Skip to main content
CVE-2026-44694 HIGH PATCH GHSA This Week

Server-side request forgery in n8n-mcp versions 2.18.7 through 2.50.1 allows authenticated attackers with MCP session access to bypass SSRF protections and send HTTP requests to cloud metadata endpoints and internal services, with response bodies returned directly to the attacker. Multi-tenant HTTP deployments are critically exposed: any tenant sharing an AUTH_TOKEN can exfiltrate AWS IAM, GCP service account, or Azure managed identity credentials from the operator's cloud metadata service (169.254.169.254 and related endpoints). Single-tenant and stdio deployments remain vulnerable via indirect prompt injection attacks that manipulate LLM tool calls. Vendor-released patch: n8n-mcp version 2.50.2. No CVSS score assigned; no public exploit code identified at time of analysis, though the advisory contains sufficient technical detail for proof-of-concept development.

SSRF Microsoft Google
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-42261 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in PromptHub 0.4.9 through 0.5.3 allows authenticated users to bypass IPv6 address validation and probe internal network resources. The /api/skills/fetch-remote endpoint accepts user-supplied URLs and fetches them server-side, reflecting up to 5 MB of response data. Flawed IPv6 validation allows attackers to reach RFC1918 private networks, loopback addresses, and link-local destinations using IPv4-mapped IPv6 hex representations and alternate ::1 notations. When ALLOW_REGISTRATION=true (a documented configuration), any internet user can register and exploit this vulnerability. Vendor-released patch: version 0.5.4. EPSS data not available; no evidence of active exploitation (not in CISA KEV).

Canonical SSRF
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-42212 HIGH PATCH This Week

SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, Opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2.

Denial Of Service
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-44556 HIGH PATCH GHSA This Week

Open WebUI versions through 0.8.12 allow any authenticated user to bypass model access controls and interact with restricted LLM models via the /api/openai/responses endpoint. The vulnerability permits low-privilege users to consume expensive models (GPT-4o, o1-pro) restricted by administrators, enabling budget exhaustion and denial of service against legitimate users in multi-tenant deployments. Publicly available exploit code exists via GitHub PR #23481. Vendor-released patch available in version 0.9.0. CVSS 7.1 (High) reflects network-accessible attack with low complexity requiring only basic authentication, yielding high availability impact and low confidentiality impact.

Authentication Bypass Denial Of Service
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43453 HIGH PATCH This Week

Stack out-of-bounds read in the Linux kernel's netfilter nft_set_pipapo subsystem allows local low-privileged attackers to read 4 bytes past the end of a stack-allocated rulemap array via pipapo_drop(). The flaw was confirmed by KASAN and affects kernels from 5.6 onward until the fixed stable releases. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 7th percentile), but the CVSS 7.1 score reflects the potential for kernel memory disclosure and availability impact.

Information Disclosure Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43450 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's netfilter nfnetlink_cthelper subsystem allows a local attacker with CAP_NET_ADMIN to trigger an 8-byte OOB read in nfnl_cthelper_dump_table() by racing helper deletion against a netlink dump operation. The flaw stems from a misplaced 'goto restart' that bypasses the for-loop bounds check when cb->args[0] equals nf_ct_helper_hsize, as detected by KASAN. EPSS is 0.02% and no public exploit identified at time of analysis, though a detailed reproducer call trace exists in the commit message.

Information Disclosure Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43449 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's NVMe PCI driver (nvme_dbbuf_set) allows a local attacker to trigger a slab-out-of-bounds memory access during NVMe controller reset, potentially leading to denial of service or information disclosure. The flaw stems from an incorrect loop bound that iterates past dev->online_queues, reading from kmalloc-2k slab memory belonging to adjacent allocations. No public exploit identified at time of analysis, and the EPSS score of 0.02% reflects a low probability of opportunistic exploitation.

Information Disclosure Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43427 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's USB CDC-WDM (Communication Device Class - Wireless Device Management) driver allows a local low-privileged attacker to disclose uninitialized kernel memory and potentially crash the host through a memory-ordering race between desc->length updates and a memmove() in the read path. The flaw stems from compiler reordering or CPU out-of-order execution that can cause wdm_read() to observe an updated length before the corresponding data is fully copied, leading copy_to_user() to operate on uninitialized memory. EPSS is very low (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Information Disclosure Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43386 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's rtl8723bs staging Wi-Fi driver allows a local authenticated attacker to read memory beyond the WMM IE buffer and potentially crash the kernel. The flaw resides in rtw_restruct_wmm_ie(), which accesses in_ie[i+5] before validating that the index is within in_len. EPSS is 0.02% (7th percentile) and no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable branches.

Information Disclosure Buffer Overflow Linux
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43442 HIGH PATCH This Week

Local unprivileged users can trigger out-of-bounds memory reads in Linux kernel's io_uring subsystem (versions 6.19+) via crafted SQE array mappings when IORING_SETUP_SQE_MIXED is enabled without NO_SQARRAY. By manipulating sq_array indices to point to the last physical SQE slot and submitting 128-byte operations, attackers cause a 64-byte buffer over-read during memcpy operations, potentially leaking sensitive kernel memory. Vendor patches available for affected 6.19.x branches. EPSS score of 0.02% indicates very low observed exploitation probability; no CISA KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41576 HIGH PATCH This Week

HTML injection in Brave CMS 2.0 contact form allows remote attackers to inject arbitrary HTML markup into administrative notification emails. The unauthenticated contact form passes user-supplied message text through nl2br() without HTML escaping, then renders it using Blade's unescaped {!! $msg !!} directive. While JavaScript execution is blocked by modern email clients, attackers can craft convincing phishing interfaces within the email body to target administrators. Upstream fix available via commit 6c56603, which implements HTML escaping using Laravel's e() helper function. EPSS and KEV data not provided. GitHub source diff confirms the vulnerability in ContactController.php and documents the server-side sanitization fix.

XSS Microsoft
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy