Skip to main content
CVE-2025-32750 HIGH PATCH This Week

Information disclosure in Dell PowerFlex Manager (Appliance, Rack, and core Manager) versions 4.6.2 and earlier allows unauthenticated remote attackers to enumerate server contents through exposed directory listings. The flaw carries a CVSS 7.5 (high) rating driven entirely by confidentiality impact and requires no privileges or user interaction, though no public exploit identified at time of analysis and the issue is not on CISA KEV.

Dell Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3039 HIGH PATCH This Week

Denial of service in ISC BIND 9 DNS servers configured with TKEY GSS-API authentication allows remote unauthenticated attackers to trigger excessive memory consumption by sending maliciously crafted packets. The flaw primarily impacts Active Directory-integrated DNS and Kerberos-secured DNS deployments, where service exhaustion can disrupt authentication, name resolution, and dependent enterprise services. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 7.5 score and network-reachable, unauthenticated nature warrant timely patching.

Information Disclosure Bind 9
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-45804 HIGH PATCH GHSA This Week

Remote code execution in Hugging Face diffusers (Python package, versions < 0.38.0) is achievable via a TOCTOU race between two sequential Hub downloads inside DiffusionPipeline.from_pretrained, letting a malicious repo owner bypass the trust_remote_code guard and silently execute arbitrary Python during model loading. Exploitation requires user interaction (loading a malicious repo without pinning a revision) and high attack complexity due to a sub-second race window, but no public exploit beyond the reporter's PoC is identified at time of analysis. Affected users running diffusers <0.38.0 should upgrade to 0.38.0 where the issue is fixed.

Python RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24209 HIGH This Week

Denial of service in NVIDIA Triton Inference Server can be triggered remotely without authentication via a path traversal flaw (CWE-22), enabling unauthenticated network attackers to disrupt model-serving availability. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis.

Denial Of Service Nvidia Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24210 HIGH This Week

Denial of service in NVIDIA Triton Inference Server can be triggered remotely by unauthenticated attackers via an integer overflow condition (CWE-190). The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis. Defenders running Triton in network-exposed inference deployments should prioritize patching since exploitation requires no privileges, no user interaction, and low attack complexity.

Nvidia Denial Of Service Integer Overflow
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5946 HIGH PATCH This Week

Remote denial of service in ISC BIND 9 named allows unauthenticated attackers to trigger assertion failures and crash the resolver by sending DNS messages with non-Internet classes (CHAOS, HESIOD) or meta-classes (ANY, NONE) through code paths involving recursion, dynamic UPDATE, NOTIFY, or IN-specific record processing in non-IN data. The flaw affects BIND 9.11.0 through 9.21.21 across both open-source and Supported Preview (S1) branches, with no public exploit identified at time of analysis. CVSS 7.5 reflects high availability impact with network-reachable, low-complexity, unauthenticated exploitation.

Denial Of Service Bind 9
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-9117 HIGH PATCH This Week

Sandbox escape in Google Chrome (Linux and ChromeOS) prior to 148.0.7778.179 allows a remote attacker who has already compromised the renderer process to break out via a crafted video file processed by the GFX component. The flaw is a type confusion (CWE-843) rated High severity by Chromium, with no public exploit identified at time of analysis and SSVC indicating exploitation has not been observed. It requires user interaction and chained exploitation of a prior renderer compromise, which raises the bar despite the High CVSS of 7.5.

Memory Corruption Information Disclosure Google Suse Red Hat +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-47373 HIGH PATCH This Week

Timing side-channel in the Perl module Crypt::SaltedHash through version 0.09 allows remote attackers to recover stored password hashes by measuring response-time discrepancies during hash validation. The flaw stems from use of Perl's short-circuiting `eq` operator inside the `validate()` routine, enabling byte-by-byte hash inference. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the upstream maintainer has shipped a fix in version 0.10 replacing the comparison with a constant-time routine.

Information Disclosure Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-20239 HIGH PATCH This Week

Sensitive information disclosure in Splunk Enterprise (below 10.2.2 and 10.0.5) and Splunk Cloud Platform (multiple branches below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13) allows authenticated users with a role granting access to the `_internal` index to view session cookies and response bodies containing sensitive data logged by the platform. Cisco-reported and patched by Splunk in advisory SVD-2026-0503, the issue is a CWE-532 sensitive-data-in-logs flaw rather than a remote code execution bug, with no public exploit identified at time of analysis.

