Skip to main content
CVE-2026-46483 LOW PATCH Monitor

Command injection in Vim 9.x text editor allows local attackers to execute arbitrary shell commands when a user opens specially crafted .tgz archive filenames. The vulnerability exploits insufficient sanitization in the tar#Vimuntar() function's shellescape() call, enabling cmdline-special character expansion. Exploitation requires user interaction (opening the malicious archive) and high attack complexity (filename manipulation), limiting real-world risk despite the command injection class. Fixed in version 9.2.0479 via GitHub commit 3fb5e58f. No evidence of active exploitation or public POC beyond the vendor's test case.

Command Injection Vim
NVD GitHub VulDB
CVSS 3.1
3.6
EPSS
0.2%
CVE-2026-41962 LOW Monitor

HarmonyOS app management and control module permits local privilege escalation through improper permission controls, allowing unauthenticated local attackers with user interaction to access confidential service data. CVSS 3.6 (low severity) reflects local-only attack vector and requirement for user interaction, though the privilege escalation nature means affected systems warrant review for deployment context.

Privilege Escalation
NVD
CVSS 3.1
3.6
EPSS
0.0%
CVE-2026-45803 LOW PATCH GHSA Monitor

Terminal escape sequence injection in GitHub CLI 1.6.0 through 2.91.x allows authenticated attackers with pull request creation rights to inject malicious terminal control sequences into Actions workflow logs. When victims execute 'gh run view --log' or 'gh run view --log-failed' to inspect workflow runs, unsanitized escape sequences replay in their terminal, enabling window title manipulation, on-screen content alteration, or arbitrary command execution in vulnerable emulators like GNU screen. The attack requires low complexity and user interaction (victim must view logs), with impact limited to terminal integrity. CVSS score of 3.5 reflects low-severity integrity impact, though real-world risk varies significantly by terminal emulator capabilities. No active exploitation confirmed at time of analysis.

Code Injection Cli
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-4053 LOW PATCH Monitor

Authenticated users in Mattermost 11.5.x through 11.5.1 and 10.11.x through 10.11.13 can modify post attachments, properties, and pin status beyond the configured edit time window. The vulnerability bypasses the PostEditTimeLimit control via patch and update API endpoints, allowing indefinite modification of non-message post metadata after the intended edit window expires. CVSS 3.1 (Low) reflects network vector with high complexity and low-privilege requirements, while no public exploit or CISA KEV listing exists at time of analysis.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-41963 LOW Monitor

Stack overflow in Huawei HarmonyOS media platform allows local authenticated users to cause denial of service through a crafted media file that triggers stack memory exhaustion. The vulnerability requires user interaction and authenticated access (CVSS PR:L), limiting its real-world severity despite affecting availability. No public exploit code or active exploitation has been identified at the time of analysis.

Stack Overflow Buffer Overflow
NVD
CVSS 3.1
2.8
EPSS
0.0%
CVE-2025-52532 LOW Monitor

A race condition in the MxGPU-Virtualization driver’s ioctl path caused by concurrent unsynchronized access to the global variable amdgv_cmd in an unlocked ioctl handler could be exploited by an attacker to trigger a heap-based buffer overflow, potentially resulting in denial-of-service within the vulnerable system context.

Buffer Overflow Amd Radeon Pro V620 Amd Radeon Pro V710 Amd Instinct Mi250 Amd Instinct Mi308X +4
NVD
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-66660 LOW Monitor

Insufficient parameter sanitization in the AMD TEE SOC Driver's DRV_SOC_CMD_ID_SRIOV_CHECK_TA_COMPAT command handler allows high-privileged local attackers to trigger incorrect shared memory mapping via malformed parameters, potentially disclosing sensitive information. The vulnerability affects AMD Radeon RX 6000/7000, Radeon Pro W6000/W7000, and Instinct MI-series GPUs. CVSS 1.8 reflects high-privilege requirement and local-only attack vector with severe attack complexity, but the information disclosure impact and active vendor acknowledgment indicate targeted risk to privileged processes.

Information Disclosure Amd Radeon Rx 6000 Series Graphics Products Amd Radeon Rx 7000 Series Graphics Products Amd Radeon Pro W6000 Series Graphics Products Amd Radeon Pro W7000 Series Graphics Products +8
NVD
CVSS 4.0
1.8
EPSS
0.0%
CVE-2026-0428 LOW Monitor

Insufficient parameter sanitization in TEE SOC Driver on AMD Instinct MI300A, MI300X, MI308X, and MI325X accelerators allows local high-privileged attackers to issue malformed DRV_SOC_CMD_ID_SRIOV_COPY_VF_CHIPLET_REGS commands that write invalid data to remote Dies, resulting in availability impact through unexpected behavior. The vulnerability requires local access and high privileges, with a CVSS score of 1.8 indicating minimal real-world risk despite potential data integrity concerns.

Information Disclosure Amd Instinct Mi300A Amd Instinct Mi300X Amd Instinct Mi308X Amd Instinct Mi325X
NVD
CVSS 4.0
1.8
EPSS
0.0%
CVE-2024-21950 LOW Monitor

An out of bounds read in the remote management firmware could allow a privileged attacker read a limited section of memory outside of established bounds potentially resulting in loss of. Rated low severity (CVSS 1.8). No vendor patch available.

Buffer Overflow Information Disclosure Amd Instinct Mi300X Amd Instinct Mi300A Amd Instinct Mi325X +1
NVD
CVSS 4.0
1.8
EPSS
0.0%
CVE-2021-26380 LOW Monitor

A compromised Trusted OS (TOS) driver could issue a malformed call that could potentially allow memory access outside the intended range resulting in loss of integrity. Rated low severity (CVSS 1.8). No vendor patch available.

Information Disclosure Integer Overflow Amd Ryzen 5000 Series Desktop Processors With Radeon Graphics Amd Ryzen Threadripper Pro 5000 Wx Series Processors Amd Ryzen 7030 Series Mobile Processors With Radeon Graphics +25
NVD
CVSS 4.0
1.8
EPSS
0.0%
CVE-2022-23826 LOW Monitor

A TOCTOU (Time-Of-Check to Time-Of-Use) in the graphics interface may allow an attacker to load registers repeatedly creating a race condition potentially leading to a loss of integrity. Rated low severity (CVSS 1.8). No vendor patch available.

Information Disclosure Amd Ryzen 3000 Series Mobile Processors With Radeon Graphics Amd Athlon 3000 Series Mobile Processors With Radeon Graphics Amd Athlon 3000 Series Desktop Processors With Radeon Graphics Amd Ryzen Embedded R1000 Series Processors +17
NVD
CVSS 4.0
1.8
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy