No public exploit identified at time of analysis, but attack is trivially executable given the detailed technical disclosure.
Authentication Bypass
Microsoft
-
CVE-2026-41512
CRITICAL
CVSS 9.9
Remote code execution in ai-scanner versions 1.0.0 through 1.4.0 allows authenticated attackers to inject and execute arbitrary JavaScript code via the BrowserAutomation::PlaywrightService component. The vulnerability has a Critical CVSS score of 9.9 with scope change, enabling cross-boundary compromise of confidentiality, integrity, and availability. Vendor-released patch available in version 1.4.1 as of April 13, 2026, with GitHub Security Advisory GHSA-r27j-xxgx-f5vr confirming the fix.
RCE
Code Injection
Nvidia
-
CVE-2026-41507
CRITICAL
CVSS 9.8
Remote code execution in math-codegen npm package versions prior to 0.4.3 allows unauthenticated attackers to execute arbitrary system commands via string literal injection into the cg.parse() function. The vulnerability stems from unsanitized string literals being injected directly into new Function() bodies, enabling full command execution on any application exposing math evaluation endpoints that process user input. EPSS score not available, but this is a critical unauthenticated RCE requiring no special conditions beyond user input reaching the vulnerable parser. Vendor-released patch available in version 0.4.3.
RCE
Code Injection
-
CVE-2026-41500
CRITICAL
CVSS 9.8
Command injection in electerm's npm install script allows arbitrary command execution on macOS systems during 'npm install -g electerm'. The runMac() function in install.js:150 passes attacker-controlled remote release metadata (releaseInfo.name) directly to exec('open ...') without validation, enabling remote code execution as the installing user. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects theoretical network-based exploitation, though actual attack requires compromise of the project's update server or man-in-the-middle position during npm package installation. No public exploit identified at time of analysis. Vendor-released patch: version 3.3.8 (commit 59708b3).
Command Injection
Node.js
-
CVE-2026-41497
CRITICAL
CVSS 9.8
Command injection in PraisonAI's MCP server command handler enables remote unauthenticated attackers to execute arbitrary operating system commands. The vulnerability exists in parse_mcp_command() which accepts MCP server commands without validating executables or arguments, allowing injection of shell commands like 'bash -c', 'python -c', or '/bin/sh -c' with inline code execution. GitHub security advisory GHSA-9qhq-v63v-fv3j confirms this is an incomplete fix for CVE-2026-34935. Vendor-released patch version 4.6.9 (upstream version 1.5.69) implements an allowlist of permitted MCP executables and validates commands against ALLOWED_MCP_COMMANDS. No active exploitation confirmed (not in CISA KEV); proof-of-concept exploit code published in advisory demonstrates trivial exploitation.
RCE
Python
Command Injection
-
CVE-2026-38360
CRITICAL
CVSS 9.8
Remote code execution in dash-uploader (Python package for Plotly Dash) versions 0.1.0 through 0.7.0a2 allows unauthenticated remote attackers to execute arbitrary code via directory traversal flaws in the HTTP request handler. The vulnerability affects temp_root path handling and POST request processing, enabling attackers to write files outside intended upload directories. Public exploit code exists (GitHub repository CVE-2026-38360), and the CVSS 9.8 critical score reflects the network-accessible, no-authentication attack vector. EPSS data not available, but the combination of RCE impact, public POC, and trivial exploitation complexity (AC:L/PR:N) makes this a high-priority remediation target for any deployment using vulnerable dash-uploader versions.
RCE
Path Traversal
-
CVE-2026-37431
CRITICAL
CVSS 9.8
SQL injection in Beauty Parlour Management System v1.1 enables unauthenticated remote attackers to extract, modify, or delete database contents through the aptnumber parameter at the /appointment-detail.php endpoint. With CVSS 9.8 (critical severity) and a network-accessible exploit requiring no authentication, this represents a complete compromise vector. Public proof-of-concept code exists on GitHub, and the CISA SSVC framework rates it as automatable with total technical impact, though CISA KEV does not yet list active exploitation. EPSS data unavailable, but the combination of public POC, zero authentication requirements, and a straightforward SQLi exploitation pattern indicates a high probability of opportunistic scanning and exploitation.
PHP
SQLi
-
CVE-2026-25199
CRITICAL
CVSS 9.1
Unauthorized cross-tenant access in Apache CloudStack 4.21.0 through 4.22.0 allows remote unauthenticated attackers to gain full control over virtual machines belonging to other tenants via the Proxmox extension. Attackers exploit a user-editable 'proxmox_vmid' setting that lacks tenant ownership validation and predictable VM IDs to reference and control VMs across tenant boundaries, enabling VM start/stop/destroy operations. CVSS 9.1 indicates critical severity with network attack vector and no authentication required, though EPSS data and KEV status are not available to confirm active exploitation patterns.
Authentication Bypass
Apache
Information Disclosure
-
CVE-2026-8178
CRITICAL
CVSS 9.2
Remote code execution in Amazon Redshift JDBC Driver versions prior to 2.2.2 allows unauthenticated network attackers to execute arbitrary code by manipulating JDBC connection URL parameters under high-complexity conditions. The driver can be exploited to load and execute arbitrary classes from the application's classpath when specific connection URL parameters are controlled by an attacker. AWS released patch version 2.2.2 with GHSA advisory GHSA-wmmv-vvg5-993q. CVSS 9.2 (Critical) reflects high impact across confidentiality, integrity, and availability, though attack complexity is high and attack vector prerequisites are present.
RCE
-
CVE-2026-8153
CRITICAL
CVSS 9.8
Remote unauthenticated command injection in Universal Robots PolyScope Dashboard Server (versions <5.21.1) allows attackers to execute arbitrary OS commands on industrial robot controllers via network-crafted requests. With CVSS 9.8 (critical severity) and complete absence of authentication barriers, this vulnerability enables full robot controller compromise from remote network positions. No authentication, user interaction, or attack complexity required - exploitation is straightforward against default configurations exposing the Dashboard Server interface.
Command Injection
-
CVE-2026-8076
CRITICAL
CVSS 9.3
Brute-force authentication bypass in CashDro 3 web administration panel 24.01.00.26 enables remote unauthenticated attackers to gain full administrative access. The system accepts numeric PINs without account lockout mechanisms, a legacy design from 2012 POS integrations. Successful exploitation grants access to confidential configuration settings with high impact to confidentiality and integrity (CVSS 9.3). No public exploit identified at time of analysis, though exploitation is trivial given the vulnerability class. Patch available per vendor advisory from INCIBE.
Authentication Bypass
-
CVE-2026-6213
CRITICAL
CVSS 10.0
Remote code execution as root in Remote Spark SparkView before build 1122 allows network attackers to bypass local connection authentication checks and execute arbitrary commands with maximum privileges. CVSS 4.0 assigns the maximum 10.0 score with network vector, low complexity, and no authentication required (AV:N/AC:L/PR:N). The vendor description explicitly warns that depending on implementation, unauthenticated attackers can exploit this flaw. EPSS and KEV data not provided, but the combination of trivial exploitation conditions and root-level impact makes this critical for any organization running affected SparkView builds.
RCE
-
CVE-2025-69691
CRITICAL
CVSS 9.9
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
PHP
Authentication Bypass
RCE
-
CVE-2025-69690
CRITICAL
CVSS 9.1
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute...
PHP
RCE
Deserialization
-
CVE-2025-69599
CRITICAL
CVSS 9.8
RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because the ability of an attacker to control the environment is a site-specific misconfiguration.
Information Disclosure
N/A
-
CVE-2025-67887
CRITICAL
CVSS 9.8
1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged u...
PHP
RCE
Code Injection
N/A
-
CVE-2026-44900
HIGH
CVSS 8.1
ECDSA signature verification bypass in Oviva epa4all-client allows adjacent network attackers to impersonate trusted VAU endpoints without authentication. The SignedPublicKeysTrustValidatorImpl.isTrusted() method discards the boolean return value of Signature.verify() at line 45, accepting any structurally valid signature regardless of cryptographic validity. Vendor-released patch confirmed in version 1.2.1 (PR #34). No public exploit identified at time of analysis, but CVSS 8.1 with adjacent network vector (AV:A) and low complexity (AC:L) indicates straightforward exploitation once attacker is on the same network segment. EPSS data not available.
Information Disclosure
-
CVE-2026-44843
HIGH
CVSS 8.2
LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call `load()` with `allowed_objects="all"`. This does not enable arbitrary Python object deserialization, but it does a...
Python
Deserialization
-
CVE-2026-44832
HIGH
CVSS 7.1
### Impact
An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all othe...
Privilege Escalation
-
CVE-2026-44728
HIGH
CVSS 8.2
### Impact
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.
Known affected plugins are:
- `@babel/plugin-transform-modules-systemjs`
- `@babel/preset-env` when using the [`modules: "systemjs"` option](htt...
RCE
Code Injection
-
CVE-2026-44721
HIGH
CVSS 7.3
Stored cross-site scripting in Open WebUI versions 0.3.5 through 0.8.12 allows authenticated users with model creation permission to inject malicious JavaScript via markdown-link payloads in model descriptions. Attackers craft markdown links with javascript: URIs (e.g., [text](javascript:alert())) that bypass sanitization, are parsed into executable anchor tags by marked.parse(), and rendered unsafely via Svelte's {@html} directive. Successful exploitation enables session token theft from localStorage and full account takeover of admins and other users who view the malicious model in the chat UI. This represents a pipeline-ordering flaw distinct from CVE-2024-7990, which exploited a video-tag restoration logic removed in v0.4.0. Fix confirmed in v0.9.0 (commit 5eab125) via DOMPurify post-processing. EPSS data not provided; CVSS 7.3 reflects network attack vector with low complexity but required authentication and user interaction, limiting automated exploitation.
XSS
RCE
Python
-
CVE-2026-44714
HIGH
CVSS 7.5
Signature verification bypass in bitcoinj-core library allows attackers to forge Bitcoin transaction validations by exploiting fast-path optimization flaws in P2PKH and P2WPKH script execution. Versions 0.15 through 0.17.0 fail to verify that attacker-supplied public keys match the hash committed to in transaction outputs, enabling arbitrary keypairs to satisfy local transaction validation checks. While this does not affect SPV (Simple Payment Verification) nodes that follow proof-of-work without signature verification, applications using the correctlySpends() method for transaction validation or pre-signing checks are vulnerable to accepting fraudulent transactions. Vendor-released patch available in version 0.17.1, fixes confirmed in GitHub commits 2bc5653c and b575a682. No active exploitation confirmed (not in CISA KEV); EPSS data unavailable.
RCE
Java
Jwt Attack
-
CVE-2026-44700
HIGH
CVSS 8.7
ex_webrtc library for Erlang/Elixir fails to validate DTLS peer certificate fingerprints when operating in client (active) role during WebRTC handshakes, breaking mutual authentication. Versions prior to 0.15.1 and 0.16.1 are affected. While not independently exploitable against standard browser peers over secure signaling, this flaw enables man-in-the-middle attacks when combined with insecure signaling channels (HTTP/plain WebSocket), compromised signaling servers, or non-compliant peer implementations. Vendor-released patches (0.15.1, 0.16.1) available with no workarounds. No public exploit identified at time of analysis, but the high CVSS score (8.7, AV:N/AC:L/PR:N/UI:N) reflects the network attack vector and low complexity when prerequisites are met.
Information Disclosure
-
CVE-2026-44694
HIGH
CVSS 7.2
Server-side request forgery in n8n-mcp versions 2.18.7 through 2.50.1 allows authenticated attackers with MCP session access to bypass SSRF protections and send HTTP requests to cloud metadata endpoints and internal services, with response bodies returned directly to the attacker. Multi-tenant HTTP deployments are critically exposed: any tenant sharing an AUTH_TOKEN can exfiltrate AWS IAM, GCP service account, or Azure managed identity credentials from the operator's cloud metadata service (169.254.169.254 and related endpoints). Single-tenant and stdio deployments remain vulnerable via indirect prompt injection attacks that manipulate LLM tool calls. Vendor-released patch: n8n-mcp version 2.50.2. No CVSS score assigned; no public exploit code identified at time of analysis, though the advisory contains sufficient technical detail for proof-of-concept development.
Google
SSRF
Microsoft
-
CVE-2026-44680
HIGH
CVSS 7.6
SQL injection in MikroORM versions ≤7.0.13 (v7) and ≤6.6.13 (v6) allows authenticated attackers to execute arbitrary SQL queries by injecting malicious characters into schema names, JSON property filters, or query builder keys. The vulnerability stems from improper escaping of dialect-specific quote characters in identifier-quoting and JSON-path functions. Multi-tenant applications are at heightened risk of cross-tenant data leakage. Vendor-released patches are available: upgrade to 7.0.14 (v7) or 6.6.14 (v6). No public exploit identified at time of analysis, though the vulnerability was discovered during internal security review by the project maintainer.
Privilege Escalation
SQLi
PostgreSQL
-
CVE-2026-44671
HIGH
CVSS 7.5
LDAP Filter Injection in Zitadel's identity provider implementation allows unauthenticated remote attackers to enumerate valid usernames and extract sensitive LDAP directory attributes through blind injection techniques. The vulnerability exists in Zitadel versions 2.71.11-2.71.19, 3.1.0-3.4.9, and 4.0.0-4.14.0 when LDAP is configured as an identity provider. Exploitation requires no authentication (CVSS PR:N) and has network attack vector (AV:N) with low complexity (AC:L), resulting in high confidentiality impact (C:H) but no authentication bypass capability. Vendor-released patches are available for 3.x (3.4.10) and 4.x (4.15.0) branches. No public exploit identified at time of analysis, though the attack technique is well-documented in security research.
Authentication Bypass
Information Disclosure
LDAP
Code Injection
-
CVE-2026-44567
HIGH
CVSS 7.3
# **CONFIDENTIAL**
# Vulnerability Disclosure Analysis Documentation
---
## Vulnerability Details
| # | Field | Value |
|---|-------|-------|
| 1 | **Discoverer** | Taylor Pennington of KoreLogic, Inc. |
| 2 | **Date Submitted** | June 11, 2024 |
| 3 | **Title** | Open WebUI Improper Authorizati...
Authentication Bypass
Python
Debian
-
CVE-2026-44566
HIGH
CVSS 7.3
# **CONFIDENTIAL**
# KL-CAN-2024-002
## Vulnerability Details
| # | Field | Value |
|---|-------|-------|
| 1 | **Discoverer** | Jaggar Henry & Sean Segreti of KoreLogic, Inc. |
| 2 | **Date Submitted** | 2024.03.12 |
| 3 | **Title** | Open WebUI Arbitrary File Upload + Path Traversal |
| 5 | **A...
Python
Path Traversal
Debian
File Upload
-
CVE-2026-44556
HIGH
CVSS 7.1
Open WebUI versions through 0.8.12 allow any authenticated user to bypass model access controls and interact with restricted LLM models via the /api/openai/responses endpoint. The vulnerability permits low-privilege users to consume expensive models (GPT-4o, o1-pro) restricted by administrators, enabling budget exhaustion and denial of service against legitimate users in multi-tenant deployments. Publicly available exploit code exists via GitHub PR #23481. Vendor-released patch available in version 0.9.0. CVSS 7.1 (High) reflects network-accessible attack with low complexity requiring only basic authentication, yielding high availability impact and low confidentiality impact.
Authentication Bypass
Denial Of Service
-
CVE-2026-44555
HIGH
CVSS 7.6
Authenticated users can bypass model access controls in Open WebUI ≤0.8.12 to invoke restricted AI models via chained base_model_id references. Any user with default model creation permissions can create a wrapper model referencing a restricted base model (e.g., gpt-4-turbo with admin-only access), then query it to consume the admin's API credits and access premium model capabilities. This vulnerability enables cost escalation on pay-per-token backends (OpenAI, Anthropic, Azure) and defeats tiered access policies. GitHub advisory confirmed; patched in version 0.9.0. No active exploitation confirmed per available intelligence, but the attack path is straightforward for authenticated users with standard permissions.
Authentication Bypass
Python
Microsoft
-
CVE-2026-44554
HIGH
CVSS 8.1
Open WebUI through version 0.8.12 allows authenticated attackers to destroy or poison any user's knowledge base via unauthorized collection overwrite operations. The `/api/v1/retrieval/process/web` endpoint fails to verify collection ownership before performing delete-and-replace operations on vector database collections. This enables attackers to permanently delete victim knowledge bases and inject malicious content that influences LLM responses through RAG poisoning. No public exploit identified at time of analysis, but proof-of-concept code is documented in the GitHub advisory GHSA-7r82-qhg4-6wvj. Vendor-released patch: version 0.9.0.
Authentication Bypass
Python
-
CVE-2026-44553
HIGH
CVSS 8.1
Privilege escalation in Open WebUI ≤0.8.12 allows demoted administrators to retain elevated access to collaborative documents via stale Socket.IO sessions. When an admin user is demoted or deleted, their active WebSocket connection preserves cached admin privileges indefinitely through heartbeat mechanisms, enabling unauthorized read/write access to any user's notes. Official patch released in version 0.9.0 addresses the session invalidation gap. CVSS 8.1 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.
Authentication Bypass
Python
Session Fixation
-
CVE-2026-44552
HIGH
CVSS 8.7
Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into a shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads (containing chat content, user identity, and OAuth tokens) to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.
Python
Information Disclosure
Redis
-
CVE-2026-44549
HIGH
CVSS 7.3
### Summary
Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the [sheetjs](https://git.sheetjs.com/sheetjs/sheetjs) function [sheet_to_html](https://git.sheetjs.com/sheetjs/sheetjs/src/commit/66cf8d2117d271f89e4f47b5fed35a3e1ea93f67/bits/79_html...
XSS
Python
-
CVE-2026-44499
HIGH
CVSS 8.7
Remote denial-of-service in Zebra (Zcash node implementation) versions prior to 4.4.0 allows unauthenticated attackers to permanently halt block synchronization via a single TCP connection. The attack exploits three independent weaknesses in gossip, syncer, and download subsystems to create an irreversible block discovery deficit. Vendor patch available in version 4.4.0. EPSS data unavailable; no CISA KEV listing or public exploit code identified at time of analysis, but the technical barrier appears low given network attack vector with no authentication or complexity requirements (CVSS 4.0: AV:N/AC:L/PR:N).
Denial Of Service
-
CVE-2026-44400
HIGH
CVSS 8.7
MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMai...
Authentication Bypass
-
CVE-2026-44340
HIGH
CVSS 8.7
Path traversal via symlink exploitation in PraisonAI multi-agent teams system allows remote unauthenticated attackers to write arbitrary files outside intended directories during recipe operations (pull/publish/unpack). The _safe_extractall helper validates archive member names but fails to validate symlink targets (linkname attribute), enabling attackers to craft malicious tar bundles containing symlinks pointing outside extraction directories followed by files traversing through those symlinks. Affects versions prior to 4.6.37. EPSS data unavailable, no CISA KEV listing, and no public POC identified at time of analysis, suggesting limited observed exploitation despite network-accessible attack vector.
Path Traversal
-
CVE-2026-44339
HIGH
CVSS 8.6
Remote attackers can invoke arbitrary application callables in PraisonAI multi-agent systems by manipulating tool-call names to bypass tool declaration controls. Vulnerable versions (praisonai <4.6.37, praisonaiagents <1.6.37) resolve unmatched tool names against module globals and __main__ namespaces without permission validation when _perm_allow is None (default configuration). This enables unauthorized function execution beyond the intended tool list, allowing integrity compromise and potential information disclosure. Patched versions 4.6.37 and 1.6.37 address the tool name resolution vulnerability.
Information Disclosure
-
CVE-2026-44338
HIGH
CVSS 7.3
Remote unauthenticated access to PraisonAI's legacy Flask API server allows attackers to execute configured agent workflows without authentication. Versions 2.5.6 through 4.6.33 ship with authentication disabled by default on the Flask server, enabling any network-accessible caller to trigger agents.yaml workflows via the /chat endpoint and access agent configurations through /agents. Patch released in version 4.6.34. CVSS 7.3 with network vector and no privileges required (AV:N/AC:L/PR:N/UI:N) indicates this is remotely exploitable against default configurations, though impact is limited to low confidentiality, integrity, and availability (C:L/I:L/A:L).
Authentication Bypass
Python
-
CVE-2026-44328
HIGH
CVSS 8.2
### Summary
free5GC's SMF mounts the `UPI` management route group without inbound OAuth2 middleware (same root cause as the broader UPI auth gap reported in free5gc/free5gc#887). On top of that, the `DELETE /upi/v1/upNodesLinks/{upNodeRef}` handler unconditionally dereferences `upNode.UPF` after the...
Authentication Bypass
Denial Of Service
Docker
-
CVE-2026-44325
HIGH
CVSS 7.5
### Summary
free5GC's NRF root SBI endpoint `POST /oauth2/token` contains a parser-level type-confusion bug family. The handler in `NFs/nrf/internal/sbi/api_accesstoken.go` reflects over `models.NrfAccessTokenAccessTokenReq`, special-cases only plain `string` and `NrfNfManagementNfType` fields, and ...
Denial Of Service
Docker
-
CVE-2026-44322
HIGH
CVSS 7.5
### Summary
free5GC's NEF `PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}` handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns `err != nil` together with a nil `*ProblemDetails`. The handler's `errPfdData !...
Denial Of Service
Docker
Null Pointer Dereference
-
CVE-2026-44321
HIGH
CVSS 7.5
### Summary
free5GC's SMF mounts the `UPI` management route group without inbound OAuth2 middleware (same root cause as free5gc/free5gc#887). The `POST /upi/v1/upNodesLinks` create-or-update handler accepts attacker-controlled JSON and passes it directly into `UpNodesFromConfiguration()`, which call...
Authentication Bypass
Docker
-
CVE-2026-44320
HIGH
CVSS 7.3
### Summary
free5GC's NEF mounts the `nnef-callback` route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. `Authorization: Bearer not-a-real-token`) is enough to reach the SMF-callback handler; the callback body is parsed and dispatched into NEF bu...
Authentication Bypass
Docker
-
CVE-2026-44319
HIGH
CVSS 7.5
### Summary
free5GC's NEF terminates the entire process when a stored PFD-subscription `notifyUri` cannot be reached. In `PfdChangeNotifier.FlushNotifications()`, the notifier calls `NnefPFDmanagementNotify(...)` and on any delivery error invokes `logger.PFDManageLog.Fatal(err)`, which is `os.Exit(1...
Denial Of Service
Docker
-
CVE-2026-44316
HIGH
CVSS 7.5
### Summary
free5GC's PCF `POST /npcf-smpolicycontrol/v1/sm-policies` handler (`HandleCreateSmPolicyRequest`) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns `404 Not Found` and the consumer wrapper returns `err != nil` together with a nil response ...
Denial Of Service
Docker
Null Pointer Dereference
-
CVE-2026-44209
HIGH
CVSS 7.5
## Summary
`banks <= 2.4.1` uses `jinja2.Environment()` (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to `Prompt()` are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host sy...
RCE
Python
Ssti
-
CVE-2026-44129
HIGH
CVSS 8.3
Remote code execution in SEPPmail Secure Email Gateway versions before 15.0.4 allows unauthenticated attackers to execute arbitrary template expressions through a server-side template injection flaw in the GINA UI endpoint. The vulnerability requires no authentication and has low attack complexity, but depends on specific template plugin configurations (CVSS 4.0: 8.3 High with AT:P indicating present attack conditions). No public exploit code or active exploitation confirmed at time of analysis. EPSS data not available.
RCE
Ssti
-
CVE-2026-44127
HIGH
CVSS 8.8
Remote unauthenticated attackers can read arbitrary local files and trigger deletion of targeted files in SEPPmail Secure Email Gateway versions before 15.0.4 through path traversal in the /api.app/attachment/preview endpoint. The vulnerability allows exploitation without authentication or user interaction (CVSS:4.0 AV:N/AC:L/PR:N/UI:N), enabling attackers to exfiltrate sensitive configuration files, credentials, or email data, and selectively delete files with api.app process privileges. No active exploitation confirmed by CISA KEV at time of analysis, though the unauthenticated remote attack vector and file manipulation capabilities represent elevated risk for exposed email gateway appliances. Swiss NCSC disclosure suggests vendor-coordinated remediation.
Path Traversal
-
CVE-2026-43967
HIGH
CVSS 8.7
Unauthenticated denial of service in absinthe-graphql versions 1.2.0 through 1.10.1 allows remote attackers to exhaust CPU resources via quadratic-complexity validation. Attackers submit GraphQL documents with tens of thousands of fragment definitions (~60,000 fragments in a 1 MB payload), triggering O(N²) comparisons during fragment-name uniqueness validation - approximately 3.6 billion comparisons per request. No authentication, schema knowledge, or special server configuration is required. Patch available in version 1.10.2 via GitHub commit 223600c (replaces nested loop with single-pass frequency map).
Denial Of Service
-
CVE-2026-43943
HIGH
CVSS 7.8
Command injection in electerm's SFTP file editor feature allows arbitrary code execution when users edit files with maliciously crafted filenames. The vulnerability affects versions prior to 3.7.9 and can be exploited by attackers controlling SSH servers or the victim's operating system to inject shell metacharacters into filenames. When victims attempt to edit these files using 'open with system editor' or custom editor features, unsanitized filenames are passed directly to command execution functions, triggering injected commands with user privileges. GitHub security advisory GHSA-q4p8-8j9m-8hxj confirms the vulnerability, with exploit code demonstrable through the proof-of-concept filename in unit tests. EPSS data not available, not listed in CISA KEV. Vendor-released patch available in version 3.7.9.
RCE
Command Injection
-
CVE-2026-43940
HIGH
CVSS 8.4
Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker achieves JavaScript execution in the renderer process. Affects all versions prior to 3.7.16. The vulnerability enables filesystem-wide arbitrary JavaScript file loading and execution through unsanitized path concatenation in runWidget function, bypassing Electron's process isolation. Vendor-released patch available in version 3.7.16. EPSS data not available; no confirmed active exploitation (not in CISA KEV).
RCE
Path Traversal
-
CVE-2026-43469
HIGH
CVSS 7.5
Denial of service in Linux kernel's xprtrdma subsystem causes system hang when memory allocation fails during RDMA receive buffer posting. Affects NFS over RDMA (RoCE/InfiniBand) deployments running kernel versions 5.13 through 6.19.8, 6.18.18 and earlier, 6.12.77 and earlier, 6.6.129 and earlier, 6.1.166 and earlier, and 5.15.202 and earlier. Systems under high memory pressure can trigger hung tasks in the xprtiod workqueue, requiring reboot to recover. EPSS score of 0.02% suggests low widespread exploitation likelihood. Vendor patches available across all affected stable kernel branches.
Information Disclosure
Linux
-
CVE-2026-43466
HIGH
CVSS 8.2
DMA memory corruption in Linux kernel mlx5e driver allows denial-of-service and potential data integrity violations when recovering from TX error completion queue entries. The vulnerability affects mlx5 Ethernet driver users from kernel 4.17 onwards, causing desynchronization between DMA FIFO producer/consumer counters during error recovery, leading to unmapping of stale DMA addresses and IOMMU warnings. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no public exploit identified at time of analysis. Vendor-released patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Information Disclosure
Linux
-
CVE-2026-43464
HIGH
CVSS 7.5
Memory corruption in Linux kernel's mlx5 network driver causes denial of service when XDP multi-buffer programs modify packet layout. The flaw specifically affects the mlx5e receive queue fragment tracking logic: when XDP programs call bpf_xdp_pull_data() or bpf_xdp_adjust_tail() to modify buffer layout, the driver fails to properly count dropped fragments, leading to negative page pool reference counts, kernel warnings, and potential system instability. Exploitation requires sending crafted network packets to systems using mlx5 NICs with XDP multi-buffer programs loaded. EPSS score of 0.02% indicates low exploitation probability. Vendor patches available for kernel versions 6.18.19, 6.19.9, and 7.0.
Information Disclosure
Linux
-
CVE-2026-43462
HIGH
CVSS 7.5
DMA mapping resource leaks in the Linux kernel's spacemit Ethernet MAC driver (emac_tx_mem_map function) allow remote attackers to trigger denial of service through network traffic that causes mapping errors, progressively exhausting kernel memory resources. The vulnerability affects Linux kernel versions 6.18.x through 6.19.9, with vendor patches available for stable branches 6.18.19, 6.19.9, and 7.0. EPSS exploitation probability is very low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis.
Information Disclosure
Linux
-
CVE-2026-43461
HIGH
CVSS 7.8
Memory corruption in Linux kernel's Amlogic SPI Flash Controller A4 driver allows local authenticated attackers with low privileges to escalate privileges, corrupt memory, or cause denial of service through improper DMA mapping error handling. The vulnerability stems from three distinct bugs in aml_sfc_dma_buffer_setup() that can trigger double-unmapping and incorrect DMA synchronization. EPSS score of 0.02% (4th percentile) indicates low exploitation likelihood in the wild. Vendor patches are available for affected kernel versions 6.18.x and 6.19.x, with fixes backported to stable branches.
Information Disclosure
Linux
-
CVE-2026-43460
HIGH
CVSS 7.8
Local privilege escalation potential in the Linux kernel's Rockchip Serial Flash Controller (SFC) SPI driver arises from a double-free in the remove() callback path, where the driver calls spi_unregister_controller() manually despite already using the devm-managed registration helper. The flaw affects systems using the rockchip-sfc driver and is not currently in CISA KEV, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 4th percentile), but CVSS 7.8 reflects high local impact if triggered.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43459
HIGH
CVSS 7.3
Use-after-free in Linux kernel ASoC (ALSA System on Chip) subsystem allows local authenticated users with open audio streams to trigger memory corruption during sound card unbind operations. The flaw occurs when PCM stream closure schedules delayed DAPM (Dynamic Audio Power Management) work after widgets are freed, enabling potential privilege escalation or denial of service. EPSS score of 0.02% indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public POC identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-43458
HIGH
CVSS 7.8
Local privilege escalation in the Linux kernel's CAIF serial driver allows attackers with local access to trigger a use-after-free condition in pty_write_room() via the caif_serial line discipline. The flaw stems from missing reference counting on tty->link, enabling memory corruption that can lead to arbitrary kernel code execution with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, with an EPSS score of 0.02% (7th percentile) indicating low likelihood of widespread exploitation.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43456
HIGH
CVSS 7.8
Type confusion in the Linux kernel bonding driver allows local authenticated users to trigger kernel crashes and potentially escalate privileges when non-Ethernet devices (such as GRE tunnels) are enslaved to a bond interface. The vulnerability stems from bond_setup_by_slave() blindly copying header_ops from slave devices without accounting for device-specific private data structures, causing netdev_priv() in functions like ipgre_header() to access incorrect memory layouts. Vendor patches are available for kernel versions 6.12.78, 6.18.19, 6.19.9, and 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit identified at time of analysis.
Denial Of Service
Linux
-
CVE-2026-43454
HIGH
CVSS 7.8
Privilege escalation in Linux kernel netfilter subsystem allows local authenticated users to achieve high-impact compromise via duplicate netdev hook registration. The vulnerability affects kernel versions 6.16 through early 7.0 releases, with vendor patches available for stable branches 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (4th percentile) suggests low observed exploitation likelihood despite CVSS 7.8 severity. No active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.
Information Disclosure
Linux
-
CVE-2026-43453
HIGH
CVSS 7.1
Stack out-of-bounds read in the Linux kernel's netfilter nft_set_pipapo subsystem allows local low-privileged attackers to read 4 bytes past the end of a stack-allocated rulemap array via pipapo_drop(). The flaw was confirmed by KASAN and affects kernels from 5.6 onward until the fixed stable releases. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 7th percentile), but the CVSS 7.1 score reflects the potential for kernel memory disclosure and availability impact.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43452
HIGH
CVSS 8.2
Out-of-bounds read in Linux kernel netfilter x_tables module allows remote attackers to disclose kernel memory and potentially cause denial of service. The xt_tcpudp and xt_dccp option walkers fail to validate boundaries when processing the last byte of TCP/UDP/DCCP options, triggering a 1-byte buffer over-read. CVSS 8.2 with network attack vector and no authentication required indicates high exploitability, though EPSS score of 0.02% (7th percentile) suggests minimal observed exploitation attempts. Patches available across all active kernel stable branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public exploit code identified at time of analysis.
Information Disclosure
Linux
-
CVE-2026-43450
HIGH
CVSS 7.1
Out-of-bounds read in the Linux kernel's netfilter nfnetlink_cthelper subsystem allows a local attacker with CAP_NET_ADMIN to trigger an 8-byte OOB read in nfnl_cthelper_dump_table() by racing helper deletion against a netlink dump operation. The flaw stems from a misplaced 'goto restart' that bypasses the for-loop bounds check when cb->args[0] equals nf_ct_helper_hsize, as detected by KASAN. EPSS is 0.02% and no public exploit identified at time of analysis, though a detailed reproducer call trace exists in the commit message.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43449
HIGH
CVSS 7.1
Out-of-bounds read in the Linux kernel's NVMe PCI driver (nvme_dbbuf_set) allows a local attacker to trigger a slab-out-of-bounds memory access during NVMe controller reset, potentially leading to denial of service or information disclosure. The flaw stems from an incorrect loop bound that iterates past dev->online_queues, reading from kmalloc-2k slab memory belonging to adjacent allocations. No public exploit identified at time of analysis, and the EPSS score of 0.02% reflects a low probability of opportunistic exploitation.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43447
HIGH
CVSS 7.8
Use-after-free in the Linux kernel iavf driver allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system. The vulnerability affects the Intel Ethernet Adaptive Virtual Function (iavf) driver's PTP implementation, where a worker thread continues accessing freed memory during network adapter reset or disable operations. Patch available from kernel.org upstream commits across multiple stable branches (6.18.19, 6.19.9, 7.0+). EPSS score of 0.02% (4th percentile) indicates low observed exploitation likelihood, and the absence of a CISA KEV listing is consistent with this remaining a theoretical risk that requires local access with low privileges.
Denial Of Service
Linux
Use After Free
Memory Corruption
-
CVE-2026-43442
HIGH
CVSS 7.1
Local unprivileged users can trigger out-of-bounds memory reads in Linux kernel's io_uring subsystem (versions 6.19+) via crafted SQE array mappings when IORING_SETUP_SQE_MIXED is enabled without NO_SQARRAY. By manipulating sq_array indices to point to the last physical SQE slot and submitting 128-byte operations, attackers cause a 64-byte buffer over-read during memcpy operations, potentially leaking sensitive kernel memory. Vendor patches available for affected 6.19.x branches. EPSS score of 0.02% indicates very low observed exploitation probability; no CISA KEV listing or public exploit identified at time of analysis.
Information Disclosure
Linux
-
CVE-2026-43441
HIGH
CVSS 7.5
Null pointer dereference in Linux kernel bonding driver crashes systems running with IPv6 disabled (ipv6.disable=1) when IPv6 Neighbor Solicitation packets arrive on bonded interfaces with ARP/NS validation enabled. Affects Linux kernel versions 5.18+ up to 6.19.9/7.0, with vendor patches available across stable branches (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile) and no active exploitation or public POC has been identified, but the high CVSS 7.5 reflects trivial remote triggering (AV:N/AC:L/PR:N) for denial-of-service in affected configurations.
Denial Of Service
Linux
Null Pointer Dereference
-
CVE-2026-43440
HIGH
CVSS 7.8
Local privilege escalation potential in the Linux kernel's Microsoft Azure Network Adapter (mana) driver allows a low-privileged local user to trigger a use-after-free via a double destroy_workqueue() call on the gc->service_wq pointer when mana_gd_setup() fails. The flaw, fixed in the 6.18.x and 6.19.x stable trees, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but carries a CVSS of 7.8 due to high confidentiality, integrity, and availability impact within the kernel.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43438
HIGH
CVSS 7.8
Reference count underflow in Linux kernel sched_ext subsystem enables local privilege escalation to execute arbitrary code with kernel privileges. The flaw affects kernel versions 6.12 through 6.19.x (prior to patched releases 6.12.78, 6.18.19, 6.19.9, 7.0), scoring CVSS 7.8 with local attack vector requiring low privileges. Vendor patches available via stable kernel updates. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit code or active exploitation confirmed at time of analysis, though the Use-After-Free primitive could enable kernel memory corruption attacks.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-43437
HIGH
CVSS 7.8
Use-after-free in Linux kernel ALSA PCM subsystem allows local authenticated users to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in snd_pcm_drain() when a linked stream's runtime structure is freed via concurrent close() while still being dereferenced, enabling information disclosure, system crashes, or privilege escalation. With EPSS at 0.02% (7th percentile) and CVSS 7.8, this represents elevated theoretical risk but shows no evidence of active exploitation or public POC at time of analysis. Vendor patches are available across multiple stable kernel branches (5.10.253, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-43434
HIGH
CVSS 7.8
Local privilege escalation in Linux kernel's Rust Binder allows authenticated users to write to normally read-only binder pages, potentially leading to memory corruption and arbitrary code execution. The vulnerability stems from improper VMA (Virtual Memory Area) ownership validation during page installation: if a VMA is closed and replaced at the same address, Rust Binder may install pages into the wrong VMA, converting read-only pages to writable. Affects Linux kernel 6.18+ with Rust Binder enabled. EPSS score of 0.02% suggests low observed exploitation probability. Vendor patches available (6.18.19, 6.19.9, 7.0) via kernel.org stable tree commits.
Information Disclosure
Linux
Red Hat
-
CVE-2026-43433
HIGH
CVSS 7.8
Time-of-check-to-time-of-use (TOCTOU) race condition in Linux kernel's rust_binder implementation allows local authenticated attackers with low privileges to escalate privileges. The flaw exists in transaction offset array handling where values copied to a target process's read-only VMA are read back without protection against concurrent modification. If an attacker can write to their own supposedly read-only VMA through a separate vulnerability, they can modify offsets between write and read operations, causing the kernel to misinterpret transaction data and potentially enabling privilege escalation into the sending process. Patch available in kernel versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% suggests limited real-world exploitation likelihood despite CVSS 7.8 severity.
Privilege Escalation
Linux
Red Hat
Suse
-
CVE-2026-43427
HIGH
CVSS 7.1
Out-of-bounds read in the Linux kernel's USB CDC-WDM (Communication Device Class - Wireless Device Management) driver allows a local low-privileged attacker to disclose uninitialized kernel memory and potentially crash the host through a memory-ordering race between desc->length updates and a memmove() in the read path. The flaw stems from compiler reordering or CPU out-of-order execution that can cause wdm_read() to observe an updated length before the corresponding data is fully copied, leading copy_to_user() to operate on uninitialized memory. EPSS is very low (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43426
HIGH
CVSS 7.8
Use-after-free in the Linux kernel's Renesas USB host (renesas_usbhs) driver allows a local low-privileged attacker to potentially corrupt memory or escalate privileges during device removal. The flaw stems from the interrupt handler remaining registered while driver resources, including the pipe array, are freed in usbhs_remove(), creating a race window where the ISR can dereference freed memory. EPSS is very low (0.02%, 7th percentile) and no public exploit has been identified at time of analysis, but the kernel-level memory corruption impact (CVSS 7.8) makes it a meaningful local risk on affected Renesas USB hardware.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43408
HIGH
CVSS 7.8
Memory corruption in the Linux kernel's Ceph filesystem client allows local authenticated users to trigger kernel crashes and potentially escalate privileges. The vulnerability stems from missing zero-initialization of ceph_path_info structures before passing them to ceph_mdsc_build_path(), causing subsequent ceph_mdsc_free_path_info() calls to attempt freeing uninitialized or corrupted memory pointers. Multiple code paths in ceph_open() and related functions are affected, introduced by commit 15f519e9f883. Patches are available for kernel versions 6.12.78, 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation, with no public exploit code or CISA KEV listing at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
-
CVE-2026-43405
HIGH
CVSS 7.5
Integer signedness vulnerability in Linux kernel's Ceph networking library (libceph) allows remote attackers to trigger denial of service via crafted monitor map messages. The flaw enables bypassing memory allocation limits by exploiting signed/unsigned integer confusion in ceph_monmap_decode(), causing excessive memory allocation attempts that crash the system. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and 0.02% EPSS score, this represents a network-reachable DoS vector against systems using Ceph storage, though low exploitation probability suggests limited attacker interest. Patches available across all maintained kernel branches (5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Information Disclosure
Linux
-
CVE-2026-43403
HIGH
CVSS 8.8
Namespace iteration ioctl permission bypass in Linux kernel allows local privileged users to enumerate namespaces of other privileged services, potentially leaking cross-service information. Affects kernel 6.12 through 6.19.x with patches available in 6.12.78, 6.18.20, 6.19.9, and mainline 7.0. The vulnerability has low EPSS (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches deployed across stable kernel branches address the issue by enforcing stricter namespace visibility policies via the may_see_all_namespaces() helper.
Information Disclosure
Linux
-
CVE-2026-43391
HIGH
CVSS 8.8
Insufficient permission checks in Linux kernel nsfs (namespace filesystem) allow low-privileged local users to access other processes' namespaces, potentially escalating privileges across namespace boundaries and leaking sensitive information between isolated services. The vulnerability affects kernel versions before 6.19.9 and 7.0, with patches available in stable branches d2324a9317f0 and 1797ee11451f. EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, and no active exploitation or public POC has been identified in CISA KEV or public sources. The CVSS 8.8 (High) rating reflects a scope change (S:C), indicating privilege escalation across security boundaries, a critical concern for containerized environments where namespace isolation is foundational to multi-tenant security.
Information Disclosure
Linux
-
CVE-2026-43385
HIGH
CVSS 7.5
RCU tasks grace period stalls cause denial of service in Linux kernel's threaded NAPI busypoll implementation (6.19+). When threaded busypoll is enabled on network interfaces, the napi_threaded_poll_loop function resets its quiescent state tracking (last_qs) on every invocation, preventing rcu_softirq_qs_periodic from reporting grace period completion. This triggers kernel stalls lasting hundreds of seconds (400,000+ jiffies observed), causing tools like bpftrace to hang indefinitely and impacting system stability. Vendor patches available for 6.19.9 and 7.0. EPSS score of 0.02% suggests very low active exploitation likelihood, consistent with this being a kernel-internal RCU mechanism issue affecting specific network polling configurations rather than a remotely triggerable network attack surface.
Information Disclosure
Linux
-
CVE-2026-43380
HIGH
CVSS 7.8
Stack buffer overflow in the Linux kernel's pmbus/q54sj108a2 hwmon driver allows local privileged users to corrupt kernel stack memory by reading from a specific debugfs entry. The flaw stems from a misuse of bin2hex() that writes 64 bytes of hex-encoded output into a 34-byte stack buffer, overflowing it by 30 bytes; no public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.03% (9th percentile).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43377
HIGH
CVSS 8.1
Linux kernel's ksmbd server exposes SMB3 session, signing, encryption, and decryption keys in debug logs when KSMBD_DEBUG_AUTH is enabled. Authenticated network attackers with access to system logs can retrieve these cryptographic keys to compromise SMB3 session confidentiality and integrity. EPSS probability is very low (0.01%, 3rd percentile) and no active exploitation is documented. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9, 7.0).
Information Disclosure
Linux
-
CVE-2026-43374
HIGH
CVSS 7.8
Use-after-free in Linux kernel nexthop routing code allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs when removing a nexthop from a routing group, where percpu statistics memory is freed before the RCU grace period completes, allowing concurrent readers to access freed memory. Vendor patches available for stable kernel branches 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). CVSS 7.8 reflects local attack vector requiring authenticated access.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-43373
HIGH
CVSS 7.5
Memory exhaustion in Linux kernel NCSI protocol handler allows remote denial of service through resource depletion. The Network Controller Sideband Interface (NCSI) receive and Asynchronous Event Notification (AEN) handlers fail to free socket buffers (skbs) in error paths, enabling network attackers to exhaust kernel memory by sending malformed NCSI packets or triggering device resolution failures. CVSS 7.5 (High severity) reflects unauthenticated network exploitation, though low EPSS score (0.02%, 7th percentile) suggests minimal observed exploitation. Vendor patches available across all active kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Information Disclosure
Linux
-
CVE-2026-43370
HIGH
CVSS 7.8
Use-after-free race condition in Linux kernel amdgpu driver allows local authenticated users to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The flaw occurs when parent and child processes sharing a drm_file both attempt to acquire the same virtual memory context after fork(), due to non-atomic vm->process_info assignment. Patches released across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% (7th percentile) indicates very low predicted exploitation probability despite CVSS 7.8 severity, and no active exploitation or public POC identified.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-43368
HIGH
CVSS 7.8
Integer overflow in Linux kernel's i915 graphics driver corrupts memory mapping for DRM/GEM shmem objects larger than 4GB, causing kernel warnings, potential crashes, and incorrect memory access when Intel graphics hardware processes large buffer objects. The vulnerability manifests when scatterlist length fields overflow during folio page allocation, leading to premature termination of backing page iteration. Patch available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) per upstream commits. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Buffer Overflow
Linux
Intel
-
CVE-2026-43366
HIGH
CVSS 7.8
Local privilege escalation in Linux kernel io_uring subsystem allows authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact through improper buffer list type validation during recycling operations. The vulnerability stems from a race condition where buffer lists can be upgraded from legacy to ring-provided type between acquisition and recycling when requests are forced through io-wq, potentially leading to type confusion and memory corruption. Patches available across multiple kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) with upstream commits confirmed. EPSS score is very low (0.02%, 7th percentile) indicating minimal observed exploitation probability despite high CVSS 7.8 rating. No KEV listing or public exploit identified at time of analysis.
Information Disclosure
Linux
-
CVE-2026-43365
HIGH
CVSS 8.2
Log corruption in Linux kernel XFS filesystem leads to mount failures and potential data integrity loss when the superblock lacks a log stripe unit configuration. Systems with 4k physical sector disks are vulnerable to torn writes and CRC failures that prevent filesystem mounting. Vendor-released patches available across multiple stable kernel branches (5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% suggests low exploitation probability. No active exploitation confirmed (not in CISA KEV). CVSS 8.2 reflects a network attack vector, but the description indicates a local filesystem operation; this attack-vector discrepancy requires verification.
Information Disclosure
Linux
Microsoft
-
CVE-2026-43362
HIGH
CVSS 8.1
In-place encryption in the Linux kernel's SMB client corrupts write payloads during retry attempts, potentially causing data integrity loss and denial of service when SMB connections experience transient failures. The flaw affects SMB3 encrypted writes where the encryption process modifies the original buffer in place; on replayable errors (like network interruptions), retries re-send already-encrypted data as if it were plaintext, resulting in double-encryption and corrupted writes. This particularly impacts special file operations (SFU mknod, MF symlinks) and sync writes on pre-6.10 kernels. Patches are available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score is very low (0.01%), indicating minimal observed exploitation likelihood, and no active exploitation or public POC is documented.
Buffer Overflow
Linux
Memory Corruption
-
CVE-2026-43353
HIGH
CVSS 7.8
Race condition in Linux kernel I3C HCI DMA dequeue handler allows local authenticated attackers with low privileges to trigger memory corruption leading to privilege escalation, denial of service, or information disclosure. The vulnerability affects kernel versions from 5.11 onwards where the mipi-i3c-hci driver is enabled. EPSS probability is low (0.02%, 4th percentile) and no active exploitation or public POC is identified at time of analysis. Vendor patches available for stable kernel branches 6.18.19, 6.19.9, and 7.0.
Information Disclosure
Linux
Race Condition
-
CVE-2026-43352
HIGH
CVSS 7.8
Flawed DMA ring abort handling in the Linux kernel's MIPI I3C Host Controller Interface driver allows local authenticated attackers with low privileges to cause high-severity impacts including information disclosure, integrity violations, and denial of service. The vulnerability stems from improper abort sequence logic that disrupts controller state by unintentionally clearing hardware enable bits and resetting ring pointers. Vendor patches are available for kernel versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.
Information Disclosure
Linux
-
CVE-2026-43350
HIGH
CVSS 7.6
Out-of-bounds read in Linux kernel SMB client allows malicious SMB servers to disclose kernel memory and potentially crash systems via crafted NFS mode SIDs in ACL responses. Affects Linux kernel 5.4+ with SMB client enabled. Vendor patches released for stable branches 6.6.136, 6.12.84, 6.18.25, 7.0.2, and mainline 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation confirmed (not in CISA KEV). Attack requires user interaction (mounting malicious SMB share), reducing practical risk for environments with controlled server connections.
Information Disclosure
Linux
-
CVE-2026-43347
HIGH
CVSS 7.5
Memory corruption in Linux kernel on Qualcomm Monaco-based ARM64 platforms causes kernel crashes through synchronous external aborts when accessing hypervisor-owned memory incorrectly marked as conventional RAM. The firmware's EFI memory map only reserves 288 KiB of a 512 KiB Gunyah hypervisor metadata region (0x91a80000-0x91afffff), leaving 224 KiB exploitable for triggering fatal aborts. Patches available for stable branches 6.18.24, 6.19.14, and 7.0 series. EPSS exploitation probability is very low (0.02%, 4th percentile) with no known active exploitation or public POC, indicating limited real-world threat despite CVSS 7.5 rating.
Denial Of Service
Linux
Qualcomm
-
CVE-2026-43345
HIGH
CVSS 7.5
Linux kernel versions 6.4 and later containing IPA v5.0+ hardware support experience complete data path failure and indefinite system hangs during suspend or shutdown operations due to a register field misprogramming bug. The event ring index field was incorrectly referenced using an outdated identifier (ERINDEX instead of CH_ERINDEX) in the CH_C_CNTXT_1 register definition, preventing GSI channels from signaling transfer completions. This causes gsi_channel_trans_quiesce() to block indefinitely in wait_for_completion(), resulting in runtime suspend, system suspend, and remoteproc stop operations hanging forever. Patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). The CVSS vector indicates a network-accessible attack surface, though the actual impact is limited to devices with IPA v5.0+ hardware.
Information Disclosure
Linux
-
CVE-2026-43339
HIGH
CVSS 7.8
Local privilege escalation in Linux kernel IPv6 address configuration subsystem enables authenticated local users to gain high-level system access through a use-after-free (UaF) condition in addrconf_permanent_addr(). Patch available across all maintained stable kernel series (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with fixes backported from commit f1705ec197e7. EPSS score of 0.02% suggests minimal active exploitation likelihood; no KEV listing or public POC identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43336
HIGH
CVSS 7.5
ChaCha cipher implementation in the Linux kernel leaks cryptographic key material through an improperly zeroized stack variable. The ChaCha permutation function leaves 'permuted_state' on the stack after execution, which can be used to reverse-compute the original encryption key since ChaCha's permutation is mathematically invertible. This information disclosure affects kernel cryptographic operations including the RNG (random number generator). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). Patches are available across all maintained kernel versions from 5.10.253 through 6.19.12.
Information Disclosure
Linux
Red Hat
-
CVE-2026-43334
HIGH
CVSS 8.8
Authentication downgrade in Linux kernel Bluetooth SMP allows adjacent network attackers to bypass MITM protection during pairing. When a Bluetooth responder requires BT_SECURITY_HIGH, the SMP implementation incorrectly builds pairing responses before enforcing local MITM requirements, allowing initiators to force weaker 'Just Confirm' authentication even when policy mandates stronger methods. EPSS score of 0.02% indicates low predicted exploitation probability, and no active exploitation or public POC has been identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Information Disclosure
Linux
Red Hat
-
CVE-2026-43332
HIGH
CVSS 7.8
Use-after-free in Linux kernel thermal subsystem allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact through a race condition during thermal zone device registration failure. The flaw occurs when thermal_zone_device_register_with_trips() fails after registration but before cleanup completes: if userspace holds a kobject reference, the thermal zone structure can be freed prematurely while still in use. Vendor patches available across stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating, suggesting limited real-world attacker interest in this local race condition.
Information Disclosure
Linux
Red Hat
-
CVE-2026-43330
HIGH
CVSS 7.8
Buffer overflow in the Linux kernel's CAAM crypto driver allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with elevated privileges. The vulnerability occurs when HMAC keys exceeding the algorithm's block size are processed: the driver allocates DMA-aligned memory but uses kmemdup() to copy only the actual key length, then reads beyond the source buffer boundary during hashing. EPSS score of 0.02% (5th percentile) indicates low predicted exploitation likelihood. Patches are available across multiple stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, with fixes applied since kernel 6.3 introduced the vulnerable code.
Buffer Overflow
Linux
Memory Corruption
Red Hat
-
CVE-2026-43329
HIGH
CVSS 7.8
Buffer overflow in Linux kernel netfilter flowtable hardware offload allows local authenticated users to achieve high confidentiality, integrity, and availability impact via IPv6 flowtable configurations. The vulnerability stems from an off-by-one error where IPv6 setups require 17 actions but the hardcoded limit was 16, enabling memory corruption when complex IPv6 flows with SNAT, DNAT, VLAN manipulation, and tunneling are offloaded to hardware. EPSS exploitation probability is low (0.02%, 7th percentile), and vendor patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No public exploit code or CISA KEV listing identified at time of analysis.
Information Disclosure
Linux
Red Hat
-
CVE-2026-43328
HIGH
CVSS 7.8
Double-free condition in the Linux kernel's cpufreq governor subsystem affects multiple stable branches and can lead to memory corruption when an error path in cpufreq_dbs_governor_init() is triggered. The flaw stems from redundant cleanup logic that calls gov->exit() and kfree(dbs_data) twice after a kobject_init_and_add() failure. No public exploit has been identified at time of analysis, and EPSS exploitation probability is very low (0.02%, 7th percentile), consistent with a local memory-safety bug requiring privileged access rather than a remote attack surface.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43324
HIGH
CVSS 7.8
Race condition in the Linux kernel's dummy-hcd USB driver allows local authenticated users to trigger use-after-free conditions during gadget driver unbinding, potentially enabling privilege escalation, information disclosure, or denial of service. The flaw stems from incorrect ordering of interrupt synchronization: the emulated synchronize_irq() runs before interrupts are disabled, allowing callbacks to execute after the gadget driver is unbound. Patched versions include 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, with no confirmed active exploitation or public POC identified at time of analysis.
Information Disclosure
Linux
Red Hat
-
CVE-2026-43322
HIGH
CVSS 8.8
Use-after-free (UAF) in Linux kernel Bluetooth subsystem allows adjacent network attackers to trigger memory corruption via malformed LE Read Features Complete responses. The vulnerability occurs when hci_conn is freed before le_read_features_complete callback executes but after hci_le_read_remote_features_sync initiates, causing atomic operations on freed memory during hci_conn_drop. Active exploitation status not confirmed (no CISA KEV listing). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Upstream patches committed to stable kernel branches 6.19.12+ and 7.0+.
Information Disclosure
Linux
Google
Use After Free
Memory Corruption
-
CVE-2026-43321
HIGH
CVSS 7.8
Improper register liveness tracking in the Linux kernel eBPF verifier allows local authenticated users to potentially achieve information disclosure, privilege escalation, or denial of service through crafted BPF programs. The vulnerability stems from the compute_insn_live_regs() function failing to mark registers as used during indirect jump ('gotox rX') instructions, enabling attackers with BPF program loading privileges to manipulate register state tracking. With EPSS exploitation probability at 0.02% (5th percentile) and no evidence of active exploitation or public POC, this represents a theoretical risk primarily for systems where unprivileged users can load BPF programs. Vendor patches are available for kernel versions 6.18.16, 6.19.6, and 7.0.
Information Disclosure
Linux
-
CVE-2026-43307
HIGH
CVSS 7.8
Buffer over-read in the Linux kernel's adxl380 IIO accelerometer driver allows local authenticated users to read arbitrary kernel memory. The FIFO interrupt handler incorrectly calculates batch sizes when multiple channels are enabled, reading more entries than exist in the FIFO buffer. CVSS rates this 7.8 (High) with local access requiring low-privileged credentials. EPSS exploitation probability is minimal (0.02%, 5th percentile), indicating low real-world risk. Patches available in stable kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0.
Information Disclosure
Linux
-
CVE-2026-43303
HIGH
CVSS 7.8
Use-after-free in Linux kernel swap subsystem allows local authenticated users to achieve high-severity code execution, integrity violations, or denial of service. The vulnerability stems from multiple kernel subsystems (SLUB, shmem, TTM) failing to clear page->private fields before freeing memory, causing stale pointers to persist when pages are reallocated and split. The swap code then dereferences these uninitialized LIST_POISON values during swapoff operations, triggering KASAN-detected wild memory access. Patches available across kernel versions 6.18.16, 6.19.6, and 7.0, with EPSS score of 0.02% indicating low observed exploitation probability despite CVSS 7.8 rating.
Denial Of Service
Linux
Use After Free
Memory Corruption
-
CVE-2026-43296
HIGH
CVSS 7.5
Denial of service in Linux kernel octeontx2-af network driver allows remote unauthenticated attackers to trigger system stalls and deadlocks via network traffic that exploits hardware errata in Marvell OcteonTX2 NIX SQ manager. The vulnerability affects Linux kernel versions from mainline through multiple stable branches, with vendor patches released for 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low at 0.02% (7th percentile), and no public exploit or active exploitation is confirmed at time of analysis.
Information Disclosure
Linux
-
CVE-2026-43291
HIGH
CVSS 8.3
Improper packet data validation in Linux kernel NCI NFC subsystem breaks communication with NFC chips and creates potential for information disclosure. The vulnerability affects adjacent network attackers (AV:A) who can exploit variable-length packet handling without authentication (PR:N) to achieve high confidentiality impact, low integrity impact, and high availability impact. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite CVSS 8.3 severity. Vendor patches available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) with upstream fixes committed to stable branches.
Information Disclosure
Linux
-
CVE-2026-43290
HIGH
CVSS 7.8
A buffer management flaw in the Linux kernel's uvcvideo (USB Video Class) driver allows local authenticated attackers to trigger memory corruption via improper buffer handling when streaming initialization fails. The vulnerability manifests when xHCI controller failures cause uvc_pm_get() errors during start_streaming(), leaving queued video buffers unreturned and potentially causing system instability or privilege escalation. Patches are available from kernel maintainers for versions 6.18.16, 6.19.6, and 7.0+, with upstream fixes committed. EPSS score of 0.02% suggests minimal observed exploitation attempts, and no KEV listing indicates this is not currently exploited in the wild despite the high CVSS 7.8 score.
Information Disclosure
Linux
-
CVE-2026-43284
HIGH
CVSS 8.8
Use-after-free in Linux kernel ESP (IPsec) allows local authenticated attackers to decrypt shared memory fragments improperly, potentially exposing encrypted network traffic or causing memory corruption. Affects kernel versions 6.5+ where MSG_SPLICE_PAGES can attach pipe pages directly to UDP socket buffers. The IPv4/IPv6 datagram paths fail to mark spliced pages as shared, causing ESP input decryption to modify memory not privately owned by the packet buffer. Public exploit code exists (POC available on GitHub), EPSS score is low (0.01%) indicating limited widespread exploitation risk, and vendor patches are available across affected stable kernel branches (6.6.138, 6.12.87, 6.18.28, 7.0.5).
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-42793
HIGH
CVSS 8.2
Unauthenticated remote attackers can crash Erlang VM nodes running Absinthe GraphQL 1.5.0 through 1.10.1 by exhausting the BEAM atom table through specially crafted GraphQL SDL documents. Attackers send SDL containing numerous unique directive, field, type, or argument names that are unsafely converted to atoms via String.to_atom/1, permanently consuming slots in the fixed-size atom table (default 1,048,576 entries) until the VM terminates with system_limit error. This affects any application exposing SDL parsing to untrusted input, such as schema upload endpoints, federation gateways ingesting remote SDL, or developer tools processing user-supplied documents. Vendor-released patch (version 1.10.2) is available per GitHub advisory GHSA-qf4g-9fqq-mmm7.
Denial Of Service
-
CVE-2026-42556
HIGH
CVSS 8.9
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering with their own save request and send the public preview link /p/<postId>?share=true to another user. The preview p...
XSS
-
CVE-2026-42455
HIGH
CVSS 8.8
Stored cross-site scripting in Linkwarden 2.14.0 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in victims' authenticated sessions by uploading malicious HTML archives. The vulnerability exists because the /api/v1/archives endpoint accepts unsanitized HTML files and serves them without Content-Security-Policy protections, enabling session hijacking and account takeover. No vendor-released patch identified at time of analysis (GHSA advisory notes no patches available). EPSS data not provided; no active exploitation (CISA KEV) or public POC identified at time of analysis.
XSS
-
CVE-2026-42453
HIGH
CVSS 8.7
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts use double-quoted strings for shell command construction, unlike all other file manager operations w...
Command Injection
-
CVE-2026-42452
HIGH
CVSS 8.1
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow...
Information Disclosure
-
CVE-2026-42345
HIGH
CVSS 7.7
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 differen...
SSRF
-
CVE-2026-42286
HIGH
CVSS 8.4
Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue...
CSRF
-
CVE-2026-42278
HIGH
CVSS 8.8
Authentication bypass in UltraDAG Core blockchain allows remote unauthenticated attackers to drain all pocket-derived sub-addresses on smart accounts, completely bypassing vault delays and daily spending limits. The StateEngine fails to resolve pocket addresses to their parent account during policy enforcement, treating virtual pocket addresses as unrestricted accounts. Confirmed actively exploited (CISA KEV). Vendor-released patch: commit fb6ef59 resolves pocket-to-parent mapping before all policy checks. EPSS data unavailable, but the attack vector is network-accessible with low attack complexity (CVSS 4.0 AV:N/AC:L/PR:N), making this a critical priority for any UltraDAG deployment using smart account pockets.
Authentication Bypass
Hashicorp
-
CVE-2026-42275
HIGH
CVSS 8.7
Remote path traversal via symlink following in zrok's WebDAV drive backend allows unauthenticated network attackers to read arbitrary files accessible to the zrok process and overwrite critical system files (such as SSH authorized_keys) outside the intended share boundary. Attack complexity is high because exploitation requires a pre-existing symlink inside the shared directory pointing outside DriveRoot, a precondition typically created through local access or misconfiguration, not by the attacker. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation. Vendor-released patch available in version 2.0.2 with commit 459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e implementing symlink boundary validation.
Path Traversal
-
CVE-2026-42274
HIGH
CVSS 7.8
Authorization bypass in Heimdall cloud-native Identity Aware Proxy allows remote unauthenticated attackers to circumvent access control policies via path normalization mismatches. Attackers can craft requests with encoded or relative path traversal sequences (e.g., /public/../admin, /user/%2e%2e/admin) that Heimdall evaluates against one rule while downstream services normalize to a different protected path, enabling unauthorized access to restricted resources or functionality. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible, low-complexity exploitation (CVSS:4.0 AV:N/AC:L/PR:N). Fixed in version 0.17.14.
Information Disclosure
-
CVE-2026-42273
HIGH
CVSS 7.8
Heimdall's case-sensitive host matching bypasses access control policies when attackers submit HTTP requests with alternate letter casing in the Host header, exploiting the discrepancy between HTTP spec (case-insensitive hostnames) and Heimdall's implementation. Versions prior to 0.17.14 fail to match rules configured for lowercase hostnames when requests arrive with mixed or uppercase casing, potentially routing to permissive default rules and granting unintended access. This vulnerability is most dangerous when Heimdall is deployed with insecure default rule enforcement flags enabled, though it requires attackers to know the exact hostname pattern and exploit misconfiguration.
Information Disclosure
-
CVE-2026-42272
HIGH
CVSS 7.8
Authorization bypass in Heimdall cloud-native Identity Aware Proxy affects versions prior to 0.17.14 due to case-sensitive URL-encoded slash handling. Remote unauthenticated attackers can craft requests with lowercase-encoded slashes (%2f) to evade path-based access controls when 'allow_encoded_slashes' is disabled (default). This discrepancy between Heimdall's path interpretation and upstream services enables access to restricted endpoints if a permissive default rule exists. GitHub reports a public fix (PR #3207, commit 8b0de6a) with patched version 0.17.14 released. No public exploit identified at time of analysis. CVSS 7.8 with CVSS:4.0 vector indicates network-accessible, low-complexity attack requiring no privileges or user interaction, though real-world impact depends on deployment configuration.
Information Disclosure
-
CVE-2026-42271
HIGH
CVSS 8.7
Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute arbitrary commands on the host system. Two MCP (Model Context Protocol) test endpoints accept stdio transport configurations including command, args, and env fields, then spawn the supplied command as a subprocess with proxy process privileges. Authentication with any valid API key, including low-privilege internal-user keys, bypasses intended PROXY_ADMIN role restrictions. Patch available in version 1.83.7. No CISA KEV listing or public exploit code identified at time of analysis, though EPSS scoring is not provided in available data.
Command Injection
-
CVE-2026-42261
HIGH
CVSS 7.1
Server-Side Request Forgery (SSRF) in PromptHub 0.4.9 through 0.5.3 allows authenticated users to bypass IPv6 address validation and probe internal network resources. The /api/skills/fetch-remote endpoint accepts user-supplied URLs and fetches them server-side, reflecting up to 5 MB of response data. Flawed IPv6 validation allows attackers to reach RFC1918 private networks, loopback addresses, and link-local destinations using IPv4-mapped IPv6 hex representations and alternate ::1 notations. When ALLOW_REGISTRATION=true (a documented configuration), any internet user can register and exploit this vulnerability. Vendor-released patch: version 0.5.4. EPSS data not available; no evidence of active exploitation (not in CISA KEV).
SSRF
Canonical
-
CVE-2026-42212
HIGH
CVSS 7.1
SolidCAM-GPPL-IDE is an unofficial, independently developed Postprocessor IDE extension for SolidCAM. From version 1.0.0 to before version 1.0.2, opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (namin...
Denial Of Service
-
CVE-2026-42205
HIGH
CVSS 8.8
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::...
Authentication Bypass
Privilege Escalation
-
CVE-2026-42203
HIGH
CVSS 8.6
Server-side template injection in LiteLLM Proxy versions 1.80.5 through 1.83.6 allows authenticated users to execute arbitrary code via the POST /prompts/test endpoint. Any user with a valid proxy API key can submit malicious prompt templates that escape sandboxing and run commands in the proxy server process, exposing environment secrets like provider API keys and database credentials. This vulnerability affects deployments using LiteLLM as an AI gateway proxy server. No active exploitation confirmed (not in CISA KEV), but GitHub advisory and patch are publicly available, increasing exploit likelihood. CVSS 8.6 (High) with network attack vector and low complexity, though PR:L requirement limits exposure to authenticated attackers only.
RCE
Red Hat
Ssti
-
CVE-2026-42189
HIGH
CVSS 7.5
Pre-authentication denial-of-service in russh SSH server library allows remote attackers to crash servers implementing keyboard-interactive authentication via a single malformed packet. Affects russh versions prior to 0.60.1. An attacker sends a crafted SSH_MSG_USERAUTH_INFO_RESPONSE with an inflated allocation count (e.g., 0x10000000), triggering a multi-gigabyte memory allocation and OOM crash before any credential validation occurs. Vendor-released patch available (v0.60.1) bounds the allocation to the remaining packet data. Confirmed working exploit code exists per GitHub security advisory GHSA-f5v4-2wr6-hqmg. CVSS 7.5 (High) with network vector, low complexity, no privileges required.
Denial Of Service
-
CVE-2026-41886
HIGH
CVSS 7.5
Cross-origin DOM XSS and handler hijacking in the locize client SDK (browser module) allows remote attackers to execute arbitrary JavaScript, steal translation content, and manipulate the InContext editor UI. Attackers exploit missing postMessage origin validation by crafting messages from any embedded iframe, opened window, or parent frame that shares a window reference with a locize-enabled page. The vulnerability affects all versions prior to 4.0.21, with the vendor confirming exploitation through multiple handler paths (editKey, commitKeys, isLocizeEnabled, requestPopupChanges). No public exploit identified at time of analysis, though the GitHub security advisory provides detailed exploitation vectors including innerHTML injection, attribute-based XSS (onclick, href="javascript:"), and API endpoint hijacking to intercept translation data.
XSS
-
CVE-2026-41883
HIGH
CVSS 8.1
Remote code execution in OmniFaces CDNResourceHandler allows unauthenticated attackers to execute arbitrary code on servers via crafted EL injection in resource URLs. The vulnerability affects applications using wildcard CDN mappings (e.g., libraryName:*=https://cdn.example.com/*), where attackers can embed Expression Language expressions in resource request names that get evaluated server-side. Patched versions available across all maintained branches (1.14.2, 2.7.32, 3.14.16, 4.7.5, 5.2.3). EPSS data unavailable; not currently in CISA KEV, suggesting limited active exploitation at time of analysis.
RCE
-
CVE-2026-41693
HIGH
CVSS 8.2
Path traversal in i18next-fs-backend allows remote unauthenticated attackers to read arbitrary files (including /etc/passwd) or overwrite application files when language/namespace parameters derive from user input. Applications exposing i18next language detection via query strings, cookies, or headers (common with i18next-http-middleware or i18next-browser-languagedetector) are vulnerable to immediate exploitation with zero authentication (CVSS AV:N/AC:L/PR:N/UI:N). GitHub security advisory confirms the vulnerability with proof-of-concept parameter `?lng=../../../../etc/passwd`. Fixed in version 2.6.4; vulnerable versions also support eval-based .js/.ts locale loading, creating a code execution chain when traversal targets executable files.
Information Disclosure
Node.js
-
CVE-2026-41690
HIGH
CVSS 8.6
Object.prototype pollution in i18next-http-middleware prior to 3.9.3 allows remote unauthenticated attackers to inject arbitrary properties into all JavaScript objects via crafted HTTP requests, bypassing authorization checks, causing type-confusion denial of service, or enabling remote code execution when chained with vulnerable downstream code. The vulnerability is actively exploitable through two unprotected API endpoints (getResourcesHandler and missingKeyHandler) that accept user-controlled language and namespace parameters without validation. EPSS data not provided, not listed in CISA KEV, but publicly disclosed with detailed GitHub security advisory including technical exploitation details.
Path Traversal
Node.js
-
CVE-2026-41576
HIGH
CVSS 7.1
HTML injection in Brave CMS 2.0 contact form allows remote attackers to inject arbitrary HTML markup into administrative notification emails. The unauthenticated contact form passes user-supplied message text through nl2br() without HTML escaping, then renders it using Blade's unescaped {!! $msg !!} directive. While JavaScript execution is blocked by modern email clients, attackers can craft convincing phishing interfaces within the email body to target administrators. Upstream fix available via commit 6c56603, which implements HTML escaping using Laravel's e() helper function. EPSS and KEV data not provided. GitHub source diff confirms the vulnerability in ContactController.php and documents the server-side sanitization fix.
XSS
Microsoft
-
CVE-2026-41570
HIGH
CVSS 7.8
Arbitrary PHP directive injection in PHPUnit 12.5.21 and 13.1.5 enables local attackers with write access to phpunit.xml to achieve code execution in isolated test child processes by embedding newlines in INI setting values. The vulnerability exploits PHPUnit's unsanitized forwarding of INI settings to child processes via command-line arguments, where PHP's INI parser treats newlines as directive separators, allowing injection of auto_prepend_file to load attacker-controlled code. Fixed in versions 12.5.22 and 13.1.6. Primary exposure vector is Poisoned Pipeline Execution (PPE) in CI/CD environments running PHPUnit against untrusted pull requests without isolation.
PHP
RCE
Suse
-
CVE-2026-41524
HIGH
CVSS 8.7
Stored cross-site scripting (XSS) in Brave CMS 2.0 allows authenticated users with editor privileges to inject malicious JavaScript through the CKEditor rich-text interface, achieving persistent code execution in all visitors' browsers. The vulnerability stems from Laravel Blade's unescaped output directive {!! !!} rendering user-supplied content without sanitization. Patched via commit 6c56603 which implements HtmlSanitizer to allowlist safe HTML tags and strip dangerous attributes before database storage.
XSS
-
CVE-2026-41496
HIGH
CVSS 8.1
SQL injection in PraisonAI's multi-backend conversation storage system allows authenticated attackers to execute arbitrary SQL commands. The incomplete fix for CVE-2026-40315 validated input only in SQLiteConversationStore, leaving nine other database backends (MySQL, PostgreSQL, Turso, SingleStore, Supabase, SurrealDB, and their async variants) vulnerable to f-string SQL injection via unvalidated table_prefix and schema parameters. 52 injection points exist across the codebase. Exploitable in multi-tenant deployments or API-driven configurations where table_prefix is derived from external input. Patches released in praisonai 4.6.9 and praisonaiagents 1.6.9 address all affected backends. EPSS and KEV data unavailable; no public POC confirmed at time of analysis.
SQLi
PostgreSQL
-
CVE-2026-41491
HIGH
CVSS 8.1
Path traversal in Dapr runtime versions 1.3.0-1.15.13, 1.16.0-rc.1-1.16.13, and 1.17.0-rc.1-1.17.4 allows authenticated attackers to bypass service invocation access control policies by exploiting URL encoding mismatches between ACL evaluation and request dispatch layers. Attackers can use encoded path traversal sequences (e.g., admin%2F..%2Fpublic) or reserved URL characters (%23 for fragment, %3F for query) to authorize one path while delivering a different path to the target application. The gRPC API is more dangerous as it passes method strings raw without client-side sanitization. Vendor-released patches are available in versions 1.15.14, 1.16.14, and 1.17.5 (GitHub PR #9589). No public exploit code or CISA KEV listing identified at time of analysis.
Path Traversal
-
CVE-2026-41423
HIGH
CVSS 8.7
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper han...
SSRF
-
CVE-2026-38361
HIGH
CVSS 7.5
Remote code execution and denial-of-service in dash-uploader Python library allows unauthenticated network attackers to execute arbitrary code or crash applications via malicious file uploads. Versions 0.1.0 through 0.7.0a2 contain flaws in HTTP request handler (httprequesthandler.py), upload function (upload.py), and max_file_size parameter processing (configure_upload.py). Confirmed public exploit code exists (GitHub: a1ohadance/CVE-2026-38361), elevating risk despite CVSS indicating only availability impact; the RCE tag contradicts the CVSS vector's C:N/I:N rating, suggesting incomplete impact assessment. EPSS data unavailable; not in CISA KEV at time of analysis. Affects popular Python file upload component with thousands of monthly downloads per PyPI statistics.
RCE
Denial Of Service
-
CVE-2026-34354
HIGH
CVSS 7.4
Local privilege escalation in Akamai Guardicore Platform Agent 7.0-7.3.1 and Zero Trust Client 6.0-6.1.5 on Linux and macOS enables unprivileged users to gain root access through two distinct vectors: a TOCTOU race condition in the HandleSaveLogs() function that creates world-writable root-owned files via symlink manipulation in /tmp, and command injection in the gimmelogs diagnostic tool executing with root privileges. The vulnerability requires local access with high attack complexity (CVSS AC:H) but no authentication (PR:N), affecting endpoint security agents that typically run with elevated privileges. No active exploitation confirmed at time of analysis; EPSS data not available for this 2026 CVE identifier.
Privilege Escalation
Command Injection
Apple
Microsoft
-
CVE-2026-29975
HIGH
CVSS 7.5
Denial of service in lwjson 1.8.1 streaming parser allows remote unauthenticated attackers to cause indefinite application hang by sending JSON strings containing escaped backslashes followed by quotes (e.g., "text\\\"). The vulnerability stems from flawed end-of-string detection logic in lwjson_stream.c that fails to properly count consecutive backslashes before quote characters. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and no authentication required, this represents a readily exploitable availability risk for applications using lwjson_stream_parse(), though no active exploitation or POC weaponization is confirmed at time of analysis.
Denial Of Service
-
CVE-2026-29974
HIGH
CVSS 7.5
Stack buffer overflow in kosma minmea 0.3.0 allows remote unauthenticated attackers to cause denial of service through crafted NMEA field data. The minmea_scan function's format specifier copies data to caller-provided buffers without size validation, enabling memory corruption when processing untrusted NMEA GPS sentences. CVSS 7.5 (High) with network attack vector and low complexity, though impact is currently limited to availability (DoS). Public exploit demonstration exists via GitHub Gist reference. EPSS data not available, not listed in CISA KEV at time of analysis.
Buffer Overflow
Stack Overflow
-
CVE-2026-29972
HIGH
CVSS 8.2
Stack-based buffer overflow in nanoMODBUS v1.22.0 and earlier allows malicious Modbus TCP servers to execute arbitrary code on clients via oversized responses. When client applications call nmbs_read_holding_registers() or nmbs_read_input_registers(), the library fails to validate byte_count before writing server data to the caller's buffer, enabling up to 248 bytes of controlled overflow. No active exploitation confirmed (not in CISA KEV), but proof-of-concept code is publicly available and the vulnerability is automatable (SSVC) with network attack vector (CVSS AV:N/AC:L/PR:N). EPSS data not provided, but the combination of public POC, low complexity, and RCE potential warrants immediate attention for systems using nanoMODBUS as a client.
RCE
Buffer Overflow
Stack Overflow
-
CVE-2026-29201
HIGH
CVSS 8.6
Insufficient input validation of the feature file name in the `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Information Disclosure
-
CVE-2026-25077
HIGH
CVSS 8.8
Remote code execution in Apache CloudStack allows authenticated account users to execute arbitrary code on KVM hypervisor hosts by registering malicious templates with unsanitized filenames. Affects CloudStack 4.11.0 through 4.20.2.0 and 4.21.0.0 through 4.22.0.0 when using KVM hypervisors. Despite high CVSS (8.8), EPSS exploitation probability is very low (0.04%, 11th percentile) and CISA SSVC reports no active exploitation. Vendor-released patches are available in versions 4.20.3.0 and 4.22.0.1.
RCE
Denial Of Service
Apache
Code Injection
-
CVE-2026-23558
HIGH
CVSS 7.8
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/28. Xen Security Advisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command (Xen.org security team <security@....org>) Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs f...
Buffer Overflow
Linux
Race Condition
Suse
-
CVE-2026-8148
HIGH
CVSS 7.8
Local attackers with standard user credentials can escalate privileges to NT AUTHORITY\SYSTEM in NAVER MYBOX Explorer for Windows through registry manipulation. The vulnerability affects versions prior to 3.0.11.160 and stems from improper privilege checks, allowing complete system control on compromised endpoints. EPSS risk is low at 0.02% (4th percentile), indicating minimal observed exploitation probability. No active exploitation has been reported and this vulnerability is not listed in CISA KEV.
Privilege Escalation
Microsoft
-
CVE-2026-8138
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda CX12L router firmware 16.03.53.12 allows authenticated remote attackers to achieve full system compromise via the PPTP server configuration interface. The vulnerability resides in the formSetPPTPServer function within /goform/SetPptpServerCfg and is exploitable over the network with low attack complexity. A public proof-of-concept exploit exists on GitHub, significantly lowering the barrier to exploitation, though CISA has not yet added this to the KEV catalog, indicating no confirmed widespread active exploitation at this time.
Buffer Overflow
Stack Overflow
Tenda
-
CVE-2026-8137
HIGH
CVSS 7.4
Buffer overflow in Totolink X5000R 9.1.0u.6369_B20230113 router firmware allows authenticated remote attackers to execute arbitrary code or cause denial of service via a crafted submit-url parameter to the /boafrm/formDdns endpoint. Public exploit code exists (GitHub). CVSS 7.4 indicates high severity but requires authenticated access (PR:L), limiting immediate risk to environments where router credentials are compromised. EPSS data not available; prioritize if the router is exposed to the internet or untrusted networks.
Buffer Overflow
-
CVE-2026-8077
HIGH
CVSS 8.6
Authorization bypass in CashDro 3 web administration panel 24.01.00.26 allows authenticated attackers to escalate to full administrative privileges by manipulating client-side permission controls. The vulnerability stems from reliance on frontend-only authorization checks, with no backend validation of user permissions. Attackers with low-privileged accounts can modify the 'Permissions' field in JSON responses to grant themselves unrestricted access to cash management system controls. INCIBE-CERT has confirmed vendor patch availability, though EPSS data is not yet available for this recent CVE.
Authentication Bypass
-
CVE-2026-8069
HIGH
CVSS 8.5
Local attackers with standard user accounts can escalate to NT AUTHORITY\SYSTEM privileges in Acer PredatorSense V3 versions 3.00.3136 through 3.00.3196. The gaming utility software exposes a misconfigured Windows Named Pipe allowing arbitrary code execution and file deletion with SYSTEM privileges. CVSS 8.5 (High) reflects severe local impact with low complexity exploitation. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the technical details provided enable development of proof-of-concept code.
Privilege Escalation
RCE
Path Traversal
Microsoft
-
CVE-2026-7807
HIGH
CVSS 8.7
Authenticated attackers can read arbitrary JSON files from SmarterMail servers prior to build 9560 through a path traversal vulnerability in the /api/v1/report/summary/{type} endpoint. The vulnerability chains with weak encryption and hardcoded keys to decrypt stored passwords and two-factor authentication secrets for all system users, enabling complete account compromise. VulnCheck identified this vulnerability; vendor patch available in build 9560 or later. CVSS 8.7 reflects high confidentiality and integrity impact with low attack complexity, though requiring authenticated access (PR:L) moderates immediate risk for internet-exposed instances with strong authentication controls.
Path Traversal
-
CVE-2026-7330
HIGH
CVSS 7.2
Stored Cross-Site Scripting in Auto Affiliate Links for WordPress allows unauthenticated remote attackers to inject malicious JavaScript into administrator statistics pages through an unprotected AJAX endpoint. The vulnerability stems from missing input sanitization on the 'url' parameter in aal_url_stats_save_action() combined with direct output of stored values in aal_display_clicks() without escaping. Attackers can exploit a publicly exposed nonce and the wp_ajax_nopriv_ hook to store malicious payloads that execute when administrators view click statistics, potentially leading to session hijacking, privilege escalation, or site compromise. Wordfence reported this vulnerability affecting versions through 6.8.8, with a patch released in version 6.8.8.1.
WordPress
XSS
-
CVE-2026-6659
HIGH
CVSS 7.5
Weak salt generation in Crypt::PasswdMD5 (Perl) through version 1.42 enables password hash cracking via predictable random values. The module uses Perl's built-in rand() function for salt generation instead of cryptographically secure random sources, allowing attackers to predict salt values and drastically reduce the computational cost of offline password cracking attacks. CVSS 7.5 (High) with network vector and no authentication required. SSVC assessment indicates the vulnerability is automatable with partial technical impact. EPSS and KEV data not provided, but the cryptographic weakness is architecturally exploitable wherever these password hashes are transmitted or stored in accessible locations.
Information Disclosure
-
CVE-2026-5127
HIGH
CVSS 8.8
PHP object injection in User Frontend plugin for WordPress versions up to 4.3.1 allows authenticated attackers with Subscriber-level access or above to achieve remote code execution via unsafe deserialization of the wpuf_files parameter during form submission. The vulnerability chains input validation failures during form processing with unconditional use of maybe_unserialize() when rendering post content, enabling attackers to inject malicious PHP objects that can execute arbitrary code, delete files, or trigger other attacks through available Property-Oriented Programming (POP) chains. Wordfence disclosed detailed code references showing the vulnerable data flow across multiple plugin files including wpuf-functions.php, FieldableTrait.php, and Frontend_Form_Ajax.php, with both trunk and version 4.2.10 code paths exhibiting the flaw.
PHP
WordPress
RCE
Deserialization
-
CVE-2026-4935
HIGH
CVSS 8.6
Unauthenticated attackers can exploit SQL injection in OttoKit: All-in-One Automation Platform WordPress plugin versions before 1.1.23 due to improper input sanitization in SQL statement construction. The vulnerability allows remote attackers to extract sensitive data and modify database contents without authentication, though integrity impact is limited. Publicly available exploit code exists, and a patch has been released by the vendor.
WordPress
SQLi
-
CVE-2025-67888
HIGH
CVSS 7.3
Remote command injection in Control Web Panel allows unauthenticated attackers to execute arbitrary OS commands as root through an unsanitized GET parameter. Exploitation requires Softaculous or SitePad components to be installed. Despite critical impact (root RCE), the EPSS score of 6.16% (91st percentile) suggests selective targeting rather than mass exploitation, though the technical barrier is low (AC:L). Public exploit code exists via the Karma Insecurity disclosure and the FullDisclosure mailing list, significantly increasing attack surface.
PHP
Command Injection
-
CVE-2025-67486
HIGH
CVSS 8.6
Remote code execution in Dolibarr ERP/CRM versions ≤22.0.2 allows authenticated administrators to execute arbitrary PHP code by injecting malicious payloads into the 'computed value' field of user extrafields, which are passed unsanitized to PHP's eval() function. No vendor patch exists at time of analysis (zero-day status), but exploitation requires high-privilege administrator access, limiting immediate risk to environments with compromised admin accounts or malicious insiders. EPSS data unavailable; not listed in CISA KEV, indicating no confirmed widespread exploitation despite public technical disclosure.
PHP
RCE
-
CVE-2025-66467
HIGH
CVSS 8.0
Apache CloudStack's MinIO integration fails to clean up bucket access policies when buckets are deleted, enabling previous bucket owners to retain unauthorized access via cached credentials. If another user creates a bucket with the same name, the former owner gains read/write access using their old access keys. CISA has not listed this CVE in KEV, indicating no confirmed widespread exploitation. CVSS 8.0 reflects high impact but requires authenticated access and user interaction (PR:L/UI:R), tempering immediate urgency. Patch available in CloudStack 4.20.3.0 and 4.22.0.1.
Authentication Bypass
Apache
-
CVE-2025-66172
HIGH
CVSS 8.1
Authenticated CloudStack users can hijack volumes from other tenants' backups via the Backup plugin in versions 4.21.0.0 and 4.22.0.0. Attackers with low-privileged authenticated access can restore any user's backup volume and attach it to their own VMs, enabling complete data theft across tenant boundaries in multi-tenant environments. CVSS 8.1 reflects high confidentiality and integrity impact with low attack complexity. EPSS score of 0.01% indicates minimal observed exploitation activity, while SSVC assessment confirms non-automatable, partial technical impact with no known exploitation. Apache released patch version 4.22.0.1 addressing the access control flaw.
Information Disclosure
-
CVE-2025-55449
HIGH
CVSS 7.3
Remote unauthenticated attackers can forge JWT authentication tokens in AstrBot 3.5.15 by exploiting a hardcoded private key ('Advanced_System_for_Text_Response_and_Bot_Operations_Tool'), enabling full authentication bypass with subsequent remote code execution capabilities. Public exploit code exists on GitHub (Marven11/CVE-2025-55449-AstrBot-RCE) demonstrating weaponization of this cryptographic flaw. EPSS score of 0.00% suggests limited automated scanning activity, but the availability of working RCE exploit code significantly elevates practical risk for exposed instances.
Information Disclosure
-
CVE-2026-45130
MEDIUM
CVSS 6.6
Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32...
Buffer Overflow
Heap Overflow
Red Hat
-
CVE-2026-44896
MEDIUM
CVSS 5.3
Cross-site scripting (XSS) via unescaped HTML attributes in mistune's figure directive allows attackers to inject arbitrary HTML and JavaScript when processing markdown documents with figure directives, bypassing the HTMLRenderer escape setting. The `figclass` and `figwidth` parameters in `render_figure()` are concatenated directly into HTML without sanitization, while other attributes in the same file are properly escaped. Vulnerability affects mistune versions through 3.2.0; no patched version is currently released.
XSS
-
CVE-2026-44844
MEDIUM
CVSS 6.3
### Summary
`EmlParser.get_raw_body_text()` recurses unconditionally for every nested `message/rfc822` attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested `message/rfc822` parts triggers an unhandled `RecursionError` and aborts parsi...
Denial Of Service
Python
Apple
Ubuntu
-
CVE-2026-44837
MEDIUM
CVSS 5.9
Path traversal in ViewComponent system test entrypoint allows local attackers to read arbitrary files outside the intended temp directory by exploiting a flawed string-prefix containment check. The vulnerability affects ViewComponent 3.0.0 through 4.8.x running in Rails test mode; a request with a crafted file parameter containing a sibling directory name (e.g., `../view_components_evil/secret.html.erb`) bypasses validation because `/app/tmp/view_components_evil/secret.html.erb` passes a `start_with?` check against `/app/tmp/view_components`. This is limited to test environments (Rails.env.test?) but poses risk in shared CI systems, staging, or review apps where test mode is accidentally exposed. Public proof-of-concept code is available.
Path Traversal
-
CVE-2026-44836
MEDIUM
CVSS 6.5
ViewComponent preview routes allow authenticated attackers to invoke inherited helper methods including render_with_template, enabling rendering of internal Rails templates and exposure of secrets, configuration, and debug data not otherwise routable. The vulnerability requires authenticated access (CVSS PR:L) and affects versions 3.0.0 through 4.8.x; it is confirmed by proof-of-concept code in the vendor repository and requires preview routes to be externally exposed.
Information Disclosure
-
CVE-2026-44833
MEDIUM
CVSS 5.9
Open redirect vulnerability in Snipe-IT versions prior to 8.4.1 allows authenticated attackers to redirect users to malicious sites by poisoning the session-stored HTTP Referer header, enabling phishing, session hijacking, and malware distribution attacks. Exploitation requires prior session poisoning and user interaction (clicking a form submission), limiting real-world practical impact despite moderate CVSS score of 5.9. Vendor-released patch available in version 8.4.1.
Open Redirect
-
CVE-2026-44831
MEDIUM
CVSS 4.8
### Impact
Users with component view access could be impacted by an unescaped `notes` column.
### Patches
This was patched in https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438, and is fixed in v8.4.1 or greater.
### Workarounds
None.
XSS
-
CVE-2026-44788
MEDIUM
CVSS 5.9
Path traversal in SharpCompress `WriteToDirectory()` allows malicious ZIP and TAR archives to create directories outside the intended extraction root via relative (`../../`) and absolute path (`/tmp/`) overrides in the directory-entry fast-path. TAR archives can be further escalated to arbitrary file writes when callers implement `SymbolicLinkHandler` without validating symlink targets, enabling an attacker to write files anywhere on the filesystem subject to process permissions. CVSS 5.9 reflects moderate severity; real-world impact depends on whether the application extracts untrusted archives and implements symlink handling.
Privilege Escalation
Path Traversal
-
CVE-2026-44737
MEDIUM
CVSS 6.2
Stored cross-site scripting in Grav admin panel allows authenticated attackers to inject malicious JavaScript into page titles via the data[header][title] parameter, which is then executed when other administrators access the affected page or its move function. The vulnerability requires admin authentication to inject the payload but affects all subsequent viewers, enabling session hijacking, credential theft, and administrative impersonation. Publicly available exploit code exists with working proof-of-concept screenshots.
XSS
RCE
-
CVE-2026-44708
MEDIUM
CVSS 6.1
Cross-site scripting (XSS) vulnerability in the Mistune markdown parser's math plugin bypasses the `escape=True` security setting by rendering inline (`$...$`) and block (`$$...$$`) math content without HTML escaping. Attackers can inject arbitrary JavaScript that executes in the victim's browser session when a developer-controlled application parses untrusted markdown with the math plugin enabled, even when the parser is explicitly configured to sanitize all user input. Proof-of-concept code demonstrates script tag injection and image onerror handler exploitation; no public exploit code identified at time of analysis.
XSS
Python
Apple
-
CVE-2026-44665
MEDIUM
CVSS 6.1
Attribute injection in fast-xml-builder npm package allows attackers to inject malicious HTML/XML attributes when processEntities flag is disabled. Affected versions through 1.1.6 fail to properly sanitize quote characters in attribute values, enabling injection of arbitrary attributes like onClick handlers for cross-site scripting attacks. Patch available in version 1.1.7. EPSS and KEV data not available for this vulnerability, suggesting limited observed exploitation targeting this specific library, though the attack technique is well-understood.
XXE
Red Hat
-
CVE-2026-44664
MEDIUM
CVSS 6.1
Injection of arbitrary XML/HTML content in fast-xml-builder versions up to 1.1.5 allows unauthenticated remote attackers to break out of XML comments via three consecutive dashes (---), bypassing the regex-based sanitization fix for CVE-GHSA-gh4j-gqv2-49f6. Applications with the comment property enabled are at risk of XSS or malicious code injection in generated XML/HTML output when processing untrusted input. CVSS 6.1 with user interaction required; publicly available advisory but no confirmed POC.
RCE
Red Hat
-
CVE-2026-44656
MEDIUM
CVSS 4.6
Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path o...
Command Injection
-
CVE-2026-44568
MEDIUM
CVSS 4.8
## Vulnerability Details
**CWE-79**: Cross-site Scripting (XSS)
The `AccountPending.svelte` component renders the admin-configured "Pending User Overlay Content" using `marked.parse()` inside `{@html}` with an incorrect DOMPurify application order:
### Vulnerable Code
**`src/lib/components/layou...
XSS
-
CVE-2026-44564
MEDIUM
CVSS 5.4
Read-only users in Open WebUI can modify collaborative documents via Socket.IO by emitting crafted `ydoc:document:update` events that bypass write permission checks, allowing them to inject, modify, or delete content visible to all collaborators in real time. While direct database persistence requires write access, tampered content becomes permanent if any write-enabled user saves the document, undermining the read/write permission model for collaborative editing.
Authentication Bypass
Python
-
CVE-2026-44563
MEDIUM
CVSS 5.4
Open WebUI Ollama proxy endpoints bypass model access control checks, allowing authenticated users to access restricted models and expose sensitive configuration. Four endpoints (/api/generate, /api/embed, /api/embeddings, /api/show) fail to validate AccessGrants permissions before forwarding requests to the Ollama backend, despite the /api/chat endpoint implementing proper authorization checks. Attackers with any valid user account can consume GPU resources on restricted models and view sensitive details like system prompts by directly calling unprotected endpoints with known model names.
Authentication Bypass
Python
-
CVE-2026-44562
MEDIUM
CVSS 6.5
Open WebUI's POST /api/v1/models/import endpoint allows authenticated users with workspace.models_import permission to overwrite any existing model in the database without ownership validation, silently replacing system prompts, base model routing, and access grants. This enables a low-privilege user to hijack organization-wide models and inject malicious behavior affecting all downstream queries. The vulnerability bypasses access grant restrictions enforced on all other model mutation endpoints by never calling filter_allowed_access_grants.
Authentication Bypass
Denial Of Service
Python
-
CVE-2026-44561
MEDIUM
CVSS 5.4
# Deactivated Channel Members Retain Full Access to Group/DM Channels
## Affected Component
Channel membership authorization check:
- `backend/open_webui/models/channels.py` (lines 663-673, `is_user_channel_member`)
- Used at 15 locations in `backend/open_webui/routers/channels.py`
## Affected Ve...
Authentication Bypass
Denial Of Service
Python
-
CVE-2026-44560
MEDIUM
CVSS 6.5
# Unauthorized File and Knowledge Base Content Access via RAG Vector Search
## Affected Component
RAG source resolution in chat completion pipeline:
- `backend/open_webui/retrieval/utils.py` (lines 963-965, 1063-1068, 1126-1131 in `get_sources_from_items`)
## Affected Versions
Current main branc...
Authentication Bypass
Denial Of Service
-
CVE-2026-44559
MEDIUM
CVSS 4.3
Open WebUI versions up to 0.8.12 allow authenticated users to enumerate members of private standard channels via the GET /api/v1/channels/{id}/members endpoint, which lacks access control checks present on other channel endpoints. An attacker who knows a private channel's UUID can retrieve the full list of members including their names, emails, roles, and profile images, enabling targeted social engineering and organizational structure reconnaissance. The vulnerability is fixed in version 0.9.0.
Authentication Bypass
Denial Of Service
Python
-
CVE-2026-44558
MEDIUM
CVSS 5.4
Open WebUI versions up to 0.8.12 allow authenticated users to bypass channel access control restrictions by directly persisting arbitrary access grants without applying the `filter_allowed_access_grants()` validation used consistently across other resource types. An attacker with channel creation or ownership privileges can grant public read access (via wildcard principal grants) or individual user access, circumventing admin-configured sharing permission policies. This affects installations where administrators restrict public sharing or user-grant capabilities to specific roles.
Authentication Bypass
Python
-
CVE-2026-44557
MEDIUM
CVSS 4.3
Open WebUI versions up to 0.8.12 allow authenticated users to enumerate all knowledge bases across the instance via an incomplete access control allowlist in the retrieval collection validation function. The `_validate_collection_access` function only enforces ownership checks for collections matching `user-memory-*` and `file-*` patterns, allowing any authenticated user to directly query the system-level `knowledge-bases` meta-collection and retrieve the IDs, names, and descriptions of every knowledge base regardless of ownership. This information disclosure vulnerability serves as an enabler for subsequent attacks including knowledge base destruction and content injection, transforming these attacks from theoretically exploitable (requiring random UUID guessing) to trivially exploitable (UUIDs enumerable). CVSS score 4.3 (network-accessible, low privilege required, low confidentiality impact). Patched in version 0.9.0.
Denial Of Service
Python
Information Disclosure
-
CVE-2026-44550
MEDIUM
CVSS 5.0
Mass assignment vulnerability in Open WebUI's folder creation endpoint allows authenticated attackers to create folders in other users' accounts by exploiting Pydantic's extra='allow' configuration. An attacker with a valid account can supply an arbitrary user_id in the POST request body, overwriting the server-assigned value and persisting folders under a victim's account without their knowledge. The attacker can use this to plant phishing content, spam folders, or degrade user experience for targeted victims.
Authentication Bypass
Python
-
CVE-2026-44502
MEDIUM
CVSS 4.3
Bugsink versions 2.1.2 and earlier contain a webhook URL validation bypass (SSRF) where malformed URLs with backslashes and @ symbols pass validation checks but are interpreted differently by Python's urllib parser versus the requests HTTP client, allowing attackers with webhook configuration access to direct outbound POST requests to blocked hosts including loopback and private addresses. The vulnerability is narrower than full SSRF because requests do not follow redirects, the request shape is constrained by URL normalization, and this only affects webhook integrations, not arbitrary outbound proxying.
Python
SSRF
-
CVE-2026-44430
MEDIUM
CVSS 6.3
Server-side request forgery in MCP Registry's HTTP namespace verification endpoint allows unauthenticated attackers to reach internal IPv4 addresses via specially-crafted IPv6 addresses that encode or tunnel to RFC1918 and cloud-metadata services. The vulnerability exists in the private-address blocklist used by `safeDialContext`, which fails to block IPv6 6to4 (2002::/16), NAT64 well-known (64:ff9b::/96), NAT64 local-use (64:ff9b:1::/48), and deprecated site-local (fec0::/10) prefixes. On dual-stack and IPv6-only cloud deployments (GKE IPv6, AWS IPv6-only EC2, Azure NAT64), this enables direct connections to metadata services and internal Kubernetes API servers. No public exploit code identified at time of analysis, but proof-of-concept has been demonstrated against the production registry.
Kubernetes
SSRF
Open Redirect
Microsoft
Oracle
-
CVE-2026-44429
MEDIUM
CVSS 5.1
Stored cross-site scripting in MCP Registry's catalogue UI allows any user with a publish token to inject arbitrary event handlers via the `websiteUrl` field by breaking out of an `href` attribute with an unescaped double-quote character. The server-side URL validator accepts quotes and the client-side `escapeHtml` helper fails to encode them in attribute context, enabling attackers to execute JavaScript on the registry.modelcontextprotocol.io origin with access to localStorage, XHR, and auth tokens. Vendor-released patch version 1.7.7 available; actively confirmed via proof-of-concept.
XSS
Microsoft
Canonical
-
CVE-2026-44427
MEDIUM
Open redirect vulnerability in MCP Registry TrailingSlashMiddleware allows remote attackers to craft protocol-relative URLs that bypass path validation, redirecting users from the trusted registry domain to attacker-controlled sites. Affected versions 1.1.0 through 1.7.4 are vulnerable; vendor-released patch available in version 1.7.5. No public exploit code exists at time of analysis, but the vulnerability is trivially exploitable via simple HTTP requests without authentication.
Open Redirect
-
CVE-2026-44337
MEDIUM
CVSS 6.3
SQL and CQL injection vulnerability in PraisonAI multi-agent teams system versions 2.4.1 through 4.6.33 allows authenticated attackers to execute arbitrary SQL or CQL commands by injecting malicious collection names into knowledge-store implementations. The vulnerability affects applications that pass untrusted collection names to optional SQL/CQL-backed storage backends, enabling data exfiltration, modification, or deletion with low complexity exploitation.
Code Injection
-
CVE-2026-44324
MEDIUM
CVSS 6.5
### Summary
free5GC's UDR `nudr-dr` `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler panics on a single authenticated request against a fresh UDR instance when the supplied `ueId` does not exist in `UESubsCollection`. The processor checks `value,...
Denial Of Service
Docker
-
CVE-2026-44323
MEDIUM
CVSS 4.3
### Summary
free5GC's UDR `nudr-dr` `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks ...
Denial Of Service
Docker
Null Pointer Dereference
-
CVE-2026-44318
MEDIUM
CVSS 6.5
### Summary
free5GC's BSF `PUT /nbsf-management/v1/subscriptions/{subId}` handler has an unsynchronized write on the global `Subscriptions` map. The handler first reads the map under `RLock()` via `BSFContext.GetSubscription(subId)`, but if the subscription does not exist, `ReplaceIndividualSubcript...
Denial Of Service
Python
Docker
Race Condition
-
CVE-2026-44317
MEDIUM
CVSS 6.5
### Summary
free5GC's PCF `POST /npcf-policyauthorization/v1/app-sessions` handler panics on a single authenticated request whose `ascReqData.suppFeat == "1"` (enabling traffic-routing feature negotiation) and whose `medComponents` entries supply an `afAppId` but NO `AfRoutReq`. The create path then...
Denial Of Service
Docker
Null Pointer Dereference
-
CVE-2026-44310
MEDIUM
CVSS 5.4
Authentication bypass in gitsign --verify allows attackers to make unsigned or invalid commits appear verified when callers check only exit codes. CertVerifier.Verify() unconditionally dereferences the first certificate from a PKCS7 signature without validating that certificates exist; a crafted signature with an empty certificate set causes an index-out-of-range panic that is silently recovered by internal error handling, returning exit code 0 instead of an error. Exit-code-only verification callers (scripts, CI pipelines) misinterpret this panic as successful verification, while git's own status-fd verification path is partially protected by checking for the GOODSIG status token. The vulnerability affects gitsign versions 0.4.0 through 0.14.x; confirmed active exploitation is not indicated, but a working proof-of-concept exists in the advisory.
Authentication Bypass
Denial Of Service
Suse
-
CVE-2026-44309
MEDIUM
CVSS 5.3
## Summary
`gitsign verify` and `gitsign verify-tag` re-encode commit/tag objects through go-git's `EncodeWithoutSignature` before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate `tree` headers, git-core and go-git parse different ...
Authentication Bypass
Canonical
Suse
-
CVE-2026-44298
MEDIUM
CVSS 4.1
Kimai versions 2.32.0 through 2.55.x allow System-Admin users with invoice template upload permission to read arbitrary files from the PHP server via malicious PDF invoice templates. The vulnerability exploits mPDF's SetAssociatedFiles() function combined with unsanitized Twig template rendering to access any file readable by the PHP worker process and embed it within generated PDF invoices. No public exploit code or active exploitation has been identified; patch available in version 2.56.0.
PHP
Path Traversal
-
CVE-2026-44284
MEDIUM
CVSS 6.3
FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP...
SSRF
-
CVE-2026-44247
MEDIUM
CVSS 6.8
### Impact
The Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook...
Denial Of Service
-
CVE-2026-44214
MEDIUM
CVSS 5.8
### Summary
`eventsource-encoder` does not sanitize the `event` or `id` fields of an `EventSourceMessage` before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (`\n`, `\r`, or `\r\n`) and thereby forge additional SSE fields or entire...
RCE
-
CVE-2026-44213
MEDIUM
CVSS 6.5
### Summary
The `OpenTelemetry.Exporter.Instana` NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the `INSTANA_ENDPOINT_PROXY` environment variable.
If a network attacker can Man-in-the-Middle ...
Authentication Bypass
-
CVE-2026-44201
MEDIUM
CVSS 5.3
### Impact
The Documents and Images [API](https://docs.wagtail.org/en/stable/advanced_topics/api/index.html) incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections.
### Patches
Patched versions ...
Information Disclosure
-
CVE-2026-44200
MEDIUM
CVSS 6.5
### Impact
A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page.
###...
Information Disclosure
-
CVE-2026-44199
MEDIUM
CVSS 6.5
### Impact
A CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't.
The vulnerability is not exploitable by an ordinary site visito...
Information Disclosure
-
CVE-2026-44198
MEDIUM
CVSS 4.3
### Impact
A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information.
### Patches
Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates t...
Information Disclosure
-
CVE-2026-44197
MEDIUM
CVSS 6.5
### Impact
A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information.
### Patches
Patched versions have been released as Wag...
Information Disclosure
-
CVE-2026-43942
MEDIUM
CVSS 5.5
electerm 3.8.15 and prior exposes environment variables containing secrets through the getConstants() IPC handler, which serializes the entire process.env object and stores it as window.pre.env accessible to any JavaScript running in the renderer process. An attacker achieving JavaScript execution within the renderer (via DevTools, a compromised webview, or client-side injection) can exfiltrate sensitive credentials to remote servers, enabling cloud account compromise and lateral movement. No public exploit code identified at time of analysis, but the vulnerability is trivial to exploit once renderer JavaScript execution is achieved.
Information Disclosure
-
CVE-2026-43475
MEDIUM
CVSS 5.5
Denial-of-service via kernel lock-up in the Linux kernel's Hyper-V storage controller driver (hv_storvsc) affects guests running PREEMPT_RT-enabled kernels on Microsoft Hyper-V. The storvsc_queuecommand function disables preemption and then acquires an RT spinlock inside hv_ringbuffer_write; under PREEMPT_RT semantics, RT spinlocks are sleepable, making this a fatal locking-discipline violation that triggers the 'scheduling while atomic' BUG splat and subsequent system lock-up. No public exploit identified at time of analysis, with EPSS at 0.02% (7th percentile) reflecting the niche configuration dependency.
Information Disclosure
Linux
Microsoft
Red Hat
Suse
-
CVE-2026-43474
MEDIUM
CVSS 5.5
Denial of service via uninitialized kernel memory in the Linux kernel's FUSE filesystem handler allows a local low-privileged user to crash the kernel by invoking the file_getattr syscall against a FUSE-mounted file. Affected Linux kernel versions range from the initial git history through stable branches predating the 6.18.19, 6.19.9, and 7.0 patch releases. No public exploit is identified at time of analysis, and EPSS sits at 0.02% (4th percentile), reflecting very low observed exploitation probability with no CISA KEV listing.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43473
MEDIUM
CVSS 5.5
Local denial-of-service in the Linux kernel's mpi3mr SCSI driver causes a system crash via NULL pointer dereference during resource cleanup. An authenticated local user on a system using MPI3-based storage controllers can trigger a kernel panic by inducing the error path where queue creation fails: the driver frees reply or request queue memory but subsequently attempts to memset the now-freed (NULL) pointer, crashing the system. No public exploit exists and EPSS sits at 0.02% (7th percentile), indicating low real-world exploitation probability at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43472
MEDIUM
CVSS 5.5
Improper error-path state management in the Linux kernel's unshare(2) syscall leaves calling processes with dangling filesystem root and working-directory pointers after partial namespace creation failure. When a local low-privileged process calls unshare() with both CLONE_NEWNS and CLONE_NEWCGROUP on an unshared fs_struct (users==1), a successful copy_mnt_ns() updates current->fs->root and current->fs->pwd into the new mount namespace before a subsequent copy_cgroup_ns() failure triggers cleanup, dissolving the mount tree while leaving those pointers referencing now-detached mounts. The calling process is stranded in a broken filesystem state, producing high availability impact (CVSS A:H) confined entirely to the calling process. No public exploit has been identified, EPSS is 0.02% (7th percentile), and this is not in CISA KEV, reflecting low real-world exploitation interest despite the bug existing since unshare(2) was first introduced.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43471
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel's UFS host controller driver crashes the kernel when ufshcd_mcq_req_to_hwq() returns NULL during MCQ command completion, allowing an authenticated local user on affected hardware to trigger a denial of service. The vulnerability is confined to the SCSI UFS subsystem's ufshcd_add_command_trace() function and impacts systems with UFS storage operating in Multi-Circular Queue mode - primarily ARM64 embedded and mobile platforms using MediaTek UFS controllers. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the highly constrained attack surface.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43470
MEDIUM
CVSS 5.5
Kernel oops in the Linux NFSv3 client's create path exposes systems to local denial of service when concurrent directory and file creation races produce a directory alias via d_splice_alias. The affected code in nfs3_proc_create silently discards the alias without returning an error, leaving the original dentry in a negative (unresolved) state; a subsequent call from nfs_atomic_open_v23/finish_open passes this negative dentry to do_dentry_open, triggering the oops. No public exploit identified at time of analysis, and EPSS at 0.02% (5th percentile) signals very low probability of exploitation in the wild.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43468
MEDIUM
CVSS 5.5
Deadlock in the Linux kernel's mlx5 network driver eswitch subsystem allows a local low-privileged user to cause a complete system hang (denial of service) on hosts equipped with Mellanox/NVIDIA ConnectX NICs operating in SR-IOV eswitch mode. The deadlock arises from a lock-ordering inversion: the eswitch work queue acquires the devlink lock while processing VF change events, and concurrently the eswitch mode-set path holds the devlink lock and calls flush_workqueue, producing a circular wait. No public exploit code exists and no active exploitation has been identified at time of analysis; EPSS probability is 0.02%, reflecting the narrow, hardware-specific attack surface.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43467
MEDIUM
CVSS 5.5
Kernel denial-of-service in the mlx5_core driver (Mellanox/NVIDIA ConnectX) occurs when a privileged local user switches the eswitch to switchdev mode on hardware that does not support IPsec offload. The driver unconditionally invokes IPsec resource cleanup via mlx5e_ipsec_disable_events regardless of hardware capability, dereferencing a null or uninitialized pointer at offset 0xa0 and triggering a kernel page fault that crashes the system. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and no CISA KEV listing indicate negligible real-world exploitation activity.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43463
MEDIUM
CVSS 5.5
Null pointer dereference in the Linux kernel's rxrpc and AFS subsystems allows a local authenticated attacker to trigger a kernel denial of service. The rxrpc_kernel_lookup_peer() function can return either NULL or an error pointer on failure, but its AFS callers only tested for NULL - leaving unchecked error pointer values that, when dereferenced, cause a kernel panic. No public exploit has been identified and EPSS probability sits at 0.02%, indicating low observed exploitation interest; however, the availability impact is rated High by CVSS due to the potential for full system crash.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
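The check the AFS callers were missing, as an added userspace model (not kernel code, and not the real rxrpc/AFS functions): a lookup that can return NULL, an error pointer, or a real object, beside a caller that only tests for NULL and a caller that uses the kernel's IS_ERR_OR_NULL idiom. `peer_lookup_demo`, `afs_pick_peer_buggy` and `afs_use_peer_fixed` are hypothetical stand-ins for `rxrpc_kernel_lookup_peer()` and its callers; the ERR_PTR encoding (error pointers live in the top 4095 bytes of the address space) is the convention the kernel actually uses.

```c
/* Added example, not kernel code: a userspace model of the kernel's
 * ERR_PTR() convention and of an AFS-style caller that only tests for NULL.
 * peer_lookup_demo(), afs_pick_peer_buggy() and afs_use_peer_fixed() are
 * hypothetical stand-ins for rxrpc_kernel_lookup_peer() and its callers. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ERRNO 4095

/* Kernel-style encoding: an error is a pointer into the top 4095 bytes of
 * the address space, so it is non-NULL but never a valid object. */
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}
static inline int IS_ERR_OR_NULL(const void *ptr) { return !ptr || IS_ERR(ptr); }

struct peer { int id; };

/* Which of the three possible lookup outcomes the demo should produce. */
enum lookup_mode { LOOKUP_OK, LOOKUP_NOT_FOUND, LOOKUP_FAIL };

static struct peer demo_peer = { .id = 7 };

/* Stand-in for rxrpc_kernel_lookup_peer(): NULL when there is no peer,
 * ERR_PTR(-errno) on failure, otherwise a pointer to the peer. */
static struct peer *peer_lookup_demo(enum lookup_mode mode)
{
    switch (mode) {
    case LOOKUP_OK:        return &demo_peer;
    case LOOKUP_NOT_FOUND: return NULL;
    default:               return ERR_PTR(-ENOMEM);
    }
}

/* Buggy caller pattern: only NULL means "no peer"; anything else is handed
 * on for dereferencing.  For LOOKUP_FAIL that is an address such as
 * 0xfffffffffffffff4, which the kernel would then touch and oops on. */
static struct peer *afs_pick_peer_buggy(enum lookup_mode mode)
{
    struct peer *p = peer_lookup_demo(mode);

    if (!p)
        return NULL;
    return p;   /* error pointers slip through here */
}

/* Fixed caller: NULL and error pointers are both rejected before use, and
 * the encoded errno is propagated instead of being dereferenced. */
static int afs_use_peer_fixed(enum lookup_mode mode)
{
    struct peer *p = peer_lookup_demo(mode);

    if (IS_ERR_OR_NULL(p))
        return p ? (int)PTR_ERR(p) : -ENOENT;
    return p->id;
}

int main(void)
{
    struct peer *p = afs_pick_peer_buggy(LOOKUP_FAIL);

    printf("buggy caller would dereference %p (IS_ERR=%d)\n", (void *)p, IS_ERR(p));
    printf("fixed caller returns %d for the same failure\n", afs_use_peer_fixed(LOOKUP_FAIL));
    return 0;
}
```

The practical check when reviewing a caller is simple: find the callee's documented failure convention (NULL, ERR_PTR, or both) and make sure the caller tests for every one of them, since `if (!p)` silently passes an error pointer.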
-
CVE-2026-43457
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel's MCTP I2C driver receive path allows a local authenticated attacker to progressively exhaust kernel slab memory, resulting in denial of service. The flaw exists in all kernel versions from 5.18 (when the MCTP I2C driver was introduced at commit f5b8abf9fc3dacd7529d363e26fe8230935d65f8) through multiple stable branches now addressed by patches in 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. No public exploit identified at time of analysis; the EPSS score of 0.02% (7th percentile) confirms very low exploitation probability, consistent with the niche deployment context of MCTP I2C interfaces.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43455
MEDIUM
CVSS 5.5
Race condition in the Linux kernel MCTP route subsystem allows a local, low-privileged attacker to cause a device reference count leak leading to availability impact. The mctp_flow_prepare_output() function in the MCTP (Management Component Transport Protocol) networking stack fails to hold key->lock around the key->dev check-and-set sequence, enabling two concurrent threads to each acquire a device reference while only the final one is tracked for release - gradually exhausting kernel resources. No public exploit exists and EPSS is 0.02% (7th percentile), indicating very low exploitation probability; fixes are available across multiple stable kernel branches.
Information Disclosure
Linux
Red Hat
Suse
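A deterministic replay of the check-then-set race above, added here as an example (not kernel code): two flows try to attach a device to one key; without the lock both pass the `dev == NULL` test before either stores, so two references are taken but the key only ever records one and releases one. `mctp_key_demo`, `flow_check`/`flow_set` and the `dev_hold_demo`/`dev_put_demo` counters are constructed stand-ins for the MCTP structures, and the interleaving is replayed serially rather than with real threads so the outcome is reproducible.

```c
/* Added example, not kernel code: a deterministic replay of the
 * check-then-set race on key->dev.  Two flows race to attach a device to
 * one key; in the unlocked variant both pass the "dev == NULL" check before
 * either stores, so two references are taken but only one is tracked and
 * later dropped.  All names here are constructed stand-ins. */
#include <stddef.h>
#include <stdio.h>

struct net_device_demo { int refcnt; };

struct mctp_key_demo {
    struct net_device_demo *dev;
    int lock_held;   /* models key->lock; only bookkeeping in this serial replay */
};

static void dev_hold_demo(struct net_device_demo *d) { d->refcnt++; }
static void dev_put_demo(struct net_device_demo *d)  { d->refcnt--; }

/* First half of the racy sequence: read key->dev.  Returns 1 if this flow
 * concluded it must attach the device. */
static int flow_check(const struct mctp_key_demo *key)
{
    return key->dev == NULL;
}

/* Second half: take a reference and publish it in the key. */
static void flow_set(struct mctp_key_demo *key, struct net_device_demo *d)
{
    dev_hold_demo(d);
    key->dev = d;
}

/* Unlocked variant, run with the worst-case interleaving
 *   A:check  B:check  A:set  B:set
 * which is exactly what the missing key->lock allows. */
static void race_unlocked(struct mctp_key_demo *key, struct net_device_demo *d)
{
    int a_attach = flow_check(key);
    int b_attach = flow_check(key);

    if (a_attach)
        flow_set(key, d);
    if (b_attach)
        flow_set(key, d);   /* second reference into the same key->dev slot */
}

/* Locked variant: check and set happen under key->lock as one unit, so the
 * second flow observes the first flow's store and takes no reference. */
static void flow_attach_locked(struct mctp_key_demo *key, struct net_device_demo *d)
{
    key->lock_held = 1;
    if (flow_check(key))
        flow_set(key, d);
    key->lock_held = 0;
}

static void race_locked(struct mctp_key_demo *key, struct net_device_demo *d)
{
    flow_attach_locked(key, d);   /* A */
    flow_attach_locked(key, d);   /* B: sees key->dev already set */
}

/* Key teardown drops the single reference the key knows it holds. */
static void key_release(struct mctp_key_demo *key)
{
    if (key->dev) {
        dev_put_demo(key->dev);
        key->dev = NULL;
    }
}

/* Run one race with or without the lock; return the references still held
 * by the device after the key is released (0 means no leak). */
static int leaked_refs(int with_lock)
{
    struct net_device_demo dev = { .refcnt = 0 };
    struct mctp_key_demo key = { .dev = NULL, .lock_held = 0 };

    if (with_lock)
        race_locked(&key, &dev);
    else
        race_unlocked(&key, &dev);
    key_release(&key);
    return dev.refcnt;
}

int main(void)
{
    printf("unlocked: %d leaked reference(s)\n", leaked_refs(0));
    printf("locked:   %d leaked reference(s)\n", leaked_refs(1));
    return 0;
}
```

One leaked reference per race is what keeps the net_device from ever being freed; the availability impact in the entry comes from repeating the race until the reference count no longer reaches zero on unregistration.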
-
CVE-2026-43451
MEDIUM
CVSS 5.5
Repeated memory exhaustion in the Linux kernel's netfilter nfnetlink_queue subsystem allows a local low-privileged attacker to trigger a denial of service by leaking kernel memory on every crafted PF_BRIDGE verdict. The defect in nfqnl_recv_verdict() causes the nf_queue_entry, its sk_buff, and all held net_device and struct net reference counts to never be released when nfqa_parse_bridge() returns an error due to malformed VLAN netlink attributes. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects the constrained local attack path and low exploitation probability.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43448
MEDIUM
CVSS 4.7
Race condition in the Linux kernel nvme-pci driver's nvme_poll_irqdisable() function causes an unbalanced IRQ enable/disable pair that crashes the kernel with a warning. Affected kernels from 5.7 through multiple stable branches are vulnerable when running PCIe NVMe storage with MSI-X interrupts: a concurrent NVMe device reset can change the IRQ vector between the disable_irq() and enable_irq() calls, so the two calls operate on different IRQ numbers. No public exploit has been identified at time of analysis, and the EPSS of 0.02% confirms this is a reliability/stability concern; it is patched in kernel stable releases 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0.
Denial Of Service
Linux
Race Condition
Red Hat
Suse
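The read-it-once fix for the vector race, as an added model (not nvme-pci code): genirq keeps a per-IRQ disable depth, so disabling one vector and enabling another leaves the first stuck disabled and trips the "Unbalanced enable" warning on the second. `irq_depth`, `pci_irq_vector_demo()` and the `nvme_poll_irqdisable_*` functions are constructed stand-ins; the reset is injected between the two calls to make the window deterministic.

```c
/* Added example, not driver code: a model of why reading the IRQ vector
 * twice is unsafe when a reset can change it in between, beside the fix
 * that reads it once.  irq_depth, pci_irq_vector_demo() and the
 * nvme_poll_irqdisable_* functions are constructed stand-ins. */
#include <stdio.h>

#define NVECS 4

/* Per-vector disable depth, as genirq keeps it: disable_irq() increments,
 * enable_irq() decrements and warns if it would go below zero. */
static int irq_depth[NVECS];
static int unbalanced_enables;

static void disable_irq_demo(int vec) { irq_depth[vec]++; }
static void enable_irq_demo(int vec)
{
    if (irq_depth[vec] == 0) {   /* kernel prints "Unbalanced enable for IRQ n" */
        unbalanced_enables++;
        return;
    }
    irq_depth[vec]--;
}

struct nvme_dev_demo { int queue_vector; };

static int pci_irq_vector_demo(const struct nvme_dev_demo *dev)
{
    return dev->queue_vector;
}

/* Models a concurrent controller reset re-allocating the queue's vector. */
static void concurrent_reset(struct nvme_dev_demo *dev, int new_vec)
{
    dev->queue_vector = new_vec;
}

/* Buggy: the vector is looked up separately for disable and enable. */
static void nvme_poll_irqdisable_buggy(struct nvme_dev_demo *dev, int reset_to)
{
    disable_irq_demo(pci_irq_vector_demo(dev));
    concurrent_reset(dev, reset_to);             /* the race window */
    enable_irq_demo(pci_irq_vector_demo(dev));   /* now a different IRQ */
}

/* Fixed: capture the vector once and use it for both calls. */
static void nvme_poll_irqdisable_fixed(struct nvme_dev_demo *dev, int reset_to)
{
    int vec = pci_irq_vector_demo(dev);

    disable_irq_demo(vec);
    concurrent_reset(dev, reset_to);
    enable_irq_demo(vec);
}

/* Reset the model, run one poll with a reset moving the queue from vector 1
 * to vector 2, and report whether every vector is back at depth 0 with no
 * unbalanced enable recorded. */
static int balanced_after_poll(int use_fixed)
{
    struct nvme_dev_demo dev = { .queue_vector = 1 };

    for (int v = 0; v < NVECS; v++)
        irq_depth[v] = 0;
    unbalanced_enables = 0;

    if (use_fixed)
        nvme_poll_irqdisable_fixed(&dev, 2);
    else
        nvme_poll_irqdisable_buggy(&dev, 2);

    for (int v = 0; v < NVECS; v++)
        if (irq_depth[v] != 0)
            return 0;
    return unbalanced_enables == 0;
}

int main(void)
{
    printf("buggy balanced: %d\n", balanced_after_poll(0));
    printf("fixed balanced: %d\n", balanced_after_poll(1));
    return 0;
}
```

The general rule the fix applies is to snapshot any value that a concurrent path may change into a local before the first use, so paired operations always see the same value.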
-
CVE-2026-43446
MEDIUM
CVSS 5.5
Deadlock in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) causes a local denial-of-service by hanging the runtime power management subsystem. An authenticated local user who triggers job execution on the AMD XDNA accelerator while the system simultaneously attempts a runtime suspend can lock the kernel indefinitely. No active exploitation is confirmed and no public exploit code has been identified at time of analysis; the EPSS score of 0.02% (5th percentile) corroborates low exploitation probability.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43445
MEDIUM
CVSS 5.5
DMA mapping resource leak in Linux kernel e1000 and e1000e Intel Ethernet drivers results in local denial-of-service conditions via memory exhaustion. The flaw originates from an off-by-one error in the TX buffer error-cleanup path (dma_error), introduced by commit c1fa347f20f1 which fixed an infinite loop but simultaneously decremented the unmap counter prematurely - causing exactly one DMA mapping to leak per failed multi-buffer TX operation. No public exploit has been identified and no active exploitation is confirmed (not in CISA KEV); EPSS of 0.02% (7th percentile) reflects extremely low weaponization probability.
Denial Of Service
Linux
Red Hat
Suse
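A ring-buffer model of the TX unwind described above, added as an example (not e1000/e1000e code): a multi-fragment transmit maps one ring slot per fragment, a mapping fails part way, and the cleanup has to walk back over exactly the slots it mapped. The buggy unwind decrements the count before the walk and so always leaves one slot mapped; the fixed one walks back the full count. `struct tx_ring_demo` and the helper names are constructed for the demo, and the wrap-around at slot 0 mirrors how a ring index is walked backwards.

```c
/* Added example, not driver code: a ring-buffer model of the TX unwind.
 * The buggy unwind decrements the count before walking back and so always
 * leaves one slot mapped.  struct tx_ring_demo and the helper names are
 * constructed for the demo, not the e1000 data structures. */
#include <stdio.h>

#define RING_SIZE 8

struct tx_ring_demo {
    int mapped[RING_SIZE];   /* 1 while a DMA mapping is held for the slot */
    int next_to_use;
};

/* Map fragments 0..nfrags-1 starting at next_to_use; fragment fail_at
 * fails to map (as a DMA mapping error would).  Returns the number of
 * fragments actually mapped and leaves *i_out at the slot of the failure,
 * i.e. one past the last mapped slot, wrapping around the ring. */
static int map_fragments(struct tx_ring_demo *r, int nfrags, int fail_at, int *i_out)
{
    int i = r->next_to_use, count = 0;

    for (int f = 0; f < nfrags; f++) {
        if (f == fail_at)
            break;
        r->mapped[i] = 1;
        count++;
        i = (i + 1) % RING_SIZE;
    }
    *i_out = i;
    return count;
}

/* Buggy unwind: "if (count) count--" before the loop drops one iteration,
 * so the first mapped slot is never unmapped. */
static void unwind_buggy(struct tx_ring_demo *r, int i, int count)
{
    if (count)
        count--;
    while (count--) {
        if (i == 0)
            i += RING_SIZE;
        i--;
        r->mapped[i] = 0;
    }
}

/* Fixed unwind: walk back exactly `count` slots from the failure point. */
static void unwind_fixed(struct tx_ring_demo *r, int i, int count)
{
    while (count--) {
        if (i == 0)
            i += RING_SIZE;
        i--;
        r->mapped[i] = 0;
    }
}

static int mapped_slots(const struct tx_ring_demo *r)
{
    int n = 0;

    for (int s = 0; s < RING_SIZE; s++)
        n += r->mapped[s];
    return n;
}

/* Simulate one failed transmit of nfrags fragments starting at ring slot
 * `start`, with fragment fail_at failing to map; return how many DMA
 * mappings are still held afterwards (0 is correct). */
static int leaked_after_failed_tx(int start, int nfrags, int fail_at, int use_fixed)
{
    struct tx_ring_demo r = { .next_to_use = start };
    int i, count;

    count = map_fragments(&r, nfrags, fail_at, &i);
    if (use_fixed)
        unwind_fixed(&r, i, count);
    else
        unwind_buggy(&r, i, count);
    return mapped_slots(&r);
}

int main(void)
{
    printf("buggy unwind leaks %d mapping(s)\n", leaked_after_failed_tx(6, 4, 3, 0));
    printf("fixed unwind leaks %d mapping(s)\n", leaked_after_failed_tx(6, 4, 3, 1));
    return 0;
}
```

Starting at slot 6 with three fragments mapped (slots 6, 7 and 0) exercises the wrap-around; the buggy path frees slots 0 and 7 and leaves slot 6 mapped, which is the one-mapping-per-failed-transmit leak the entry describes.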
-
CVE-2026-43444
MEDIUM
CVSS 5.5
Denial of service in the Linux kernel's drm/amdkfd (AMD GPU Kernel Fusion Driver) subsystem allows a local authenticated user to crash the kernel via a NULL pointer dereference. The flaw originates in the error handling path of the queue update routine, where a buffer object (bo) is not unreserved upon failure, leaving the subsystem in an inconsistent state that triggers a null dereference. No active exploitation is known; EPSS is 0.02% (5th percentile), and the impact is limited strictly to availability - confidentiality and integrity are unaffected.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43443
MEDIUM
CVSS 5.5
Null pointer dereference in the Linux kernel's ASoC AMD ACP machine-common driver can be triggered by a local authenticated user to crash the kernel, resulting in a denial of service. The functions acp_card_rt5682_init() and acp_card_rt5682s_init() in sound/soc/amd/acp/acp-mach-common.c fail to validate the return value of clk_get(), allowing an invalid error pointer to be dereferenced by downstream clock core functions. No public exploit code exists and no active exploitation has been confirmed; EPSS probability stands at 0.02% (5th percentile), reflecting very low real-world exploitation likelihood.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Amd
-
CVE-2026-43439
MEDIUM
CVSS 4.7
Race condition in the Linux kernel cgroup subsystem's task iterator exposes local low-privileged users to a denial-of-service condition when task migration and cgroup iteration execute concurrently. The cgroup infrastructure fails to advance active css_task_iters before a task is unlinked from cset->tasks during migration, allowing iterators to reference the wrong linked list and silently skip tasks - or in worst-case scenarios, cause css_task_iter_advance() to crash or loop infinitely on the destination css_set. No public exploit identified at time of analysis; EPSS of 0.02% at the 7th percentile reflects extremely low observed exploitation probability and aligns with the narrow race window required.
Denial Of Service
Linux
Google
Race Condition
Red Hat
-
CVE-2026-43436
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel's ALSA USB-audio Scarlett2 mixer quirk allows a local low-privileged user to crash the kernel (denial of service) by presenting a malformed USB descriptor with zero endpoints. Affected systems running unpatched kernels from the initial commit onward through stable branches 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x are exposed whenever the USB-audio driver enumerates a crafted or emulated Scarlett2-type device. No active exploitation is confirmed (not in CISA KEV) and no public exploit identified at time of analysis; the EPSS score of 0.03% (8th percentile) confirms very low real-world exploitation probability.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43432
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel xHCI USB host controller driver's xhci_disable_slot() function causes kernel memory exhaustion under error conditions, leading to denial of service. Affected kernels span multiple stable branches from the introduction commit through versions before 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. A local low-privileged user who can trigger USB xHCI slot disable error paths - requiring specific hardware fault conditions - could accumulate kernel memory leaks over time, ultimately causing system instability. No public exploit identified at time of analysis; EPSS is 0.03% (9th percentile), reflecting negligible real-world exploitation likelihood.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43431
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel's xhci USB host controller debugfs interface allows a local low-privileged user to crash the kernel (denial of service) by reading portli debugfs files. The flaw surfaces when xhci's max_ports count exceeds the number of ports covered by Supported Protocol capabilities - producing NULL rhub pointers - which the portli read handler dereferences without checking. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating negligible broad exploitation interest; the vulnerability is not listed in CISA KEV.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43430
MEDIUM
CVSS 4.7
Race condition in the Linux kernel's yurex USB driver probe function allows a local low-privileged attacker to cause a denial of service by triggering a timing window between URB submission and bbu member initialization. Affected are all kernel versions from the initial commit through the stable branch fix points (patched in 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0). No public exploit exists and the issue is not listed in CISA KEV; EPSS of 0.02% (7th percentile) reflects negligible widespread exploitation probability.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-43429
MEDIUM
CVSS 5.5
Indefinite kernel thread hang in the Linux kernel usbtmc (USB Test and Measurement Class) driver allows a local authenticated user to cause a denial of service by supplying an arbitrarily large timeout value via ioctl. The driver previously passed user-controlled timeout values directly to usb_bulk_msg(), which uses unkillable waits, meaning the kernel thread could never be interrupted or killed once blocked. No public exploit or active exploitation has been identified at time of analysis, and EPSS probability is negligible at 0.02%, but the straightforward local trigger path makes this a meaningful availability risk on systems with USBTMC devices.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43428
MEDIUM
CVSS 5.5
Unbounded uninterruptible USB synchronous timeout in the Linux kernel's usbcore subsystem allows a local low-privileged user to permanently hang a kernel task with no signal-based kill path. The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs accept arbitrary timeout values and use TASK_UNINTERRUPTIBLE waits, meaning a task blocked on a misbehaving or absent USB device cannot be terminated by SIGKILL - only physical device removal can unblock it. CVSS 5.5 (AV:L/PR:L/A:H), EPSS at 0.02% (7th percentile), no KEV listing, and no public exploit code at time of analysis collectively indicate low active exploitation risk, though the denial-of-service primitive is straightforward once local access is established.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43425
MEDIUM
CVSS 5.5
Denial of service in the Linux kernel mdc800 USB imaging driver allows a local low-privileged user to crash the kernel by triggering a URB double-submission race condition. The mdc800_device_read() function submits a USB Request Block (URB) but fails to cancel it on timeout, leaving it active; a subsequent read() resubmits the same in-flight URB, triggering a kernel WARN in usb_submit_urb() that can destabilize the system. No public exploit exists and no active exploitation has been identified - EPSS is 0.02% (7th percentile), reflecting the hardware-specific, local-access-only nature of this flaw.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43424
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel's USB gadget f_tcm (USB Target Controller Module) driver allows an authenticated local attacker with USB host access to trigger a kernel panic by sending Bulk-Only Transport (BOT) commands during a race window where the ConfigFS-managed nexus pointer is uninitialized or torn down. Affected systems are those acting as USB gadgets - primarily embedded devices and single-board computers - running kernel versions from commit c52661d60f636d17e26ad834457db333bd1df494 onward without the applied fix. No public exploit exists and the vulnerability is absent from CISA KEV; EPSS of 0.02% (7th percentile) confirms negligible observed exploitation activity.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43415
MEDIUM
CVSS 4.7
Kernel panic triggered by a race condition in the UFS Host Controller Driver (ufshcd) during system suspend affects Linux systems using Universal Flash Storage hardware where UFSHCD_CAP_CLK_GATING is not supported. The flaw allows a local low-privileged user - or automated power management - to crash the kernel by triggering a suspend sequence while ufshcd_rtc_work() is concurrently executing, producing an ARM64 asynchronous SError interrupt that halts the system. No public exploit code exists and no active exploitation has been identified; with an EPSS of 0.02% this is a low-probability defect, but one that takes the whole system down, and it is patched across multiple stable kernel branches.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-43413
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel's hisi_sas SCSI driver crashes systems when a local user triggers a host scan via sysfs. Authenticated local users with low privileges can write to the sysfs scan interface, causing kernel oops due to a channel iteration bug introduced in commit 37c4e72b0651 - the driver supports only one channel (channel 0) but its max_channel is set to 1, causing sas_user_scan() to attempt scanning channel 1 where no valid SAS device structure exists. The result is a denial-of-service via kernel NULL pointer dereference at sas_find_dev_by_rphy(). No public exploit or CISA KEV listing has been identified; EPSS is 0.02% (5th percentile), consistent with low-likelihood opportunistic exploitation.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43412
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel's ASoC QCOM QDSP6 subsystem crashes systems built on Qualcomm SA8775P and SC8280XP SoCs during ADSP protection-domain restart cycles. The crash occurs because the q6apm-audio .remove callback prematurely deletes PCM runtimes (RTDs) containing q6apm DAI components during ASoC teardown, leaving those components still linked to the sound card and triggering a kernel oops on the subsequent rebind. Impact is limited to availability (kernel panic/denial of service); no public exploit has been identified at time of analysis, and EPSS at 0.02% reflects very low widespread exploitation probability.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Qualcomm
-
CVE-2026-43411
MEDIUM
CVSS 5.5
Divide-by-zero in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem allows a local low-privileged user to trigger a kernel oops/panic via a crafted setsockopt call. An attacker with local access sets conn_timeout to a value in the range [0, 3] on a TIPC socket, then initiates a connection that receives TIPC_ERR_OVERLOAD, causing integer division by zero in tipc_sk_filter_connect() and crashing the kernel. No public exploit has been identified at time of analysis and EPSS is 0.02%, but the low-complexity, low-privilege local trigger makes this a practical local denial-of-service in shared or container environments.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43410
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel's stratix10-rsu firmware driver triggers a kernel panic (denial of service) on Intel/Altera SoCFPGA Stratix 10 systems running kernel 6.19.x when RSU is disabled in the First Stage Boot Loader. A local authenticated user can cause a full system crash by triggering the svc_normal_to_secure_thread kernel thread, which dereferences an already-freed service channel pointer. No public exploit identified at time of analysis; EPSS score of 0.02% at the 5th percentile reflects the narrow hardware-specific exposure.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43409
MEDIUM
CVSS 5.5
Kernel crash (page fault) in the Linux kernel's kprobes subsystem allows a local authenticated user to trigger a system denial-of-service by removing a module containing kprobe probes after ftrace has been killed due to prior errors. The affected code path in kprobes_module_callback does not check the kprobe_ftrace_disabled flag set by ftrace_kill(), causing invalid memory access traceable via KASAN at address fffffbfff805000d. No active exploitation has been confirmed; EPSS is 0.02% (5th percentile), reflecting the niche preconditions required.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43404
MEDIUM
CVSS 5.5
Livelock and CPU starvation in the Linux kernel memory management subsystem allows a local authenticated user to hang the system by triggering an unbounded spin loop in hmm_range_fault(). The root cause is in do_swap_page(), where failure to acquire folio_trylock() on a device-private folio causes the kernel to spin indefinitely while a competing process holding the lock is blocked waiting for work items on the same CPU - work items that are starved by the spinner. This vulnerability requires a highly specific combination of HMM device-private memory migration conditions and is confirmed reproduced by the Intel GPU test suite. No public exploit exists and no active exploitation is identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43401
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel's intel_pstate cpufreq driver crashes systems booted with the 'nosmt' parameter when CPU QoS requests are processed for SMT sibling threads. On 'nosmt'-booted systems, all_cpu_data[cpu] is NULL for disabled SMT siblings; update_cpu_qos_request() dereferences cpudata->pstate.turbo_freq before validating the policy pointer, producing a kernel panic and local denial of service. EPSS at 0.02% (4th percentile) reflects very low exploitation probability, no public exploit code has been identified, and no CISA KEV listing exists at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43400
MEDIUM
CVSS 5.5
Unbounded allocation in the Linux kernel's amdgpu DRM subsystem allows a local, low-privileged user to crash the system by supplying unchecked huge values to the amdgpu_userq_signal_ioctl interface. The missing upper-bound validation on user inputs enables memory exhaustion that can destabilize or deny service on any Linux system equipped with a supported AMD GPU. No public exploit code exists and no active exploitation has been confirmed (no CISA KEV listing), with an EPSS of 0.02% placing this firmly in the low-priority tier for most environments outside high-assurance or shared multi-user GPU workloads.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43399
MEDIUM
CVSS 5.5
Reference leak in the Linux kernel's amdgpu userqueue subsystem allows a local low-privileged user to exhaust kernel resources by repeatedly triggering an early-abort code path in amdgpu_userq_wait_ioctl. When the ioctl aborts because the caller-supplied output array is too small, the kernel omits required reference drops on syncobj and timeline fence objects, preventing those objects from ever being freed. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (4th percentile), signaling negligible real-world exploitation activity.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43398
MEDIUM
CVSS 5.5
Unbounded allocation in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to crash or destabilize a system by supplying oversized input values to the amdgpu_userq_wait_ioctl interface. Systems running affected kernel versions with AMD GPU hardware are vulnerable to availability loss. No public exploit code has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; this is not confirmed actively exploited (not in CISA KEV).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43397
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel's samsung-dsim DRM bridge driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering error paths in samsung_dsim_host_attach() where drm_bridge_remove() is never called after a failed samsung_dsim_register_te_irq() or host attach operation. Affected systems must be running Samsung MIPI DSI display hardware with the samsung-dsim module loaded. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) combined with absence from CISA KEV confirms this is a low-exploitation-likelihood maintenance fix rather than an active threat.
Information Disclosure
Linux
Samsung
Red Hat
Suse
-
CVE-2026-43396
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel's drm/xe (Intel Xe GPU) sync subsystem allows a local low-privileged user to cause a denial of service by exhausting kernel memory. The flaw exists in the drm/xe/sync error-handling path: when dma_fence_chain_alloc() fails, the user fence reference is not properly released (CWE-401), leaving allocated memory permanently inaccessible to the allocator. No active exploitation has been identified (EPSS 0.02%, 4th percentile, not in CISA KEV), and patches have been backported to stable kernel branches including 6.18.20 and 6.19.9.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43395
MEDIUM
CVSS 5.5
Incomplete cleanup in the Linux kernel's DRM/Xe GPU driver allows a local low-privileged user to leak kernel object references (syncobj, fence, chain fence, or user fence) by triggering error paths in xe_sync_entry_parse(), resulting in kernel memory exhaustion and local denial of service. Affected kernels include those shipping the Intel Xe GPU driver from the introducing commit (dd08ebf6c352) up to the fix commits landed in stable series 6.12, 6.18, 6.19, and 7.0. No public exploit code exists and no active exploitation has been reported; EPSS probability sits at 0.02% (5th percentile), reflecting extremely low real-world exploitation interest.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43375
MEDIUM
CVSS 5.5
Linux kernel MCTP USB driver leaks USB device references when probe fails, allowing local authenticated attackers to trigger denial of service through resource exhaustion. The flaw affects kernels from 6.15 up to the fixed releases, and is patched in 6.18.19, 6.19.9, and 7.0. The EPSS score of 0.02% indicates minimal active exploitation risk, and no public exploit code has been identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43372
MEDIUM
CVSS 5.5
Resource leak in the Linux kernel's Microchip DSA PTP driver allows local authenticated users with low privileges to cause a denial of service (high availability impact). The ksz_ptp_irq_setup() function fails to dispose of a newly created IRQ mapping when request_threaded_irq() fails during PTP message IRQ setup, so repeated failures exhaust the resource. Vendor patches are available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). The EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, and no public exploit has been identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
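The goto-unwind idiom that this entry, and the nfnetlink_queue, samsung-dsim and drm/xe leak entries above, are all missing, as an added example (not driver code): an IRQ-setup sequence shaped like the PTP one (create mapping, request handler, enable), once with early returns that abandon what earlier steps acquired and once with one unwind label per resource. `create_mapping_demo()`, `request_irq_demo()`, `dispose_mapping_demo()` and the live-resource counters are constructed stand-ins for irq_create_mapping(), request_threaded_irq() and irq_dispose_mapping(); the third "enable" step is added so a later failure shows the multi-label unwind.

```c
/* Added example, not driver code: the goto-unwind idiom applied to an
 * IRQ-setup sequence (create mapping, request handler, enable).  Resources
 * are counted so the leak is observable; create_mapping_demo() and friends
 * are constructed stand-ins for irq_create_mapping(),
 * request_threaded_irq() and irq_dispose_mapping(). */
#include <errno.h>
#include <stdio.h>

/* Live-resource counters the demo asserts on. */
static int live_mappings;
static int live_handlers;
static int next_irq = 100;

static int create_mapping_demo(void)      { live_mappings++; return next_irq++; }
static void dispose_mapping_demo(int irq) { (void)irq; live_mappings--; }
static int request_irq_demo(int irq, int fail)
{
    (void)irq;
    if (fail)
        return -EBUSY;
    live_handlers++;
    return 0;
}
static void free_irq_demo(int irq) { (void)irq; live_handlers--; }
static int enable_demo(int fail)   { return fail ? -EIO : 0; }

/* Which step should fail, so each error path can be exercised. */
enum fail_step { FAIL_NONE, FAIL_REQUEST, FAIL_ENABLE };

/* Buggy: every early return leaves behind what earlier steps acquired. */
static int irq_setup_buggy(enum fail_step fail, int *irq_out)
{
    int irq = create_mapping_demo();
    int ret;

    if (irq <= 0)
        return -EINVAL;
    ret = request_irq_demo(irq, fail == FAIL_REQUEST);
    if (ret)
        return ret;                      /* mapping leaked */
    ret = enable_demo(fail == FAIL_ENABLE);
    if (ret)
        return ret;                      /* handler and mapping leaked */
    *irq_out = irq;
    return 0;
}

/* Fixed: one label per acquired resource, in reverse order of acquisition;
 * a failure at step N jumps to the label that releases steps N-1..1. */
static int irq_setup_fixed(enum fail_step fail, int *irq_out)
{
    int irq = create_mapping_demo();
    int ret;

    if (irq <= 0)
        return -EINVAL;
    ret = request_irq_demo(irq, fail == FAIL_REQUEST);
    if (ret)
        goto err_dispose;
    ret = enable_demo(fail == FAIL_ENABLE);
    if (ret)
        goto err_free_irq;
    *irq_out = irq;
    return 0;

err_free_irq:
    free_irq_demo(irq);
err_dispose:
    dispose_mapping_demo(irq);
    return ret;
}

/* Matching teardown for a successful setup, in reverse order. */
static void irq_teardown(int irq)
{
    free_irq_demo(irq);
    dispose_mapping_demo(irq);
}

/* Run setup `iterations` times with the given failing step, tearing down
 * after each success; return live mappings + handlers afterwards. */
static int leaked_resources(int (*setup)(enum fail_step, int *),
                            enum fail_step fail, int iterations)
{
    live_mappings = live_handlers = 0;
    for (int n = 0; n < iterations; n++) {
        int irq = 0;

        if (setup(fail, &irq) == 0)
            irq_teardown(irq);
    }
    return live_mappings + live_handlers;
}

int main(void)
{
    printf("buggy, request fails x5: %d leaked\n", leaked_resources(irq_setup_buggy, FAIL_REQUEST, 5));
    printf("buggy, enable fails x5:  %d leaked\n", leaked_resources(irq_setup_buggy, FAIL_ENABLE, 5));
    printf("fixed, enable fails x5:  %d leaked\n", leaked_resources(irq_setup_fixed, FAIL_ENABLE, 5));
    return 0;
}
```

When reviewing a probe or setup routine, the check is mechanical: for every resource acquired before a failure point, there must be a release on that failure's path, and the release order must be the reverse of acquisition, which is what the label chain enforces.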
-
CVE-2026-43371
MEDIUM
CVSS 5.5
Memory leak and denial-of-service in the Linux kernel macb network driver (used in AMD ZynqMP platforms) allows local authenticated users to cause prolonged network disruption and system resource exhaustion. The flaw manifests during suspend/resume cycles when the transmit ring pointer resets incorrectly, silently dropping queued packets without releasing their memory, and causing the driver to become stuck waiting for already-transmitted packets. Real-world impact observed in NFS rootfs recovery delays. EPSS score of 0.02% (7th percentile) indicates low exploitation likelihood. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9).
Information Disclosure
Linux
Red Hat
Amd
Suse
-
CVE-2026-43369
MEDIUM
CVSS 5.5
A NULL pointer dereference in Linux kernel AMD GPU driver cleanup code causes local denial of service when GPU initialization fails on systems with unsupported AMD hardware blocks. Local authenticated users with low privileges can trigger kernel crashes during device teardown sequences. The vulnerability affects multiple stable kernel versions (6.18.16-6.18.19, 6.19.6-6.19.9) with patches available from upstream. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no active exploitation or public exploits are confirmed. Real-world impact is limited to systems with specific AMD GPU hardware experiencing initialization failures, making this primarily a reliability issue rather than a direct security threat.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Amd
-
CVE-2026-43367
MEDIUM
CVSS 5.5
Null pointer dereference in Linux kernel's AMD DRM driver causes system crash during device cleanup on unsupported hardware. The flaw (CWE-476) affects multiple 6.18.x and 6.19.x kernel versions, allowing local authenticated users to trigger denial of service through AMD GPU driver initialization or cleanup operations. Patches available via kernel stable tree commits with EPSS score of 0.02% indicating minimal exploitation likelihood. No active exploitation or public POC identified at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Amd
-
CVE-2026-43364
MEDIUM
CVSS 5.5
NULL pointer dereference in Linux kernel's ublk driver allows local authenticated users to crash the system by sending UBLK_CMD_UPDATE_SIZE to a device before it starts or after it stops. The vulnerability exists in ublk_ctrl_set_size() which unconditionally dereferences ub->ub_disk without validating the device state, triggering a kernel panic and causing a denial of service. Patches are available from the Linux kernel maintainers for versions 6.18.20, 6.19.9, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, consistent with the local-only attack vector and absence from CISA KEV.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43363
MEDIUM
CVSS 5.5
The Linux kernel hangs on resume from s2ram when firmware re-enables x2apic mode that the kernel disabled during boot. This affects x86 systems with APIC hardware where the kernel disabled x2apic (for example because IRQ remapping is unavailable) but ACPI-compliant firmware restores x2apic to its initial boot state, as the specification allows. The kernel then keeps using the xAPIC interface while the hardware is operating in x2apic mode, freezing the system (denial of service). CVSS 5.5 (local, low-complexity, authenticated attack with high availability impact); EPSS 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0 mainline). No KEV listing or public exploit identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43361
MEDIUM
CVSS 5.5
Filesystem denial-of-service in the Linux kernel's btrfs subsystem allows a local low-privileged user to force a mounted btrfs filesystem into read-only mode by repeatedly snapshotting a received subvolume until the BTRFS_UUID_KEY_RECEIVED_SUBVOL B-tree leaf overflows its maximum item size, triggering a transaction abort in create_pending_snapshot(). Critically, the operations involved - snapshot, send, receive, and set_received_subvol - require only inode_owner_or_capable() rather than CAP_SYS_ADMIN, meaning unprivileged users owning subvolumes can mount this attack. No public exploit identified at time of analysis beyond the detailed reproducer script embedded in the advisory itself; EPSS at 0.02% (7th percentile) reflects low widespread automated exploitation probability, though multi-tenant environments face elevated practical risk.
Buffer Overflow
Linux
-
CVE-2026-43360
MEDIUM
CVSS 5.5
Btrfs filesystem transaction abort in the Linux kernel allows a local low-privileged user to force any btrfs-mounted volume into read-only mode by deliberately creating files whose names produce identical crc32c hash values. When enough hash-colliding filenames are created in a single directory, the dir item leaf node fills beyond its size limit, triggering a kernel transaction abort that renders the entire btrfs volume inaccessible for all users. A detailed reproducer script including a curated list of crc32c-colliding filenames is embedded directly in the CVE description, making exploitation trivially repeatable; however, the EPSS score of 0.02% (7th percentile) and absence from CISA KEV indicate no confirmed widespread exploitation at time of analysis.
Information Disclosure
Linux
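Added worked example (my own code, not from the CVE, its reproducer, or the kernel): a table-driven CRC-32C plus a collision counter you can run over a directory listing to see whether any name set in it is already hash-clustered. It reuses two facts a defender should know from this entry: btrfs keys directory items by a crc32c of the name, and CRC is affine in its seed, so two equal-length names collide under every seed or under none (the attacker's list works regardless of the seed, and a checker does not need the exact seed for same-length names). The seed (u32)~1 used for btrfs_name_hash() below is my recollection of the kernel source and is marked as an assumption; the sample names are constructed and are not the CVE's colliding list.

```c
/* Added example: CRC-32C and a btrfs-style name-hash collision counter.
 * Not kernel code; the btrfs seed below is an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t crc32c_table[256];
static int crc32c_ready;

/* Reflected table for the Castagnoli polynomial (0x1EDC6F41 reversed). */
static void crc32c_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0x82F63B78u : c >> 1;
        crc32c_table[i] = c;
    }
    crc32c_ready = 1;
}

/* Raw register update starting from `seed`, no final inversion: the
 * shape of the kernel's crc32c(seed, data, len). */
static uint32_t crc32c_raw(uint32_t seed, const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t c = seed;
    if (!crc32c_ready)
        crc32c_init();
    while (len--)
        c = crc32c_table[(c ^ *p++) & 0xff] ^ (c >> 8);
    return c;
}

/* Conventional CRC-32C (iSCSI parameters): seed ~0, invert at the end.
 * Check value: crc32c("123456789") == 0xE3069283. */
static uint32_t crc32c(const void *data, size_t len)
{
    return crc32c_raw(0xFFFFFFFFu, data, len) ^ 0xFFFFFFFFu;
}

/* Directory-item key hash. ASSUMPTION: btrfs_name_hash() is
 * crc32c((u32)~1, name, len) taken as the raw register. */
static uint32_t btrfs_name_hash(const char *name)
{
    return crc32c_raw(0xFFFFFFFEu, name, strlen(name));
}

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Size of the largest set of names sharing one hash. 1 means no
 * collision; a bucket of dozens is the shape the reproducer needs. */
static size_t max_hash_bucket(const char *const *names, size_t n)
{
    size_t best, run;
    uint32_t *h;
    if (n == 0)
        return 0;
    h = malloc(n * sizeof *h);
    if (!h)
        return 0;
    for (size_t i = 0; i < n; i++)
        h[i] = btrfs_name_hash(names[i]);
    qsort(h, n, sizeof *h, cmp_u32);
    best = run = 1;
    for (size_t i = 1; i < n; i++) {
        run = (h[i] == h[i - 1]) ? run + 1 : 1;
        if (run > best)
            best = run;
    }
    free(h);
    return best;
}

/* CRC is affine in the seed and the seed's contribution depends only on
 * the length, so the XOR of two equal-length hashes is seed-independent:
 * equal-length names collide under every seed or under none. Returns 1
 * when that holds for two constructed names under two different seeds. */
static int seed_independent_for_equal_lengths(void)
{
    const char *a = "report-2026.log", *b = "backup-2026.log";
    size_t n = strlen(a);
    uint32_t d1 = crc32c_raw(0xFFFFFFFEu, a, n) ^ crc32c_raw(0xFFFFFFFEu, b, n);
    uint32_t d2 = crc32c_raw(0u, a, n) ^ crc32c_raw(0u, b, n);
    return d1 == d2;
}

/* Constructed sample listing, not the CVE's colliding names. */
static const char *const sample_dir[] = { "notes.txt", "notes.txt.bak", "a", "b", "c" };

static size_t sample_max_bucket(void)
{
    return max_hash_bucket(sample_dir, sizeof sample_dir / sizeof sample_dir[0]);
}

int main(void)
{
    printf("crc32c(\"123456789\") = 0x%08X\n", crc32c("123456789", 9));
    printf("largest hash bucket in sample listing: %zu\n", sample_max_bucket());
    return 0;
}
```

To use it on a real directory, feed max_hash_bucket() the names from readdir(); a legitimate listing returns 1 almost always, so any bucket beyond a handful in one directory is a strong signal of the pattern this entry describes.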
-
CVE-2026-43359
MEDIUM
CVSS 5.5
Denial of service via transaction abort in the Linux kernel btrfs subsystem when a non-privileged subvolume owner repeatedly calls the set_received_subvol ioctl with identical UUID values, causing the filesystem to transition to read-only mode. The vulnerability exploits insufficient pre-flight validation that allows metadata updates to begin before an item overflow condition is detected; it requires only local access and subvolume ownership rather than root privileges. EPSS score of 0.02% indicates low exploitation probability despite the CVSS 5.5 rating, suggesting practical exploitation barriers even with the low privilege requirement.
Buffer Overflow
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-43358
MEDIUM
CVSS 5.5
RCU locking imbalance in Linux kernel btrfs filesystem code causes local denial of service. The try_release_subpage_extent_buffer() function in btrfs can exit an error path without properly releasing an RCU read lock, creating a locking inconsistency that leads to system instability. Affects Linux kernel versions 6.17 through pre-7.0, with patches available in stable branches 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity. The flaw was detected through static analysis using Clang's thread-safety analyzer rather than field exploitation, suggesting lower immediate real-world risk despite the high availability impact in its CVSS rating.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43357
MEDIUM
CVSS 5.5
Local denial of service in the Linux kernel's MPU3050 gyroscope driver allows authenticated users with low privileges to crash the system by triggering a runtime power-management failure. The mpu3050-core driver fails to handle pm_runtime_get_sync() failures correctly: that call increments the device's usage count even when the resume fails, so an error path that returns without dropping the reference leaves the count permanently elevated, and proceeding regardless lets the driver touch hardware that never resumed, leading to kernel instability. EPSS score of 0.02% indicates minimal active exploitation likelihood, and patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43356
MEDIUM
CVSS 5.5
A NULL pointer dereference in the Linux kernel's adis_init() function causes kernel crashes when initializing ADIS IMU drivers (adis16480, adis16490, adis16545). The function attempts to dereference adis->ops without first verifying it is non-NULL, triggering denial of service on affected systems during device probe. Exploitation requires local access with low privileges (CVSS AV:L/AC:L/PR:L). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available across multiple stable kernel versions (6.19.9, 6.18.19, 7.0).
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43355
MEDIUM
CVSS 5.5
Local attackers with low-level privileges can trigger a denial of service in Linux kernel versions 4.7 through 7.0 by exploiting a power management reference leak in the bh1780 ambient light sensor driver. The vulnerability causes system resource exhaustion through improper PM runtime reference counting in the IIO subsystem's error handling path. Vendor patches are available across multiple stable kernel branches (5.10.253, 6.1.167, 6.6.130, 6.18.19, 6.19.9, 7.0), with EPSS probability of 0.02% indicating low observed exploitation likelihood and no active exploitation confirmed.
Information Disclosure
Linux
Red Hat
Suse
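Added worked example (my own userspace mock, not kernel code and not the patched drivers): the runtime-PM usage-count rules behind this entry and the MPU3050 entry above. pm_runtime_get_sync() takes a reference before it tries to resume and keeps it when the resume fails, so an error path that just returns leaks the reference, while ignoring the return value pokes hardware that never resumed; pm_runtime_resume_and_get() drops the reference for you on failure. The same mock covers the mirror-image bug in the wave5 entry further down (CVE-2026-43301): a put without a matching get while the device is already autosuspended, which the kernel reports as a usage-count underflow. All mock_ names, the struct fields, and the status-guarded remove path are mine; the page does not say how the upstream patches are written.

```c
/* Added example: userspace mock of runtime-PM usage counting. Not kernel
 * code; function and field names are invented for the mock. */
#include <stdbool.h>
#include <stdio.h>

#define EIO    5
#define EINVAL 22

struct mock_dev {
    int  usage_count;      /* models dev->power.usage_count */
    bool suspended;        /* models the runtime-PM status */
    bool resume_fails;     /* knob: make the resume fail, as a flaky bus would */
    int  unsafe_accesses;  /* hardware touched while still suspended */
    int  underflows;       /* put_sync() called with the count already 0 */
};

/* pm_runtime_get_sync(): the count is bumped BEFORE the resume attempt
 * and stays bumped when the resume fails (documented kernel behaviour). */
static int mock_pm_runtime_get_sync(struct mock_dev *d)
{
    d->usage_count++;
    if (d->suspended) {
        if (d->resume_fails)
            return -EIO;
        d->suspended = false;
    }
    return 0;
}

static void mock_pm_runtime_put_noidle(struct mock_dev *d)
{
    d->usage_count--;
}

/* pm_runtime_resume_and_get(): get_sync plus the put_noidle on failure. */
static int mock_pm_runtime_resume_and_get(struct mock_dev *d)
{
    int ret = mock_pm_runtime_get_sync(d);
    if (ret < 0)
        mock_pm_runtime_put_noidle(d);
    return ret;
}

/* pm_runtime_put_sync(): drop the count, suspend at zero, and refuse to
 * go negative (the kernel warns about an underflow and keeps the count). */
static int mock_pm_runtime_put_sync(struct mock_dev *d)
{
    if (d->usage_count == 0) {
        d->underflows++;
        return -EINVAL;
    }
    if (--d->usage_count == 0)
        d->suspended = true;
    return 0;
}

static void touch_hw(struct mock_dev *d)
{
    if (d->suspended)
        d->unsafe_accesses++;
}

/* Bug 1: the return value is ignored, so a device that never resumed
 * gets poked. The count itself stays balanced. */
static int unchecked_read(struct mock_dev *d)
{
    mock_pm_runtime_get_sync(d);
    touch_hw(d);
    return mock_pm_runtime_put_sync(d);
}

/* Bug 2: the return value is checked, but the error path bails out with
 * the reference still held, so the count is one too high forever. */
static int leaky_read(struct mock_dev *d)
{
    int ret = mock_pm_runtime_get_sync(d);
    if (ret < 0)
        return ret;
    touch_hw(d);
    return mock_pm_runtime_put_sync(d);
}

/* Fixed: resume_and_get() releases the reference when the resume fails. */
static int fixed_read(struct mock_dev *d)
{
    int ret = mock_pm_runtime_resume_and_get(d);
    if (ret < 0)
        return ret;
    touch_hw(d);
    return mock_pm_runtime_put_sync(d);
}

enum { READ_UNCHECKED, READ_LEAKY, READ_FIXED };

/* Device state after one read whose resume failed. Correct result:
 * usage_count 0 and unsafe_accesses 0. */
static struct mock_dev run_read(int variant)
{
    struct mock_dev d = { .suspended = true, .resume_fails = true };
    if (variant == READ_UNCHECKED)
        unchecked_read(&d);
    else if (variant == READ_LEAKY)
        leaky_read(&d);
    else
        fixed_read(&d);
    return d;
}

/* Remove path while autosuspend already dropped the count to zero. The
 * guarded variant only puts what it still holds; 0 underflows is correct. */
static int underflows_on_remove(bool guard_with_status)
{
    struct mock_dev d = { .suspended = true };
    if (!guard_with_status || !d.suspended)
        mock_pm_runtime_put_sync(&d);
    return d.underflows;
}

int main(void)
{
    printf("leaky read leaves usage_count=%d\n", run_read(READ_LEAKY).usage_count);
    printf("unguarded remove underflows=%d\n", underflows_on_remove(false));
    return 0;
}
```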
-
CVE-2026-43354
MEDIUM
CVSS 5.5
Local denial of service in the Linux kernel's HX9023S proximity sensor driver (iio subsystem) allows authenticated users with low privileges to crash the system via division by zero when setting sampling frequency with an unspecified value. Patch available from kernel.org stable trees for versions 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity. No public exploit code or active exploitation (not in CISA KEV) confirmed at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43351
MEDIUM
CVSS 5.5
Denial of service in Linux kernel KVM/arm64 vGIC subsystem allows local authenticated users with low privileges to crash the hypervisor via use-after-free during virtual interrupt controller teardown. CVSS rates this 5.5 (medium severity, local vector), but EPSS exploitation probability is very low at 0.02% (4th percentile). Patches available across multiple stable kernel versions (6.18.19, 6.19.9, 7.0). No active exploitation confirmed per CISA KEV, and the local-only attack vector with specific KVM/ARM64 deployment requirements limits real-world impact to environments running ARM64 virtualization workloads.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43349
MEDIUM
CVSS 5.5
Use of uninitialized memory in Linux kernel f2fs filesystem node footer validation causes local denial of service. Linux kernel versions 7.0 through 7.1-rc1 with f2fs support allow local authenticated users to trigger a kernel crash by mounting a maliciously crafted f2fs filesystem image. The vulnerability occurs when f2fs_sanity_check_node_footer() accesses uninitialized folio data after a failed disk read operation during filesystem mount, as reported by syzbot. EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available for stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43348
MEDIUM
CVSS 5.5
The Linux kernel mshv_vtl driver permits local denial-of-service via memory registration failure when VTL0 memory ranges are sufficiently aligned (35+ trailing zeros in physical address). An unclamped vmemmap_shift calculation can exceed MAX_FOLIO_ORDER, causing memremap_pages() to reject the operation and potentially destabilize virtualization infrastructure. CVSS 5.5 indicates local authenticated exploitation with low complexity. EPSS 0.02% suggests minimal real-world targeting. Vendor patches available for kernel 7.0.2 and 7.1-rc1 address both the shift clamping and error propagation issues.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43346
MEDIUM
CVSS 5.5
Local denial of service in the Linux kernel's PTP (Precision Time Protocol) support for Intel Ethernet (ice) allows authenticated users with low privileges to crash the system when PF passthrough is configured without the controlling PF. The crash occurs when ice_ptp_setup_pf() attempts to access an uninitialized PTP controlling PF in VFIO passthrough configurations (the advisory classifies the flaw as CWE-617). Affects Linux kernel 6.13 through 7.0-rc7. EPSS probability is very low (0.02%, 4th percentile) and no active exploitation has been reported. Patches are available in stable branches 6.18.24, 6.19.14, and mainline 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43344
MEDIUM
CVSS 5.5
Die ID initialization and lookup bugs in the Linux kernel's Intel uncore performance monitoring subsystem (perf/x86/intel/uncore) can cause a reachable assertion trigger or silent loss of PMON unit visibility on Intel Sapphire Rapids (SPR) and Emerald Rapids (EMR) server hardware. Authenticated local users on affected systems may crash the kernel via the WARN_ON_ONCE reachable assertion (CWE-617) or, when NUMA is disabled on a NUMA-capable platform, cause all uncore PMON units to be silently dropped from the RB tree - rendering hardware performance monitoring inoperative. No public exploit exists and EPSS is 0.02%, indicating no active exploitation pressure at time of analysis.
Information Disclosure
Linux
Red Hat
Intel
Suse
-
CVE-2026-43343
MEDIUM
CVSS 5.5
Unbalanced reference counting in the Linux kernel USB gadget CDC Subset Ethernet driver (f_subset) causes a resource leak that denies availability of USB gadget reconfiguration. A local authenticated user can trigger the condition by allocating and freeing the geth USB gadget function, leaving the reference count permanently elevated due to a missing decrement in geth_free(). The practical impact is a denial-of-service against the configfs interface for USB gadget management - subsequent attempts to unlink and re-configure the USB function fail silently. No public exploit is identified and EPSS exploitation probability is negligible at 0.02% (7th percentile).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43342
MEDIUM
CVSS 4.7
Race condition in the Linux kernel's USB RNDIS gadget function driver (f_rndis) allows a local low-privileged attacker to crash the kernel by concurrently manipulating class/subclass/protocol configfs attributes without mutex protection. Identified during code inspection - not observed in active exploitation - this vulnerability affects multiple stable kernel branches from 4.14 through 7.0-rc3, with patches released across all maintained stable series. With an EPSS of 0.02% (7th percentile), no public exploit, and no CISA KEV listing, real-world risk is low but meaningful on embedded or IoT devices using Linux as a USB RNDIS peripheral.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-43340
MEDIUM
CVSS 5.5
Local denial of service in the Linux kernel COMEDI subsystem allows authenticated users to trigger an inconsistent lock state when reattaching low-level drivers to legacy COMEDI devices. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no public exploit identified at time of analysis. Vendor-released patches available across all stable kernel branches from 5.10.253 through 7.0. Affects systems configured with a non-zero comedi_num_legacy_minors parameter and requires local authenticated access to COMEDI device nodes.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43338
MEDIUM
CVSS 5.5
Transaction abort and denial of service in Linux kernel btrfs qgroup ioctls occurs when quota group operations fail to reserve transaction space for metadata updates and delayed references, resulting in -ENOSPC errors under filesystem pressure. Affected versions include mainline kernel through 6.19.x and stable branches 6.12.x and 6.18.x, with patches available in 6.12.81, 6.18.22, 6.19.12, and 7.0. Local authenticated users can trigger filesystem unavailability through qgroup operations. EPSS exploitation probability is low (0.02%), no active exploitation confirmed, and this represents a stability issue rather than a direct security compromise, though availability impact is high per CVSS 5.5 score.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43337
MEDIUM
CVSS 5.5
NULL pointer dereference in the Linux kernel's AMD display driver (DRM subsystem) allows local authenticated users to crash the system via dcn401_init_hw() function. Affects kernel 6.12 through 7.0-rc6, specifically the DCN 4.01 hardware sequencer in amdgpu driver. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is very low (0.02%, 4th percentile), indicating minimal real-world threat despite moderate CVSS score. Not listed in CISA KEV, and no public exploit code identified at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Amd
-
CVE-2026-43335
MEDIUM
CVSS 5.5
Null pointer dereference in Linux kernel's Qualcomm SM8450 interconnect driver causes local denial of service during device probe. The vulnerability affects Linux kernel 6.19.x through 7.0-rc6 on Qualcomm SM8450 platforms when the interconnect driver initializes. Upstream patches are available (commits 77d22bf3fc5d and dbbd550d7c8d). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation or public POC has been identified. Real-world risk is limited to local authenticated users on affected Qualcomm SoC platforms during driver initialization.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43333
MEDIUM
CVSS 5.5
Kernel NULL pointer dereference in Linux kernel's BPF verifier allows local authenticated users to trigger a denial of service. The vulnerability stems from improper handling of nullable PTR_TO_BUF pointers in check_mem_access(), where map iterator callbacks can dereference NULL ctx->key or ctx->value pointers without validation, causing a kernel crash. Affects Linux kernel versions 5.17 through 7.0-rc4, with patches available across stable branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no evidence of public exploit code or active exploitation exists. Local access with low privileges required makes this a targeted risk rather than widespread threat.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43331
MEDIUM
CVSS 5.5
Kernel crash loop in x86_64 Linux when kexec is executed on a kernel built with both CONFIG_KCOV and CONFIG_KEXEC enabled. The load_segments() function invalidates the GS base register that KCOV relies on for per-cpu data access; any subsequently instrumented C function call (e.g. native_gdt_invalidate()) triggers an endless crash loop resulting in a kernel panic and complete system unavailability. No public exploit exists and EPSS is 0.02% (4th percentile), consistent with the highly constrained triggering environment - this primarily affects kernel developers and syzkaller-based fuzzing infrastructure rather than general-purpose production systems.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43327
MEDIUM
CVSS 5.5
Race condition in Linux kernel's dummy-hcd USB gadget driver causes kernel crash and denial of service when USB reset occurs simultaneously with driver unbind. Syzbot testing triggered NULL pointer dereference in usb_gadget_udc_reset() due to improper spinlock handling in stop_activity() that allowed dum->driver to be cleared prematurely. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) suggests very low observed exploitation probability. Not listed in CISA KEV, indicating no confirmed active exploitation.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43326
MEDIUM
CVSS 5.5
A deadlock vulnerability in the Linux kernel's sched_ext (extensible scheduler) subsystem allows local authenticated users to trigger a denial of service by creating cyclic wait dependencies between CPUs. The flaw exists in the SCX_KICK_WAIT mechanism where busy-waiting in hardirq context prevents rescheduling and kick_sync advancement, causing multi-CPU deadlocks when wait cycles form. Patch available from mainline kernel (commit c3a7903f65cf for mainline, 415cb193bb97 for stable 6.12+). EPSS score of 0.02% suggests minimal real-world exploitation activity. No public exploit code or active exploitation confirmed at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43325
MEDIUM
CVSS 5.5
A firmware crash in the Linux kernel's iwlwifi driver (versions 6.9 through 7.0-rc7) occurs when the AX201 Wi-Fi adapter is incorrectly sent a 6 GHz-related command (MCC_ALLOWED_AP_TYPE_CMD) despite lacking Wi-Fi 6E support. This is a local denial of service (CVSS 5.5, AV:L) requiring low privileges. Vendor patches are available across stable branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation risk, with no active exploitation or public POC identified. Prioritize on systems using Intel AX201 adapters where local users could trigger system instability.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43323
MEDIUM
CVSS 5.5
Local denial of service in Linux kernel scheduler (6.12.78-6.19.12) allows low-privileged users to trigger system-wide instability via stress-ng-yield workloads. The flaw stems from incomplete vruntime tracking in commit b3d99f43c72b, where yield()-heavy tasks can leapfrog past tick updates and cause overflow conditions. EPSS exploitation probability is negligible (0.02%, 5th percentile), and vendor patches are available across all affected stable branches. No active exploitation or public POC identified at time of analysis.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-43320
MEDIUM
CVSS 5.5
A null pointer dereference in the AMD Display Core driver's DSC (Display Stream Compression) handling for eDP panels causes local system crashes on Linux kernel 6.12 through 7.0-rc5. The vulnerability stems from a missing function-hook validation before use, allowing local authenticated users with low privileges to trigger a denial-of-service condition with high availability impact. Patches available across kernel 6.12.75, 6.18.16, 6.19.6, and 7.0 stable branches. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity, and no KEV listing or public POC identified at time of analysis.
Information Disclosure
Linux
Red Hat
Amd
Suse
-
CVE-2026-43319
MEDIUM
CVSS 5.5
Local denial-of-service deadlock in Linux kernel spidev driver allows authenticated users with low privileges to freeze the SPI subsystem via concurrent write() and ioctl() calls. The AB-BA lock inversion between spi_lock and buf_lock is reproducible with simple multithreaded userspace programs accessing the same spidev file descriptor. Patch available across stable kernel branches (6.12.75, 6.18.16, 6.19.6, 7.0) with extremely low EPSS score (0.02%, 5th percentile) indicating minimal real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
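Added worked example (my own userspace C, not the kernel's lockdep and not the spidev patch): a minimal lock-order validator that flags the AB-BA pattern this entry describes. Like lockdep, it records "b was taken while a was held" edges and reports an acquisition that would close a cycle, so it catches the inversion from a single replay of the two code paths without needing the two threads to actually race. The replay of write() (spi_lock then buf_lock) and ioctl() (buf_lock then spi_lock) follows the entry; taking the locks in the same order in both paths is shown as one fix, since the page does not say what the upstream patch did. Lock and function names are mine.

```c
/* Added example: a tiny lock-order validator (userspace, not lockdep). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8
#define MAX_HELD  8

struct lock_order {
    bool before[MAX_LOCKS][MAX_LOCKS];  /* before[a][b]: b taken while a held */
};

struct task_ctx {
    int held[MAX_HELD];   /* locks this task holds, outermost first */
    int depth;
};

/* Is there a recorded path from -> ... -> to in the order graph? */
static bool reaches(const struct lock_order *lo, int from, int to, bool *seen)
{
    if (from == to)
        return true;
    seen[from] = true;
    for (int n = 0; n < MAX_LOCKS; n++)
        if (lo->before[from][n] && !seen[n] && reaches(lo, n, to, seen))
            return true;
    return false;
}

/* Record that `lock` is taken with the task's current locks held. Returns
 * true if some held lock was previously taken after `lock` elsewhere, i.e.
 * the new edge closes a cycle: a lock inversion. */
static bool order_acquire(struct lock_order *lo, struct task_ctx *t, int lock)
{
    bool inversion = false;
    for (int i = 0; i < t->depth; i++) {
        bool seen[MAX_LOCKS] = { 0 };
        if (reaches(lo, lock, t->held[i], seen))
            inversion = true;
        lo->before[t->held[i]][lock] = true;
    }
    t->held[t->depth++] = lock;
    return inversion;
}

static void order_release(struct task_ctx *t, int lock)
{
    for (int i = 0; i < t->depth; i++) {
        if (t->held[i] == lock) {
            memmove(&t->held[i], &t->held[i + 1],
                    (size_t)(t->depth - i - 1) * sizeof t->held[0]);
            t->depth--;
            return;
        }
    }
}

enum { SPI_LOCK, BUF_LOCK, THIRD_LOCK };

/* Replay the two spidev paths. write() nests buf_lock inside spi_lock;
 * ioctl() nests spi_lock inside buf_lock (the bug) or uses the same order
 * as write() (one fix). Returns true if an inversion is reported. */
static bool spidev_paths_invert(bool ioctl_fixed)
{
    struct lock_order lo = { 0 };
    struct task_ctx writer = { 0 }, ioctler = { 0 };
    int first  = ioctl_fixed ? SPI_LOCK : BUF_LOCK;
    int second = ioctl_fixed ? BUF_LOCK : SPI_LOCK;
    bool bad = false;

    bad |= order_acquire(&lo, &writer, SPI_LOCK);
    bad |= order_acquire(&lo, &writer, BUF_LOCK);
    order_release(&writer, BUF_LOCK);
    order_release(&writer, SPI_LOCK);

    bad |= order_acquire(&lo, &ioctler, first);
    bad |= order_acquire(&lo, &ioctler, second);
    order_release(&ioctler, second);
    order_release(&ioctler, first);
    return bad;
}

/* The reachability walk also catches longer cycles: A->B, B->C, then C->A. */
static bool three_lock_cycle_detected(void)
{
    struct lock_order lo = { 0 };
    struct task_ctx t = { 0 };
    bool bad = false;
    bad |= order_acquire(&lo, &t, SPI_LOCK);
    bad |= order_acquire(&lo, &t, BUF_LOCK);
    order_release(&t, BUF_LOCK);
    order_release(&t, SPI_LOCK);
    bad |= order_acquire(&lo, &t, BUF_LOCK);
    bad |= order_acquire(&lo, &t, THIRD_LOCK);
    order_release(&t, THIRD_LOCK);
    order_release(&t, BUF_LOCK);
    bad |= order_acquire(&lo, &t, THIRD_LOCK);
    bad |= order_acquire(&lo, &t, SPI_LOCK);
    return bad;
}

int main(void)
{
    printf("buggy spidev order inverts: %d\n", spidev_paths_invert(false));
    printf("fixed spidev order inverts: %d\n", spidev_paths_invert(true));
    return 0;
}
```

The point of checking the order graph rather than waiting for the hang is the same one lockdep makes: the inversion is a property of the code paths, so it is visible on the first run of each path, long before two threads happen to interleave on the same file descriptor.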
-
CVE-2026-43318
MEDIUM
CVSS 5.5
Race condition in Linux kernel AMDGPU driver allows local attackers with low privileges to trigger denial of service through GPU page faults during DMA buffer operations. The vulnerability affects multi-GPU systems where shared buffer objects are accessed across different GPUs, particularly impacting AMD Radeon graphics driver stability. Patch available from upstream kernel maintainers for versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43317
MEDIUM
CVSS 5.5
Resource leak in Linux kernel MOST (Media Oriented Systems Transport) core driver allows local authenticated users to trigger denial of service through repeated interface registration failures. The vulnerability stems from incomplete error handling in the driver's registration path, where resources allocated for MOST interfaces are not properly released when early registration failures occur. While CVSS rates this 5.5 with local access and low attack complexity, the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation likelihood. Vendor patches are available across multiple kernel stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43316
MEDIUM
CVSS 5.5
An out-of-bounds shift in the Linux kernel's solo6x10 media driver causes a local denial of service. Affects Linux kernel versions from the initial commit through 7.0-rc3, with patches available in stable versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. The flaw is an improperly bounds-checked chip_id used as a shift count; shifting by an out-of-range amount is undefined behaviour (flagged by Clang's undefined behaviour sanitizer) and can lead to system instability when triggered by low-privileged local users. EPSS exploitation probability is 0.02% (7th percentile), indicating minimal widespread threat. The vendor patch adds explicit bounds validation and uses an unsigned shift.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43315
MEDIUM
CVSS 5.5
Local users with low privileges can trigger a denial of service in Linux kernel KVM (Kernel-based Virtual Machine) by manipulating nested virtualization state on AMD SVM systems. The vulnerability allows unprivileged users to cause a kernel warning and potential system instability by modifying CPUID after loading CR3 register state in nested SVM configurations. With CVSS 5.5 (AV:L/AC:L/PR:L) and low EPSS (0.02%), this represents a localized availability risk rather than a critical remote threat. Vendor patches are available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).
Authentication Bypass
Linux
Red Hat
Suse
-
CVE-2026-43314
MEDIUM
CVSS 5.5
Local attackers with low privileges can cause indefinite system hangs in Linux kernel device-mapper (dm) subsystem by injecting io-timeout-fail errors, triggering CWE-772 resource leaks where I/O requests are never completed. Affects longstanding kernel code from 5.10.x through mainline 6.19.x; vendor-patched versions available (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43313
MEDIUM
CVSS 5.5
NULL pointer dereference in Linux kernel ACPI processor module allows local authenticated attackers to crash the system. The flaw occurs in acpi_processor_errata_piix4() when device lookup logic overwrites a valid pointer with NULL, triggering a crash when accessed by dev_dbg(). Vendor-released patches are available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile), and no public exploit or active exploitation has been identified. The vulnerability requires local access with low privileges (CVSS AV:L/PR:L), making it a lower priority than network-exposed flaws despite the high availability impact.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43312
MEDIUM
CVSS 5.5
An invalid pointer dereference (classified as a use-after-free) in the OmniVision OV5647 camera sensor driver (media: i2c: ov5647) can trigger a kernel crash. On error paths during probe, ov5647_init_controls() dereferences a subdev pointer obtained via v4l2_get_subdevdata() before that pointer has been initialized. This affects Linux kernel versions from 5.12 through multiple stable branches including 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x prior to patches. Vendor patches available across all affected stable trees. EPSS exploitation probability is very low (0.02%, 7th percentile) with no public exploit identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43311
MEDIUM
CVSS 5.5
Linux kernel's Tegra PMC driver can trigger kernel warnings and potential denial of service during system resume by calling generic_handle_irq() from non-interrupt context. Affects Tegra186 and later platforms running Linux kernel versions prior to 6.19.6 and 7.0. CVSS 5.5 indicates local low-complexity exploitation requiring authenticated access. EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation activity. Vendor patches available via stable kernel tree commits.
Information Disclosure
Linux
Red Hat
Nvidia
Suse
-
CVE-2026-43310
MEDIUM
CVSS 5.5
Hardware-level denial of service in Linux kernel verisilicon media driver on i.MX8MQ platform allows local authenticated users to trigger VPU bus errors and system hangs through simultaneous H.264/HEVC decoding. Affects kernel versions 5.14 through pre-6.19.6 and pre-7.0. Patches available via stable kernel commits 286d629d1064 and e0203ddf9af7. EPSS score of 0.02% indicates minimal observed exploitation, and CVSS 5.5 reflects local scope with low complexity. No public exploit code identified, and not listed in CISA KEV.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43309
MEDIUM
CVSS 5.5
System hang during RAID array teardown affects Linux kernel's dm-raid target when metadata devices are suspended before removal. The vulnerability triggers when stopping dm-raid managed arrays, causing md_stop() to indefinitely block while attempting to flush write-intent bitmaps to already-suspended metadata devices. With EPSS exploitation probability at 0.02% (4th percentile) and vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0, this represents a local denial-of-service risk requiring low privileges but poses minimal risk in most environments due to the specific dm-raid configuration prerequisite.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43308
MEDIUM
CVSS 5.5
Denial of service vulnerability in Linux kernel btrfs filesystem allows local authenticated users to trigger a kernel panic via unexpected delayed reference types. The vulnerability stems from improper error handling in run_one_delayed_ref() that invokes BUG() instead of gracefully returning an error. Patched in Linux 6.19.6 and 7.0 with proper error logging. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit or active exploitation reported, indicating minimal real-world risk despite the high availability impact in the CVSS score.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43306
MEDIUM
CVSS 5.5
Local denial-of-service in Linux kernel BPF crypto subsystem allows authenticated attackers to crash the system via CFI policy violations. The vulnerability stems from a type mismatch in BPF's crypto destructor function when Control Flow Integrity (CONFIG_CFI) is enabled, causing kernel panics during object cleanup operations. Patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low likelihood of mass exploitation. No KEV listing or public exploits identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43305
MEDIUM
CVSS 5.5
Denial of service via system hang in the Linux kernel's AMD display driver occurs when the DMUB hardware-lock evaluation differs between lock acquisition and release in the HWSS fast path, on ASIC variants without FAMS support. Local authenticated attackers can trigger this condition through display operations, causing a hang with high availability impact. Patch available in stable releases 6.19.6 and 7.0; EPSS score of 0.02% indicates low real-world exploitation probability.
Information Disclosure
Linux
Red Hat
Amd
Suse
-
CVE-2026-43302
MEDIUM
CVSS 5.5
Linux kernel DMA API debug warnings in V3D rendering driver cause denial of service when CONFIG_DMA_API_DEBUG is enabled and V3D segment sizes exceed the default 64K maximum. The vulnerability affects systems using V3D graphics rendering (particularly Raspberry Pi 5) with debug DMA API enabled, allowing local authenticated users to trigger kernel warnings and potential system instability by creating V3D buffer objects larger than the device's claimed DMA segment size limit.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43301
MEDIUM
CVSS 5.5
A reference count underflow in the Linux kernel's chips-media wave5 video codec driver causes a runtime PM usage count to decrement below zero during module removal, triggering a kernel warning and potentially causing denial of service when the driver is unloaded. The vulnerability affects unprivileged local users on systems with the wave5 codec driver enabled, and occurs when the device has already been suspended via autosuspend before the remove path executes pm_runtime_put_sync(). EPSS score of 0.02% indicates low exploitation probability despite the denial-of-service capability.
Information Disclosure
Linux
Integer Overflow
Red Hat
Suse
-
CVE-2026-43300
MEDIUM
CVSS 5.5
Null-pointer dereference in the Linux kernel DRM panel driver (jdi_panel_dsi_remove function) allows local authenticated attackers to cause a denial of service by triggering device removal when the jdi structure is NULL. The vulnerability exists because the function checks for NULL but fails to return early, allowing subsequent code to dereference the NULL pointer. CVSS score is 5.5 (local attack vector, low complexity); EPSS indicates low exploitation probability (0.02%, 5th percentile), and no public exploit code or active exploitation has been confirmed.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43299
MEDIUM
CVSS 5.5
Linux kernel btrfs filesystem crashes with kernel BUG when read-repair operations execute after filesystem transitions to read-only state during critical ENOSPC errors. Affects btrfs users experiencing metadata space exhaustion, causing denial of service through kernel panic in the bio repair path. Local attackers with low privileges can trigger this condition in specific filesystem states. EPSS score of 0.02% and no KEV listing indicate low probability of widespread exploitation. Vendor-released patches available in kernel versions 6.19.6 and 7.0.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43298
MEDIUM
CVSS 5.5
Denial of service in Linux kernel drm/amdgpu driver (VCNv2.5) affects virtual function (VF) GPU environments running kernel versions prior to 6.18.16, 6.19.6, and 7.0. During module unload or system deinitialization, VF configurations trigger a kernel warning and potential crash when attempting to release an uninitialized VCN poison interrupt handler. EPSS exploitation probability is very low (0.02%, 4th percentile) with no public exploit or active exploitation (not in CISA KEV). Vendor patches available across multiple stable kernel branches via upstream commits.
Information Disclosure
Linux
Ubuntu
Red Hat
Amd
-
CVE-2026-43297
MEDIUM
CVSS 5.5
Local denial-of-service in Linux kernel's Rockchip RGA media driver allows authenticated users with low privileges to crash the system through NULL pointer dereference. The vulnerability affects kernel versions 6.8+ containing the Rockchip RGA driver, where rga_buf_init() fails to validate ERR_PTR returns from rga_get_frame() before dereferencing frame size. Vendor patches available across stable branches (6.12.75, 6.18.16, 6.19.6). EPSS score 0.02% (5th percentile) indicates minimal real-world exploitation likelihood, consistent with local-only attack vector requiring authenticated access.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43295
MEDIUM
CVSS 5.5
Denial of service in Linux kernel RapidIO subsystem occurs when idtab allocation fails during rio_scan_alloc_net(), causing the function to incorrectly invoke rio_free_net() instead of kfree() on unregistered memory, leaving a dangling pointer in mport->net that can be dereferenced later to trigger a crash. Authenticated local attackers with low privilege can trigger this condition on systems with RapidIO support enabled, resulting in kernel panic and service unavailability. EPSS probability is low (0.02%) despite moderate CVSS, indicating limited real-world exploitability; no public exploit code or active KEV exploitation confirmed.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43294
MEDIUM
CVSS 5.5
Kernel panic occurs in the Renesas RZ/G2L MIPI DSI driver during system reboot when display panels attempt to send DSI commands in their unprepare callback, due to incorrect sequencing of driver shutdown. The vulnerability affects Linux kernel versions from commit 56de5e305d4b onwards on ARM64 systems running RZ/G2L platforms with specific panel types, allowing local users with standard privileges to trigger a denial of service by initiating a reboot.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43293
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix kthread worker destruction in polling mode
Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings
during module removal. Cancel the hrtimer before destroying the kthread
worker to...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43292
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node
When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during
vmalloc cleanup triggers expensive stack unwinding that acquires RCU read
locks. Processing a large...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43289
MEDIUM
CVSS 5.5
Local denial of service in Linux kernel's kexec subsystem allows authenticated attackers to trigger kernel warning and system instability. The kexec_load_purgatory() function incorrectly derives the purgatory entry point when multiple executable sections have overlapping sh_addr values, causing a WARN condition that disrupts kexec operations. With CVSS 5.5 (AV:L/AC:L/PR:L/UI:N) and EPSS at 0.02%, this represents low real-world exploitation risk. Patches available across multiple stable kernel versions including 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43288
MEDIUM
CVSS 5.5
Local denial of service in the Linux kernel's ext4 filesystem causes a kernel panic during mount operations when DOUBLE_CHECK is enabled. Affects multiple stable kernel versions from 6.6.128 through 7.0. The initialization race condition allows local authenticated users to trigger the panic by mounting specially crafted ext4 filesystems with corrupted block bitmaps. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. Vendor patches available across all affected stable branches.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43287
MEDIUM
CVSS 5.5
Local users with low privileges can trigger unbounded kernel memory consumption in the Linux kernel's DRM subsystem via DRM_IOCTL_MODE_CREATEPROPBLOB, bypassing memory cgroup accounting and causing system-wide denial of service. The vulnerability affects all Linux kernel versions from 2.6.12-rc2 (commit 1da177e4) through 6.19.x until patched in 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score is low (0.02%) and no active exploitation is documented; however, the attack requires only local access and low privileges (CVSS AV:L/AC:L/PR:L), making it easily exploitable by unprivileged users on multi-tenant systems.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43286
MEDIUM
CVSS 5.5
Memory accounting errors in Linux kernel hugetlb subsystem cause subpool reservation counters to incorrectly increment on failed global allocations, eventually rendering hugetlb subpools permanently unusable. The vulnerability affects Linux kernels from 6.15 onward where commit a833a693a490 introduced the flaw. When a process requests hugepages that require both subpool and global pool resources, failed global allocations leave the subpool's used_hpages counter elevated despite no actual page consumption, progressively exhausting the subpool's apparent capacity until all future allocations fail. Patches available for kernels 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% and lack of KEV listing indicate low exploitation probability, though local authenticated attackers can trigger the condition to cause denial of service against hugetlb-dependent workloads.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43285
MEDIUM
CVSS 5.5
Denial of service via NMI-unsafe seqcount access in Linux kernel memory slab allocator allows local privileged attackers to trigger kernel deadlock when get_from_any_partial() is called in NMI context. The vulnerability stems from unsafe access to current->mems_allowed_seq (a spinlock-based seqcount) without NMI-safety guarantees, causing lockdep warnings and potential system hang. EPSS exploitation probability is low at 0.02%, and no active exploitation has been confirmed.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-42876
MEDIUM
CVSS 4.9
External Secrets Operator versions 0.1.0 through 2.4.0 allow authenticated users with ExternalSecret creation permissions to escalate privileges by crafting Service Account token templates that cause the operator to generate long-lived tokens for any service account in the namespace. An attacker can impersonate service accounts without requiring direct TokenRequest or Secret creation permissions, effectively bypassing RBAC controls. The attack requires that the attacker already have ExternalSecret creation permissions and that the cluster have service account token generation enabled, limiting the practical scope to already-privileged users seeking lateral privilege expansion within a namespace.
Authentication Bypass
Kubernetes
-
CVE-2026-42456
MEDIUM
CVSS 4.3
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because...
Information Disclosure
-
CVE-2026-42451
MEDIUM
CVSS 6.3
Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser wit...
XSS
-
CVE-2026-42350
MEDIUM
CVSS 5.1
Open redirect vulnerability in Kargo UI OIDC login flow allows unauthenticated remote attackers to redirect users to arbitrary external websites via a malicious redirectTo query parameter. Versions prior to 1.7.10, 1.8.13, 1.9.8, and 1.10.2 are affected. This requires user interaction (clicking a crafted link) but can facilitate phishing attacks by making malicious redirects appear legitimate within the Kargo authentication flow.
Open Redirect
-
CVE-2026-42346
MEDIUM
CVSS 6.5
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4-v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls ...
SSRF
-
CVE-2026-42344
MEDIUM
CVSS 6.3
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU - Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and ...
Information Disclosure
-
CVE-2026-42343
MEDIUM
CVSS 6.3
Denial of service vulnerability in FastGPT 4.14.13 and prior affects the code-sandbox component due to insufficient resource isolation and reliance on weak application-level memory limits. Unauthenticated remote attackers can trigger complete service unavailability by launching time-window memory attacks or exhausting the JavaScript worker pool via concurrent CPU-intensive requests. Attack complexity is reported as low with attack timing considerations (AT:P), and no vendor-released patch is available at time of publication.
Denial Of Service
-
CVE-2026-42307
MEDIUM
CVSS 4.4
Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary s...
Command Injection
-
CVE-2026-42291
MEDIUM
CVSS 6.8
SysReptor is a fully customizable pentest reporting platform. From version 2026.4 to before version 2026.27, the endpoints for reading and creating sharing links for personal notes are not properly authorized. This allows authenticated attackers who obtain the note ID of victim users to list and crea...
Authentication Bypass
-
CVE-2026-42282
MEDIUM
CVSS 4.3
n8n-MCP prior to version 2.47.13 logs sensitive credential material from authenticated MCP tool-call requests when running in HTTP transport mode, allowing disclosure of bearer tokens, OAuth credentials, API keys, and webhook authentication headers to any system with access to server logs. The vulnerability requires valid authentication (AUTH_TOKEN) and affects deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary; no public exploit code has been identified.
RCE
-
CVE-2026-42279
MEDIUM
CVSS 5.8
Cross-organization time-entry modification in solidtime 0.12.0 allows authenticated users with time-entries:update:all permission in their own organization to modify and rebind time entries belonging to different organizations by exploiting insufficient route-parameter validation in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} endpoint. An attacker can supply a known foreign time-entry UUID and reassign it to projects within their own organization, causing unauthorized data manipulation across organizational boundaries. Vendor-released patch: version 0.12.1.
Authentication Bypass
-
CVE-2026-42277
MEDIUM
CVSS 6.5
Onyx versions prior to 3.0.9, 3.1.6, and 3.2.6 expose an authorization bypass in the GET /chat/file/{file_id} endpoint that permits authenticated users to download any other user's files by directly accessing file UUIDs. The endpoint enforces authentication but lacks per-file ownership validation, allowing attackers with valid credentials to exfiltrate confidential documents and chat attachments belonging to other users system-wide. No public exploit code or active exploitation has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-42276
MEDIUM
CVSS 4.3
Onyx versions before 3.0.9, 3.1.6, and 3.2.6 permit authenticated users to terminate any other user's active chat session via the POST /chat/stop-chat-session/{chat_session_id} endpoint without verifying session ownership. An attacker with valid credentials can interrupt another user's LLM generation mid-stream by supplying a known session UUID, causing denial of service to targeted chat sessions. Vendor-released patches are available, and no public exploit code or active exploitation has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-42213
MEDIUM
CVSS 5.1
SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, the inc "filename" directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link (VS Code textDocument/documentLink)...
Information Disclosure
Path Traversal
-
CVE-2026-42209
MEDIUM
CVSS 6.5
FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values...
Denial Of Service
-
CVE-2026-42202
MEDIUM
CVSS 6.5
nova-toggle-5 enables flipping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean ...
Authentication Bypass
-
CVE-2026-42199
MEDIUM
CVSS 6.2
Grid is a data structure grid for rust. From version 0.17.0 to before version 1.0.1, an integer overflow in Grid::expand_rows() can corrupt the relationship between the grid’s logical dimensions and its backing storage. After the internal invariant is broken, the safe API get() may invoke get_unchec...
Buffer Overflow
Integer Overflow
-
CVE-2026-42192
MEDIUM
CVSS 5.4
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboa...
XSS
-
CVE-2026-42190
MEDIUM
CVSS 5.3
Same-site Cross-Site Request Forgery (CSRF) in RedwoodSDK server actions allows attackers controlling same-site origins to invoke arbitrary server actions with the victim's session cookies in versions 1.0.0-beta.50 through 1.2.2. The vulnerability stems from missing origin validation despite HTTP method enforcement, enabling attackers to trigger state-changing operations from a taken-over subdomain, a sibling application with an XSS flaw, or a local development origin. Vendor-released patch version 1.2.3 enforces Origin/Host matching validation. CVSS 5.3 reflects high integrity impact and no confidentiality impact, offset by high attack complexity (AC:H) and required user interaction (UI:R).
CSRF
-
CVE-2026-42185
MEDIUM
CVSS 5.5
Privilege escalation in Suite Numérique People prior to version 1.25.0 allows authenticated domain administrators to remotely promote any existing user to Owner role via a crafted invitation request, without requiring acceptance from the target user. The vulnerability requires valid Administrator credentials on a mail domain but grants immediate full domain ownership, creating a severe lateral privilege escalation risk within multi-tenant deployments.
Privilege Escalation
-
CVE-2026-42181
MEDIUM
CVSS 6.5
Server-side request forgery (SSRF) in Lemmy prior to version 0.19.18 allows authenticated low-privileged users to bypass internal IP range restrictions and access internal image endpoints. An attacker can submit a crafted post whose Open Graph image tag points to an internal server; Lemmy will fetch and cache the image server-side, potentially exposing sensitive internal resources. The vulnerability exists because the initial page URL is validated against internal IP ranges, but the extracted og:image URL is not subject to the same restriction, creating a two-stage bypass.
SSRF
-
CVE-2026-42180
MEDIUM
CVSS 6.3
Server-side request forgery (SSRF) in Lemmy prior to version 0.19.18 allows authenticated low-privileged users to trigger arbitrary HTTP requests to internal services by creating link posts with URLs targeting loopback, private, or link-local addresses. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled URL without validating against internal address ranges, enabling reconnaissance or exploitation of internal services. No public exploit code has been identified at time of analysis, but the vulnerability is straightforward to demonstrate and requires only user-level account access.
SSRF
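The four SSRF entries above share two failures: the address check runs on a resolution that the actual request does not reuse (Postiz CVE-2026-42346, FastGPT CVE-2026-42344), or it does not run at all on some URL the server fetches (the og:image and Webmention targets in Lemmy CVE-2026-42181 and CVE-2026-42180). The added example below, written for this page and not taken from any of those projects, shows the two halves of a fix in POSIX C: classify every resolved address, and connect to the address that was classified rather than letting the HTTP layer resolve the name a second time. The blocked ranges, `connect_pinned()` and its host/port arguments are this example's own choices.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ranges a server-side fetcher must never reach; `a` in host byte order. */
static int ipv4_is_blocked(uint32_t a)
{
	return (a >> 24) == 0		/* 0.0.0.0/8 */
	    || (a >> 24) == 10		/* 10.0.0.0/8 */
	    || (a >> 24) == 127		/* 127.0.0.0/8 loopback */
	    || (a >> 20) == 0xAC1	/* 172.16.0.0/12 */
	    || (a >> 16) == 0xC0A8	/* 192.168.0.0/16 */
	    || (a >> 16) == 0xA9FE	/* 169.254.0.0/16 link-local, cloud metadata */
	    || (a >> 22) == 0x191	/* 100.64.0.0/10 CGNAT */
	    || (a >> 28) >= 0xE;	/* 224.0.0.0/4 multicast, 240.0.0.0/4 reserved */
}

static int sockaddr_is_blocked(const struct sockaddr *sa)
{
	if (sa->sa_family == AF_INET) {
		const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
		return ipv4_is_blocked(ntohl(s4->sin_addr.s_addr));
	}
	if (sa->sa_family == AF_INET6) {
		const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
		if (IN6_IS_ADDR_V4MAPPED(a6)) {	/* ::ffff:a.b.c.d targets IPv4 */
			uint32_t v4;
			memcpy(&v4, &a6->s6_addr[12], 4);
			return ipv4_is_blocked(ntohl(v4));
		}
		return IN6_IS_ADDR_LOOPBACK(a6) || IN6_IS_ADDR_UNSPECIFIED(a6)
		    || IN6_IS_ADDR_LINKLOCAL(a6) || IN6_IS_ADDR_SITELOCAL(a6)
		    || (a6->s6_addr[0] & 0xfe) == 0xfc	/* fc00::/7 unique local */
		    || IN6_IS_ADDR_MULTICAST(a6);
	}
	return 1;	/* unknown family: refuse */
}

/* Text front-end for tests and logs: 1 blocked, 0 allowed, -1 not an IP. */
static int addr_string_is_blocked(const char *txt)
{
	struct sockaddr_in s4;
	struct sockaddr_in6 s6;

	memset(&s4, 0, sizeof s4);
	memset(&s6, 0, sizeof s6);
	if (inet_pton(AF_INET, txt, &s4.sin_addr) == 1) {
		s4.sin_family = AF_INET;
		return sockaddr_is_blocked((const struct sockaddr *)&s4);
	}
	if (inet_pton(AF_INET6, txt, &s6.sin6_addr) == 1) {
		s6.sin6_family = AF_INET6;
		return sockaddr_is_blocked((const struct sockaddr *)&s6);
	}
	return -1;
}

/* Resolve once, vet every answer, connect() to a vetted sockaddr. The
   vulnerable pattern resolves in the check and lets the HTTP client resolve
   the name again; a 0-TTL record answers a public address first and
   127.0.0.1 second. Returns a connected fd, -1 on resolve/connect failure,
   -2 if any answer was internal (any, so a mixed answer set cannot be
   retried into the bad one). The caller adds the Host header itself. */
static int connect_pinned(const char *host, const char *port)
{
	struct addrinfo hints, *res, *ai;
	int fd = -1;

	memset(&hints, 0, sizeof hints);
	hints.ai_socktype = SOCK_STREAM;
	if (getaddrinfo(host, port, &hints, &res) != 0)
		return -1;
	for (ai = res; ai; ai = ai->ai_next)
		if (sockaddr_is_blocked(ai->ai_addr)) {
			freeaddrinfo(res);
			return -2;
		}
	for (ai = res; ai && fd < 0; ai = ai->ai_next) {
		fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) != 0) {
			close(fd);
			fd = -1;
		}
	}
	freeaddrinfo(res);
	return fd;
}

int main(void)
{
	const char *samples[] = { "93.184.216.34", "127.0.0.1", "169.254.169.254",
				  "::ffff:10.0.0.5", "fd00::1" };
	size_t i;

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-18s blocked=%d\n", samples[i], addr_string_is_blocked(samples[i]));
	(void)connect_pinned;	/* needs a network; not exercised here */
	return 0;
}
```

The same function has to run for every redirect hop and for every URL the server later extracts from a fetched page or dispatches asynchronously, which is the step Lemmy skipped for og:image and Webmention targets. In a Node or TypeScript service the equivalent of `connect_pinned()` is a custom `lookup` that returns the address already vetted, so the HTTP client never performs its own resolution.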
-
CVE-2026-42176
MEDIUM
CVSS 6.7
Authentication bypass in Scoold prior to version 1.67.0 allows high-privileged attackers to inject arbitrary administrator email addresses via the /api/config/set/admins endpoint using a forged Bearer token, establishing persistent administrative access after application restart. The vulnerability exploits insufficient token validation in the configuration API, enabling attackers to escalate privileges reliably by injecting their own email into the admin configuration file, which is loaded on startup.
Authentication Bypass
-
CVE-2026-42150
MEDIUM
CVSS 5.1
Cross-site scripting in wlc command-line client versions prior to 2.0.0 allows authenticated users with high privileges to inject malicious HTML/JavaScript into API responses, which are then embedded unescaped in HTML output. When the HTML output is rendered in a browser, this enables XSS attacks. The vulnerability requires explicit use of the HTML output format (non-default), user interaction to open/view the HTML file, and elevated API credentials, limiting real-world risk despite the network vector.
XSS
-
CVE-2026-42030
MEDIUM
CVSS 6.1
Reflected XSS in MapServer 6.0 through 8.6.1 allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript into the browsers of users clicking crafted WMS URLs. The vulnerability exists in the OpenLayers template when FORMAT=application/openlayers is combined with an unsanitized SRS parameter in WMS 1.3.0 requests. MapServer 8.6.2 patches this issue, and no public exploit code or active exploitation has been confirmed, though the attack requires user interaction (clicking a malicious link).
XSS
-
CVE-2026-42028
MEDIUM
CVSS 5.3
Path traversal vulnerability in novaGallery prior to version 2.1.1 allows unauthenticated remote attackers to read arbitrary image files outside the intended gallery root directory via crafted album or image parameters. The vulnerability has low real-world impact (confidentiality only, CVSS 5.3) but affects all unpatched installations since exploitation requires no authentication, user interaction, or special configuration. Vendor-released patch version 2.1.1 is available.
PHP
Path Traversal
-
CVE-2026-41887
MEDIUM
CVSS 4.9
Authenticated administrators in Flarum can read arbitrary files and trigger server-side request forgery via LESS injection in theme color settings. The vulnerability exploits an incomplete patch for CVE-2023-27577 that restricted @import and data-uri() only in the custom_less setting but failed to apply the same restrictions to other LESS config variables such as theme_primary_color and theme_secondary_color. An attacker with admin credentials can inject arbitrary @import directives into compiled forum.css, exposing sensitive files or making outbound HTTP requests to internal networks and cloud metadata endpoints. Vendor-released patches: Flarum 1.8.16 and 2.0.0-rc.1.
PHP
Path Traversal
SSRF
-
CVE-2026-41885
MEDIUM
CVSS 6.5
URL injection via unsanitized path parameters in i18next-locize-backend prior to 9.0.2 allows remote attackers to manipulate translation resource URLs by injecting path traversal sequences, query strings, or fragments through user-controlled lng, ns, projectId, or version parameters. When these values are exposed via query parameters, cookies, or request headers through i18next-browser-languagedetector, an attacker can redirect requests to unintended translation resources or trigger SSRF/arbitrary-file-read attacks against internal/file-scheme URLs. No public exploit code has been identified, but the vulnerability is straightforward to exploit given network-accessible backend services.
Path Traversal
Node.js
-
CVE-2026-41682
MEDIUM
CVSS 6.9
pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SSRF port confusion due to port truncation via an atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.
Information Disclosure
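The port confusion works because a port parsed with atoi() is a full int while the socket field is 16 bits: "65616" passes any policy that compares the int, then becomes port 80 on the wire. The added example below is not pupnp's parse_uri(); the blocklist and the two `*_target()` wrappers are hypothetical, chosen to show the check-versus-use mismatch and a strict parser that removes it.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy: internal services a fetcher must not be pointed at. */
static const unsigned short blocked_ports[] = { 22, 25, 80, 443 };

static int port_is_blocked(long port)
{
	size_t i;

	for (i = 0; i < sizeof blocked_ports / sizeof blocked_ports[0]; i++)
		if (port == blocked_ports[i])
			return 1;
	return 0;
}

/* Legacy flow. atoi() accepts "65616", "-65456" and "80x" without complaint;
   the policy is evaluated on the int it returns, while the socket field keeps
   only the low 16 bits. "65616" is not in the blocklist, yet
   (unsigned short)65616 == 80, so the connection goes to the blocked port.
   Returns the port the socket would use, or -1 if the policy rejected it. */
static long legacy_target(const char *s)
{
	int p = atoi(s);

	if (port_is_blocked(p))
		return -1;
	return (unsigned short)p;
}

/* Strict parse: a leading digit, the whole string consumed, 1..65535. */
static int port_parse_strict(const char *s, unsigned short *out)
{
	char *end;
	unsigned long v;

	if (*s < '0' || *s > '9')	/* strtoul would skip spaces and take a sign */
		return -1;
	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno == ERANGE || *end != '\0' || v == 0 || v > 65535)
		return -1;
	*out = (unsigned short)v;
	return 0;
}

/* Fixed flow: the policy and the socket see the same 16-bit value. */
static long strict_target(const char *s)
{
	unsigned short p;

	if (port_parse_strict(s, &p) != 0 || port_is_blocked(p))
		return -1;
	return p;
}

int main(void)
{
	const char *inputs[] = { "8080", "80", "65616", "-65456", "80x", "" };
	size_t i;

	for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
		printf("%-8s legacy=%ld strict=%ld\n", inputs[i],
		       legacy_target(inputs[i]), strict_target(inputs[i]));
	return 0;
}
```

The negative case matters as much as the large one: "-65456" also lands on port 80, and the empty string becomes port 0, which some stacks treat as "any". Whatever type the connect path uses is the type the policy must be evaluated on.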
-
CVE-2026-41585
MEDIUM
CVSS 6.9
Denial of service in Zebra's JSON-RPC HTTP middleware allows authenticated RPC clients to crash a Zebra node by disconnecting mid-request, exploiting improper error handling that treats incomplete HTTP body reads as unrecoverable failures instead of returning error responses. Affects zebrad versions 2.2.0 through 4.3.0 and zebra-rpc versions 1.0.0-beta.45 through 6.0.1. No public exploit code or active exploitation confirmed; patch available in zebrad 4.3.1 and zebra-rpc 6.0.2.
Denial Of Service
-
CVE-2026-41575
MEDIUM
CVSS 6.1
DOM-based cross-site scripting (XSS) in th30d4y/IP versions 1.0.1 through 2.0.0 allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting malicious input to the IP Reputation Checker application. The vulnerability requires user interaction (clicking a malicious link) but affects all users of vulnerable versions. Vendor-released patch: version 2.0.1.
XSS
-
CVE-2026-41509
MEDIUM
CVSS 6.9
Buffer overflow in the CROSS crypto_sign_open() function allows remote attackers to corrupt memory via malformed signature input due to integer underflow in message length validation. The vulnerability affects the reference implementation prior to commit fc6b7e7, enabling potential code execution or denial of service when processing untrusted signatures. The flaw sits in the signature-opening (verification) path, which by definition consumes untrusted input with no authentication, making it reachable in any system that integrates this algorithm for signature verification.
Buffer Overflow
Stack Overflow
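The underflow is the ordinary size_t trap: a message length derived as signed-message length minus signature length wraps to about 2^64 when the input is shorter than one signature, and every bound computed from it afterwards is wrong. The added example below is not the CROSS reference code; `SIG_BYTES`, `MSG_CAP` and the verifier stand-in are placeholders chosen to show the wrapped value and the check that prevents it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_BYTES 64	/* hypothetical fixed signature length appended to the message */
#define MSG_CAP   256	/* hypothetical capacity of the caller's output buffer */

/* The buggy derivation: size_t cannot go negative, so an input shorter than
   one signature yields a length near 2^64, and a following memcpy() of that
   many bytes walks off both the input and the output buffer. */
static size_t derive_mlen_unchecked(size_t smlen)
{
	return smlen - SIG_BYTES;	/* smlen = 10 -> SIZE_MAX - 53 */
}

/* Hardened open: reject short inputs before subtracting, bound the copy by
   the caller's capacity, then hand the remainder to the verifier. Returns the
   message length, or -1 if the input is malformed or does not fit. */
static long sign_open_checked(const uint8_t *sm, size_t smlen,
			      uint8_t *m, size_t mcap)
{
	size_t mlen;

	if (smlen < SIG_BYTES)		/* the check the advisory describes as missing */
		return -1;
	mlen = smlen - SIG_BYTES;	/* cannot wrap now */
	if (mlen > mcap)
		return -1;
	memcpy(m, sm, mlen);		/* layout assumed here: message || signature */
	/* verify(sm + mlen, SIG_BYTES, m, mlen) would run at this point */
	return (long)mlen;
}

/* Builds a constructed signed blob of `smlen` filler bytes and opens it.
   Returns the opened length, -1 if rejected, -2 if the test blob is too big. */
static long open_blob_of_len(size_t smlen)
{
	uint8_t sm[MSG_CAP + SIG_BYTES + 64];
	uint8_t m[MSG_CAP];

	if (smlen > sizeof sm)
		return -2;
	memset(sm, 0xA5, smlen);
	return sign_open_checked(sm, smlen, m, sizeof m);
}

int main(void)
{
	printf("unchecked mlen for a 10-byte input: %zu\n", derive_mlen_unchecked(10));
	printf("checked open, 10 bytes:  %ld\n", open_blob_of_len(10));
	printf("checked open, 69 bytes:  %ld\n", open_blob_of_len(69));
	printf("checked open, 321 bytes: %ld\n", open_blob_of_len(321));
	return 0;
}
```

Fuzzing a verifier with inputs shorter than the signature is the cheapest test for this class of bug; the reference APIs take the whole signed message as one buffer, so the length check has to happen before any arithmetic on it.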
-
CVE-2026-41506
MEDIUM
CVSS 4.7
go-git versions prior to 5.18.0 and 6.0.0-alpha.2 leak HTTP authentication credentials when following cross-host redirects during smart-HTTP clone and fetch operations. Remote unauthenticated attackers controlling a redirect target can capture credentials intended for the original repository host. User interaction (initiating a clone/fetch to a malicious or compromised server) is required. Vendor-released patches are available in v5.18.0 and v6.0.0-alpha.2.
Information Disclosure
Red Hat
Suse
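A smart-HTTP client that follows a redirect has to decide whether the credential it attached to the first request belongs on the second; go-git answered yes for any host. The same origin comparison is what RedwoodSDK's 1.2.3 fix does for CSRF, matching the Origin header against Host (CVE-2026-42190 above). The added example below, not code from go-git, curl or RedwoodSDK, parses (scheme, host, port) from a URL and applies both policies; `parse_origin()`, the hypothetical example URLs and the hostnames in them are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct origin { char scheme[16]; char host[256]; unsigned port; };

static void lower(char *s)
{
	for (; *s; s++)
		*s = (char)tolower((unsigned char)*s);
}

/* (scheme, host, port) of an absolute http(s) URL. Userinfo, path, query and
   fragment are dropped; a bracketed IPv6 host is kept as written. */
static int parse_origin(const char *url, struct origin *o)
{
	const char *p = strstr(url, "://"), *end, *at, *hstart, *hend, *colon = NULL;
	size_t n;

	if (!p || p == url || (n = (size_t)(p - url)) >= sizeof o->scheme)
		return -1;
	memcpy(o->scheme, url, n);
	o->scheme[n] = '\0';
	lower(o->scheme);
	p += 3;
	end = p + strcspn(p, "/?#");			/* authority ends here */
	at = memchr(p, '@', (size_t)(end - p));		/* user:pass@ is not the host */
	hstart = at ? at + 1 : p;
	if (*hstart == '[') {
		hend = memchr(hstart, ']', (size_t)(end - hstart));
		if (!hend)
			return -1;
		hend++;
	} else {
		const char *c = memchr(hstart, ':', (size_t)(end - hstart));
		hend = c ? c : end;
	}
	if (hend < end && *hend == ':')
		colon = hend;
	else if (hend != end)
		return -1;
	n = (size_t)(hend - hstart);
	if (n == 0 || n >= sizeof o->host)
		return -1;
	memcpy(o->host, hstart, n);
	o->host[n] = '\0';
	lower(o->host);
	if (colon) {
		char *e;
		unsigned long v = strtoul(colon + 1, &e, 10);
		if (!isdigit((unsigned char)colon[1]) || e != end || v == 0 || v > 65535)
			return -1;
		o->port = (unsigned)v;
	} else if (strcmp(o->scheme, "https") == 0) {
		o->port = 443;
	} else if (strcmp(o->scheme, "http") == 0) {
		o->port = 80;
	} else {
		return -1;
	}
	return 0;
}

static int same_origin(const struct origin *a, const struct origin *b)
{
	return strcmp(a->scheme, b->scheme) == 0 && strcmp(a->host, b->host) == 0
	    && a->port == b->port;
}

/* Redirect policy: 1 = the credential bound to `original` may go to `target`,
   0 = strip it (other origin, including an https->http downgrade), -1 = a URL
   did not parse. Apply at every hop, always comparing against `original`. */
static int may_forward_credentials(const char *original, const char *target)
{
	struct origin a, b;

	if (parse_origin(original, &a) != 0 || parse_origin(target, &b) != 0)
		return -1;
	return same_origin(&a, &b);
}

/* CSRF policy: accept a state-changing request only when its Origin header
   equals the origin built from the Host header and the connection's scheme.
   A same-site sibling host or a missing Origin fails. */
static int csrf_origin_ok(const char *origin_hdr, const char *host_hdr, int tls)
{
	struct origin o, h;
	char buf[300];

	if (!origin_hdr || !host_hdr)
		return 0;
	snprintf(buf, sizeof buf, "%s://%s/", tls ? "https" : "http", host_hdr);
	return parse_origin(origin_hdr, &o) == 0 && parse_origin(buf, &h) == 0
	    && same_origin(&o, &h);
}

int main(void)
{
	const char *orig = "https://git.example.com/org/repo.git/info/refs";

	printf("explicit :443 -> %d, other host -> %d, csrf sibling -> %d\n",
	       may_forward_credentials(orig, "https://git.example.com:443/x"),
	       may_forward_credentials(orig, "https://evil.example.net/x"),
	       csrf_origin_ok("https://staging.example.com", "app.example.com", 1));
	return 0;
}
```

Host and scheme are compared after lowercasing and with default ports filled in, so `https://git.example.com` and `https://git.example.com:443` are one origin while `:8443` is not. For the CSRF side, `Origin: null` and an absent Origin both fail parsing and are refused; a server that wants to allow same-site siblings must list them explicitly rather than relax the match.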
-
CVE-2026-41493
MEDIUM
CVSS 6.9
Path traversal vulnerability in YARD prior to version 0.9.42 allows remote attackers to access arbitrary files on a server running yard server with unsanitized HTTP requests when using the --docroot flag. The vulnerability affects the documentation serving functionality and has been patched in version 0.9.42. No public exploit code or active exploitation has been identified at the time of analysis.
Path Traversal
Suse
-
CVE-2026-41487
MEDIUM
CVSS 5.3
Langfuse versions 3.68.0 through 3.166.x contain an insufficient access control flaw allowing authenticated project members to modify LLM connection endpoints and exfiltrate stored provider API keys in plaintext. An attacker with 'member' role can update an existing LLM connection's baseUrl to an attacker-controlled server, causing Langfuse to reuse the stored provider secret and redirect test requests to that endpoint, exposing credentials like OpenAI API keys. The vulnerability requires prior project membership but no elevated privileges; it was patched in version 3.167.0.
Authentication Bypass
-
CVE-2026-41308
MEDIUM
CVSS 6.5
Unauthenticated attackers can create file-type pushes through Password Pusher's JSON API endpoints when the application is configured to allow anonymous pushes, bypassing intended authentication requirements for file uploads. Affected versions prior to 1.69.3 and 2.4.2 permit remote POST requests to /p.json and /api/v2/pushes endpoints with file payloads without valid credentials, allowing unauthorized file storage and potential information disclosure. Vendor-released patches versions 1.69.3 and 2.4.2 enforce mandatory authentication for all file-type push creation regardless of anonymous-push configuration.
Information Disclosure
-
CVE-2026-41161
MEDIUM
CVSS 6.9
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. T...
Information Disclosure
-
CVE-2026-40295
MEDIUM
CVSS 6.1
Open redirect in Devise's Timeoutable module allows unauthenticated attackers to redirect users with expired sessions to arbitrary external URLs via an unvalidated HTTP Referer header on non-GET requests. An attacker can host a page with an auto-submitting form to transparently redirect victims through a trusted domain, enabling credential harvesting or malware distribution without triggering browser phishing warnings. Affects Devise versions up to 5.0.3; patched in 5.0.4.
Open Redirect
-
CVE-2026-29203
MEDIUM
CVSS 5.3
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path und...
Privilege Escalation
-
CVE-2026-29202
MEDIUM
CVSS 5.3
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
RCE
-
CVE-2026-23557
MEDIUM
CVSS 6.5
Pre-NVD disclosure via the oss-security mailing list, 2026/04/28: ck_archive() doesn't check for Windows absolute paths in ZIPs (reported by Alan Coopersmith <alan.coopersmith@...cle.com>). The feed text also carries the next digest item, Xen Security Advisory 483 v2 (CVE-2026-23556) - oxenstored keeps quota related use counts across domain destruct..., which is a separate issue and not part of this CVE.
Buffer Overflow
Linux
Microsoft
Suse
-
CVE-2026-8149
MEDIUM
CVSS 5.1
Availability degradation in Bouncy Castle BC-FJA cryptographic library versions 2.1.0 through 2.1.2 on Linux X86_64 systems with AVX or AVX-512f SIMD extensions affects GCM-128 and GCM-512 operations, allowing local attackers to cause denial of service without authentication. The vulnerability is associated with optimized assembly implementations (gcm128w, gcm512w) and results in availability impact with no confidentiality or integrity compromise. No public exploit code or active exploitation has been identified at time of analysis.
Information Disclosure
-
CVE-2026-8133
MEDIUM
CVSS 5.5
SQL injection in FilePress up to version 2.2.0 allows unauthenticated remote attackers to manipulate the order parameter in the Shares Filelist API (dzz/shares/admin.php and dzz/shares/ajax.php) to execute arbitrary SQL queries. The vulnerability exploits insufficient input validation on the order parameter, enabling data exfiltration or manipulation. Publicly available exploit code exists, and a vendor patch has been released.
PHP
SQLi
-
CVE-2026-8132
MEDIUM
CVSS 5.5
SQL injection in CodeAstro Leave Management System 1.0 allows remote unauthenticated attackers to manipulate the txt_username parameter in /login.php, enabling database queries to be executed with low confidentiality and integrity impact. Publicly available exploit code exists for this vulnerability, increasing real-world exploitation risk despite the moderate CVSS score of 5.5.
PHP
SQLi
-
CVE-2026-8131
MEDIUM
CVSS 5.5
SQL injection in SourceCodester SUP Online Shopping 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the msgid parameter in /admin/replymsg.php, enabling data extraction or modification. Publicly available exploit code exists and the vulnerability has a CVSS score of 5.5 with confirmed low impact to confidentiality, integrity, and availability.
PHP
SQLi
-
CVE-2026-8130
MEDIUM
CVSS 5.5
SQL injection in SourceCodester SUP Online Shopping 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the seenid parameter in /admin/message.php. The vulnerability has a publicly available exploit and presents moderate confidentiality and integrity risk with a CVSS score of 5.5, though impact is limited to partial data access and modification without availability impact.
PHP
SQLi
-
CVE-2026-8129
MEDIUM
CVSS 5.5
SQL injection in SourceCodester SUP Online Shopping 1.0 allows remote unauthenticated attackers to manipulate the delwlistid parameter in wishlist.php, enabling arbitrary SQL query execution with potential impact on data confidentiality and integrity. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk despite the moderate CVSS 5.5 score.
PHP
SQLi
-
CVE-2026-8128
MEDIUM
CVSS 5.5
SQL injection in SourceCodester SUP Online Shopping 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via manipulation of the msgid parameter in /admin/viewmsg.php. The vulnerability has a publicly available exploit and impacts data confidentiality, integrity, and availability with a CVSS score of 5.5. While actively demonstrated through public proof-of-concept code, the lack of authentication requirements combined with network accessibility presents moderate real-world risk to exposed instances.
PHP
SQLi
-
CVE-2026-8126
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Comment System 1.0 allows remote unauthenticated attackers to manipulate the Name argument in post_comment.php, enabling arbitrary SQL query execution with low confidentiality and integrity impact. Publicly available exploit code exists and the attack requires no special user interaction or authentication, making it accessible to any network-connected attacker.
PHP
SQLi
-
CVE-2026-7864
MEDIUM
CVSS 6.9
SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the GINA UI, allowing remote attackers to retrieve sensitive system information including configuration details, internal paths, and potentially credentials. The vulnerability requires only network access to the affected endpoint, with no authentication, no special attack complexity, and no user interaction; it is classified as an information disclosure flaw with limited confidentiality impact (CVSS 6.9).
Information Disclosure
-
CVE-2026-7650
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in E2Pdf - Export Pdf Tool for WordPress plugin versions up to 1.32.17 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'id' attribute of the e2pdf-download shortcode, which executes when any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping on shortcode attributes, enabling persistent script injection with moderate confidentiality and integrity impact across site scopes.
WordPress
XSS
-
CVE-2026-7475
MEDIUM
CVSS 6.4
Stored cross-site scripting in Sky Addons plugin for WordPress (versions up to 3.3.2) allows authenticated attackers with Author-level access to inject arbitrary JavaScript via the REST API that persists in the `sky-custom-scripts` post type and executes on all frontend pages for every site visitor. The vulnerability stems from insufficient input sanitization on the `sky_script_content` meta field combined with lack of output escaping during frontend rendering. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires only Author-level privileges and standard REST API access, making it a practical threat in multi-user WordPress environments.
WordPress
XSS
-
CVE-2026-7168
MEDIUM
CVSS 5.3
Cross-proxy Digest authentication state leak in curl allows remote attackers to obtain sensitive authentication credentials when curl is used with proxy authentication across multiple proxy hops. The vulnerability affects curl versions from 7.12.0 through 8.19.0 due to improper handling of Digest authentication state between proxies, enabling credential disclosure with network-level access and no authentication requirements. EPSS score of 0.03% suggests low real-world exploitation probability despite the information disclosure impact.
Information Disclosure
Apple
Jenkins
Red Hat
-
CVE-2026-7009
MEDIUM
CVSS 5.3
OCSP stapling validation bypass in curl 8.17.0 through 8.19.0 when curl uses Apple SecTrust for TLS: the stapled OCSP response is not validated as intended, so a server certificate that has been revoked can still be accepted. The impact is weakened revocation checking rather than direct data disclosure, which can assist a man-in-the-middle attacker holding a certificate that has since been revoked.
Information Disclosure
Apple
-
CVE-2026-6429
MEDIUM
CVSS 5.3
curl versions 7.14.0 through 8.19.0 can leak netrc credentials when a pooled proxy connection is reused: connection matching does not take the credentials in use into account, so a request can go out over a proxy connection authenticated with credentials it should not carry, exposing them to an authenticated local attacker. CVSS 5.3 reflects high confidentiality impact but requires low-privilege local access and high attack complexity; EPSS 0.02% indicates minimal real-world exploitation probability despite broad version coverage. No public exploit code identified at time of analysis.
Information Disclosure
Apple
Red Hat
Suse
-
CVE-2026-5341
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in the NMR Strava Activities WordPress plugin through version 1.0.14 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the `strava_nmr_connect` shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, compromising session security and enabling account takeover or malware distribution. A vendor patch addressing the vulnerability is available in version 1.0.15.
WordPress
XSS
-
CVE-2026-3508
MEDIUM
CVSS 6.8
Out-of-bounds read in ASUS System Control Interface IOCTL handler allows local authenticated users to trigger denial of service via oversized read operations. A local user with limited privileges can supply a read size exceeding the allocated buffer, causing a system crash (BSOD). No public exploit code or active exploitation has been confirmed at this time.
Buffer Overflow
Information Disclosure
-
CVE-2026-3318
MEDIUM
CVSS 5.3
Open redirection in Cradle eCommerce login form endpoint allows attackers to redirect authenticated users to arbitrary external URLs via the unvalidated 'returnUrl' parameter, enabling phishing and credential theft attacks. The vulnerability affects the latest demo version and requires user interaction to click a malicious link, but carries low real-world exploitation probability (EPSS 0.04%) and no confirmed active exploitation at time of analysis.
Open Redirect
-
CVE-2025-71302
MEDIUM
CVSS 5.5
Race condition in drm/panthor GPU driver violates dma-fence safe access rules, allowing local authenticated users to cause denial of service via timeline name retrieval racing with queue freeing. CVSS 5.5 (local, low complexity); EPSS 0.02% indicates minimal real-world exploitation likelihood despite the active kernel-level flaw.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2025-71301
MEDIUM
CVSS 5.5
Denial of service in Linux kernel DRM GEM shmem helper functions allows local privileged attackers to trigger CPU warnings and system instability via improper reservation lock handling around vmap/vunmap operations. The vulnerability affects Linux 6.16 and multiple stable branches (6.18, 6.19, 7.0) and is resolved in patched versions; exploitation requires local access with limited privileges and produces availability impact through kernel warnings rather than remote compromise.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2025-71300
MEDIUM
CVSS 5.5
Memory access violations occur in Linux kernel on Xilinx ZynqMP systems when OP-TEE device tree nodes are manually defined, preventing U-Boot's OP-TEE injection logic from properly inserting reserved-memory nodes. This affects Linux kernel versions 6.9 through 7.0 on ARM64 ZynqMP platforms, allowing local authenticated users to cause denial of service through runtime memory access faults. Vendor-released patches are available across multiple stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).
Linux
Code Injection
Red Hat
Suse
-
CVE-2025-71299
MEDIUM
CVSS 5.5
A denial of service vulnerability in the Linux kernel's Cadence QSPI driver causes duplicate clock disables during device probe error handling when flash device tree descriptions are missing or malformed. An unprivileged local user can trigger this vulnerability by providing broken device tree configuration for attached SPI flash devices, resulting in kernel warnings and potential system instability.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2025-71298
MEDIUM
CVSS 5.5
Denial of service via missing reservation lock in drm/tests shmem allows local authenticated users to trigger a kernel warning and crash the DRM graphics subsystem. The vulnerability exists in DRM test code that calls drm_gem_shmem_madvise_locked() without properly acquiring the GEM object's reservation lock, causing CPU warnings and potential system instability on affected kernel versions.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2025-71297
MEDIUM
CVSS 5.5
Kernel denial of service in rtw88 WiFi driver 8822b chipset allows local authenticated users to trigger a kernel WARNING and potential system instability by setting antenna configuration while the wireless chip is powered off, causing unexpected values when RF registers are read during power-down state.
Information Disclosure
Linux
Red Hat
Suse
Lenovo
-
CVE-2025-71296
MEDIUM
CVSS 5.5
Denial of service in Linux kernel DRM GEM shmem helper when drm_gem_shmem_purge_locked() is called without properly holding the GEM object's reservation lock, exploitable by local authenticated users. The vulnerability causes a kernel warning and a denial of service condition in the direct rendering manager's shared memory handling code. CVSS 5.5 with low EPSS (0.02%) indicates limited real-world exploitation despite the availability of a patch. Affected are Linux versions prior to the kernels containing commits cdf8bbbd9017adcfb91ad9a902198d4b507719a9, 8baeee2c1c0cdb3a8eac3b8f38156cce6ee1a69f, and 3f41307d589c2f25d556d47b165df808124cd0c4.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2025-69233
MEDIUM
CVSS 6.5
Apache CloudStack fails to properly validate resource allocation limits due to time-of-check time-of-use race conditions and missing validations, allowing authenticated users to exceed configured account and domain resource quotas and trigger denial of service conditions. Authenticated network attackers can exploit this vulnerability without user interaction to exhaust infrastructure resources. Affected versions prior to 4.20.3.0 and 4.22.0.1 require immediate patching.
Denial Of Service
Apache
-
CVE-2025-67886
MEDIUM
CVSS 6.3
Remote code execution in Bitrix24 through version 25.100.300 allows authenticated users with SOURCE/WRITE permissions on the Translate Module to execute arbitrary PHP code by uploading malicious PHP and .htaccess files. The vulnerability exploits unrestricted file upload capability in a high-privilege context; while the vendor disputes this as intended behavior for administrative users, the low EPSS score (0.02%) and lack of evidence of active exploitation suggest this poses minimal real-world risk despite the moderate CVSS rating.
PHP
RCE
File Upload
N/A
-
CVE-2025-66171
MEDIUM
CVSS 6.5
Improper access control in the CloudStack Backup plugin allows authenticated users in CloudStack 4.21.0.0 through 4.22.0.0 to create new virtual machines using backups belonging to other users, enabling unauthorized data access and VM provisioning. The vulnerability requires valid CloudStack credentials and access to specific backup-related APIs but carries elevated risk in multi-tenant environments. Vendor-released patch available in CloudStack 4.22.0.1.
Information Disclosure
-
CVE-2025-66170
MEDIUM
CVSS 6.5
Improper authorization logic in the CloudStack Backup plugin allows authenticated users to enumerate backups from any account in the environment across versions 4.21.0.0 through 4.22.0.0. An attacker with valid user credentials can exploit this to gain unauthorized visibility into backup metadata and existence across all accounts, though backup contents remain protected. The vulnerability requires the Backup plugin to be enabled and affects multi-tenant CloudStack environments where account isolation is a critical security boundary.
Authentication Bypass
-
CVE-2026-44987
LOW
CVSS 3.8
SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can rese...
Privilege Escalation
Python
-
CVE-2026-44928
LOW
CVSS 2.9
The EqualsUri function in uriparser before version 1.0.2 incorrectly classifies structurally distinct URIs as equivalent due to flawed absolutePath comparison logic when a host is present. An attacker can craft two different URIs that the library treats as identical, potentially bypassing URI-based access control checks or authentication mechanisms that rely on URI comparison. The vulnerability affects all versions before 1.0.2 and requires local access with high attack complexity; the impact is limited to integrity (logic bypass) with no confidentiality or availability impact.
Information Disclosure
-
CVE-2026-44927
LOW
CVSS 2.9
Pointer difference truncation to signed int in uriparser before version 1.0.2 allows local attackers to cause integer overflow and data integrity issues through specially crafted URI inputs. The vulnerability stems from unsafe casting of pointer arithmetic results (afterLast - first) to int, which can overflow on systems where pointer differences exceed INT_MAX, leading to buffer overflows, incorrect memory calculations, and potential information disclosure. While CVSS score is low (2.9) due to local attack vector and high complexity, the fix adds comprehensive overflow detection using SIZE_MAX checks, indicating real risk in applications processing untrusted URIs locally.
Information Disclosure
-
CVE-2026-44916
LOW
CVSS 3.0
Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose sensitive information by rendering unsandboxed Jinja2 templates in the instance_info['ks_template'] parameter. The vulnerability requires high-privilege user interaction and has low confidentiality impact with no integrity or availability consequences.
Information Disclosure
SSTI
-
CVE-2026-44428
LOW
CVSS 2.1
MCP Registry's GitHub OIDC token exchange allows cross-registry replay attacks due to use of a shared global audience string instead of registry-specific identifiers. An attacker controlling or observing any registry deployment can capture a legitimately issued OIDC token and replay it to another registry instance sharing the same codebase to obtain publish-capable JWTs for the victim GitHub owner namespace, breaking deployment isolation. The vulnerability affects all versions prior to 1.7.6; vendor-released patch available.
Authentication Bypass
SSRF
Microsoft
-
CVE-2026-44286
LOW
CVSS 2.3
Server-side request forgery (SSRF) in FastGPT prior to version 4.14.17 allows authenticated users with App editing privileges to bypass SSRF protections in the lafModule workflow node's fetchData function, enabling arbitrary HTTP requests to internal and private network addresses via unvalidated user-controlled URLs passed to axios without filtering against the application's isInternalAddress blocklist.
SSRF
-
CVE-2026-43435
None
In the Linux kernel, the following vulnerability has been resolved:
rust_binder: fix oneway spam detection
The spam detection logic in TreeRange was executed before the current
request was inserted into the tree. So the new request was not being
factored in the spam calculation. Fix this by moving...
Information Disclosure
Linux
-
CVE-2026-43423
None
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: Fix atomic context locking issue
The ncm_set_alt function was holding a mutex to protect against races
with configfs, which invokes the might-sleep function inside an atomic
context.
Remove the struct net_devi...
Information Disclosure
Linux
-
CVE-2026-43422
None
In the Linux kernel, the following vulnerability has been resolved:
usb: legacy: ncm: Fix NPE in gncm_bind
Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle
with bind/unbind") deferred the allocation of the net_device. This
change leads to a NULL pointer dereference in the legac...
Denial Of Service
Linux
-
CVE-2026-43421
None
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: Fix net_device lifecycle with device_move
The network device outlived its parent gadget device during
disconnection, resulting in dangling sysfs links and null pointer
dereference problems.
A prior attempt to ...
Denial Of Service
Linux
-
CVE-2026-43420
None
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix i_nlink underrun during async unlink
During async unlink, we drop the `i_nlink` counter before we receive
the completion (that will eventually update the `i_nlink`) because "we
assume that the unlink will succeed". That...
Information Disclosure
Linux
-
CVE-2026-43419
None
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix memory leaks in ceph_mdsc_build_path()
Add __putname() calls to error code paths that did not free the "path"
pointer obtained by __getname(). If ownership of this pointer is not
passed to the caller via path_info.path,...
Information Disclosure
Linux
-
CVE-2026-43418
None
In the Linux kernel, the following vulnerability has been resolved:
sched/mmcid: Prevent CID stalls due to concurrent forks
A newly forked task is accounted as MMCID user before the task is visible
in the process' thread list and the global task list. This creates the
following problem:
CPU1 C...
Information Disclosure
Linux
-
CVE-2026-43417
None
In the Linux kernel, the following vulnerability has been resolved:
sched/mmcid: Handle vfork()/CLONE_VM correctly
Matthieu and Jiri reported stalls where a task endlessly loops in
mm_get_cid() when scheduling in.
It turned out that the logic which handles vfork()'ed tasks is broken. It
is invoke...
Information Disclosure
Linux
-
CVE-2026-42794
LOW
CVSS 2.3
Reflected cross-site scripting (XSS) in absinthe_plug GraphiQL interface allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers via the query GET parameter. The vulnerability exploits incomplete input escaping in the js_escape/1 function, which fails to escape backslashes before embedding user-controlled query strings into inline JavaScript. An attacker can bypass existing single-quote and newline escaping by prefixing a quote with a backslash (e.g., \'), breaking out of the string context. Vendor-released patch available (version 1.10.2 and later); exploitation requires user interaction (clicking a malicious link).
XSS
-
CVE-2026-42486
None
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/29. e LLM Age (Lucas Holt <luke@...lishgames.com>) CVE-2026-7111: Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argumen… (Stig Palmquist <stig@...g.io>) Xen Security ...
Information Disclosure
-
CVE-2026-42195
LOW
CVSS 3.4
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a...
Gitlab
Open Redirect
-
CVE-2026-41889
LOW
CVSS 2.3
SQL injection vulnerability in pgx (Go PostgreSQL driver) prior to version 5.9.2 allows authenticated attackers to manipulate queries when the non-default simple protocol is used in conjunction with dollar-quoted string literals containing attacker-controlled placeholder-like text. The vulnerability requires specific configuration (simple protocol mode enabled) and precise SQL structure (dollar-quoted strings with embedded placeholder syntax), making exploitation unlikely in typical deployments but possible in applications explicitly using QueryExecModeSimpleProtocol.
SQLi
PostgreSQL
-
CVE-2026-41517
NONE
Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11.
PHP
File Upload
-
CVE-2026-32803
LOW
CVSS 3.3
Dell PowerScale OneFS versions 9.5.0.0 through 9.12.0.1 contain an insufficient logging vulnerability that allows low-privileged local attackers to tamper with information without generating adequate audit trails, enabling attack obfuscation and compliance violation. The vulnerability affects multiple version branches across OneFS 9.5 through 9.12, with no public exploit code identified at time of analysis. CVSS score of 3.3 reflects low-to-medium integrity impact with local access requirement and low complexity.
Information Disclosure
Dell
-
CVE-2026-23562
None
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/29. isclosure in the LLM Age (Lucas Holt <luke@...lishgames.com>) CVE-2026-7111: Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argumen… (Stig Palmquist <stig@...g.io>...
Information Disclosure
-
CVE-2026-23561
None
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/29. : Coordinated Disclosure in the LLM Age (Lucas Holt <luke@...lishgames.com>) CVE-2026-7111: Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argumen… (Stig Palmquist...
Information Disclosure
-
CVE-2026-23560
None
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/29. ..kweb.net>) Re: Coordinated Disclosure in the LLM Age (Lucas Holt <luke@...lishgames.com>) CVE-2026-7111: Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argumen… ...
Information Disclosure
-
CVE-2026-23559
None
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/29. niel Beck <ml@...kweb.net>) Re: Coordinated Disclosure in the LLM Age (Lucas Holt <luke@...lishgames.com>) CVE-2026-7111: Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the...
Information Disclosure
-
CVE-2026-23556
None
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/28. libc language bindings: Specially crafted input can crash a c_glib Thrift server with invalid poin… (Jens Geyer <jensg@...che.org>) [CVE-2026-3087] shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs (A...
Denial Of Service
Microsoft
-
CVE-2026-8136
LOW
CVSS 1.9
Cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows high-privileged users with user interaction to inject malicious scripts via the Name parameter in /index.php?page=users, affecting application integrity with low severity. The vulnerability requires administrative privileges and user interaction to exploit, limiting real-world impact despite public exploit availability.
PHP
XSS
-
CVE-2026-8127
LOW
CVSS 2.1
Improper access controls in eladmin up to version 2.7 allow authenticated remote attackers to bypass user level checks through the checkLevel function in the Users API Endpoint (/rest/UserController.java), resulting in unauthorized access to resources. Publicly available exploit code exists, and the vendor has not responded to early notification of the vulnerability.
Authentication Bypass
Java
-
CVE-2026-8125
LOW
CVSS 2.1
SQL injection in code-projects Simple Chat System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the type, length, or business parameters in sendMessage.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists and the vulnerability carries a CVSS score of 6.3 with authenticated network access.
PHP
SQLi
-
CVE-2026-8124
LOW
CVSS 1.9
Resource exhaustion in GPAC up to version 26.02.0 allows local attackers with limited privileges to trigger a denial-of-service condition via the sidx_box_read function in src/isomedia/box_code_base.c. The vulnerability stems from improper validation of allocation size parameters when parsing ISO media files, enabling exhaustion of system memory without requiring elevated privileges. Publicly available exploit code exists, and a patch is available from the vendor.
Denial Of Service
-
CVE-2026-8123
LOW
CVSS 2.1
Denial of service in Open5GS up to version 2.7.7 affects the NSSF component's ogs_sbi_discovery_option_add_snssais function, allowing authenticated remote attackers to crash the service via a network request. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor has not yet responded to early notification.
Denial Of Service
-
CVE-2026-8122
LOW
CVSS 2.1
Denial of service vulnerability in Open5GS up to version 2.7.7 affects the NSSF component's service discovery function, allowing remote authenticated attackers to cause availability impact through manipulation of the ogs_sbi_discovery_option_add_service_names function. Public exploit code exists and the vulnerability carries low CVSS score (2.1) reflecting limited impact scope, though the project has not yet responded to early notification.
Denial Of Service
-
CVE-2026-8121
LOW
CVSS 2.1
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the NSSF (Network Slice Selection Function) component via a crafted PLMN list in the SBI (Service Based Interface) parser. The vulnerability exists in the ogs_sbi_parse_plmn_list function within /lib/sbi/conv.c and has been publicly disclosed with exploit code available; the vendor has not yet released a patch despite early notification.
Denial Of Service
-
CVE-2026-8120
LOW
CVSS 2.1
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to manipulate the NSSF network selection function via the nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf handler in /src/nssf/nnssf-handler.c, causing service unavailability. Public exploit code exists and the vulnerability has been reported to the project, though no patch has been released as of analysis time.
Denial Of Service
-
CVE-2026-8119
LOW
CVSS 1.9
Denial of service in Open5GS up to version 2.7.7 affects the NSSF component's stream identification function in the nghttp2-server library. Local authenticated attackers can manipulate the ogs_sbi_stream_find_by_id function to cause service unavailability. Publicly available exploit code exists, though the vendor has not yet responded to early disclosure notification.
Denial Of Service
-
CVE-2026-8117
LOW
CVSS 2.1
Reflected cross-site scripting (XSS) in SourceCodester Pizzafy Ecommerce System 1.0 via the page parameter in /admin/index.php allows remote attackers to inject malicious scripts that execute in a victim's browser with user interaction. CVSS 2.1 (low) reflects the requirement for user click-through; however, the vulnerability is disclosed publicly with proof-of-concept code available.
PHP
XSS
-
CVE-2026-6737
LOW
CVSS 2.0
AsusPTPFilter driver allows local authenticated users to bypass security mechanisms via crafted IOCTL requests, potentially leaking restricted touchpad information or disabling the touchpad entirely. The vulnerability requires local access and low-level privileges but impacts the integrity and availability of the touchpad subsystem. CVSS 2.0 reflects limited scope (low severity across confidentiality, integrity, availability), but the attack vector is local and requires existing user privileges.
Authentication Bypass