Information Disclosure Splunk
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-9123 HIGH PATCH This Week

Heap buffer overflow in the Chromecast component of Google Chrome on Android, Linux, and ChromeOS prior to version 148.0.7778.179 allows an adjacent-network attacker to execute arbitrary code within the renderer sandbox via malicious network traffic. Google's Chrome team reported the issue with a Medium severity rating, and no public exploit identified at time of analysis. The vulnerability requires adjacent network positioning rather than full internet-based access, limiting practical exploitation to attackers on the same local network segment.

Google Buffer Overflow RCE Heap Overflow Chrome
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-39047 HIGH This Week

Buffer Overflow vulnerability in EPSON L14150 FL27PB allows a remote attacker to execute arbitrary code via the RAW Printing Service (JetDirect) on TCP port 9100

Buffer Overflow RCE Stack Overflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-7460 HIGH This Week

Stored cross-site scripting in the mailcow-dockerized administrator Queue Manager allows attackers who can influence Postfix queue metadata to inject HTML/JavaScript that executes in an authenticated administrator's browser. The flaw exists because the /api/v1/get/mailq/all endpoint feeds server-controlled queue fields into DataTables rows that are rendered as HTML without sufficient output encoding. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Mailcow Dockerized
NVD GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-24206 HIGH This Week

Authentication bypass in NVIDIA Triton Inference Server allows remote unauthenticated attackers to circumvent access controls, potentially leading to privilege escalation, denial of service, or information disclosure. With a CVSS 7.3 score and network-reachable attack vector (AV:N/AC:L/PR:N/UI:N), the flaw is exploitable without user interaction or credentials, though no public exploit identified at time of analysis. The vulnerability is not currently listed in CISA KEV, and EPSS data was not provided in the source intelligence.

Information Disclosure Nvidia Denial Of Service Authentication Bypass
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-29518 HIGH PATCH This Week

Local privilege escalation in Rsync daemon (versions ≤ 3.4.2) is possible via a TOCTOU symlink race when the daemon is configured with 'use chroot = no'. An authenticated local attacker with write access to a module can swap a parent directory component for a symlink between the receiver's path check and its open() call, redirecting writes outside the module and overwriting sensitive files. No public exploit identified at time of analysis, but the upstream patch in release 3.4.3 and a detailed VulnCheck advisory disclose the precise race window.

Privilege Escalation Rsync
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-20199 HIGH This Week

Command injection in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance lets an authenticated administrator upload a crafted certificate to execute arbitrary commands as root on the underlying operating system. The flaw stems from insufficient validation of user-supplied input (CWE-74) and carries a CVSS 7.2 (High) rating; the elevated impact comes from full root-level code execution despite the high-privilege precondition. No public exploit identified at time of analysis, and EPSS is very low at 0.04% (13th percentile), consistent with the CISA SSVC determination of no observed exploitation.

RCE Cisco Cisco Thousandeyes Enterprise Agent
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-22315 HIGH This Week

Privilege misassignment in Mesalvo Meona Client Launcher and Server components allows authenticated high-privilege users to abuse the built-in SQL editor to exfiltrate user records - including cleartext-stored passwords - from the application backend. The flaw affects Meona Client Launcher up to build dated 19.06.2020 15:11:49 and Meona Server Component up to 2025.04 5+323020. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Meona Client Launcher Component Meona Server Component
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-43619 HIGH PATCH This Week

Symlink race condition in Rsync 3.4.2 and earlier allows local attackers with filesystem access to redirect path-based system calls (chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, lstat) to files outside the exported rsync module boundary. The flaw affects rsync daemons configured with 'use chroot = no' and was reported by VulnCheck; no public exploit identified at time of analysis. A patched release (v3.4.3) is available from the RsyncProject upstream, which adds openat2 RESOLVE_BENEATH for secure relative path resolution.

Information Disclosure Rsync
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-7613 HIGH This Week

Stored cross-site scripting in the Cost of Goods by PixelYourSite WordPress plugin (versions ≤1.2.12) allows remote unauthenticated attackers to inject persistent JavaScript via the 'csvdata[0][cost_of_goods_value]' parameter. Injected payloads execute in the browser of any user (including administrators) who later views the affected page, enabling session hijacking and admin takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy