Skip to main content
CVE-2026-45876 MEDIUM PATCH This Month

Error handling failure in the Linux kernel's arm64 Guarded Control Stack (GCS) subsystem allows a local low-privileged user on ARMv9 hardware to trigger a kernel denial of service by exploiting an incorrect NULL check in arch_set_shadow_stack_status(). Because alloc_gcs() propagates do_mmap() failures as error-encoded pointers rather than NULL, the existing guard is bypassed and the kernel proceeds to use an invalid GCS address, risking a kernel panic. No public exploit exists and EPSS sits at the 4th percentile, but the vulnerability is confirmed patched in Linux 6.18.14, 6.19.4, and 7.0.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45854 MEDIUM PATCH This Month

Kernel panic in the Linux inside-secure/eip93 hardware crypto driver occurs when the driver teardown routine unconditionally unregisters all cryptographic algorithms, including those never registered because the underlying EIP93 silicon does not implement them. Platforms with partial EIP93 silicon support - where only a subset of algorithms are burned into hardware - trigger the panic during module removal or system shutdown. No public exploit exists and EPSS sits at the 4th percentile (0.02%), indicating this is primarily a stability defect with negligible exploitation interest rather than a targeted attack surface.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-9759 MEDIUM PATCH This Month

Null pointer dereference in Wireshark's ROHC protocol dissector causes application crashes across two active release branches, constituting a denial-of-service condition. Affected versions span Wireshark 4.6.0 through 4.6.5 and 4.4.0 through 4.4.15; patched releases 4.6.6 and 4.4.16 are available per the vendor advisory wnpa-sec-2026-51. The attack vector is local with required user interaction (CVSS AV:L/UI:R), meaning exploitation requires a victim to open a specially crafted packet capture file - no remote or automated exploitation path exists, and no public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-6053 MEDIUM This Month

Denial of service in IBM Db2 11.5.x and 12.1.x allows a low-privileged local user to crash the database engine by executing a specially crafted query against range partitioned tables. The vulnerability stems from uncontrolled resource allocation (CWE-770) during query processing, resulting in complete availability loss with no impact to confidentiality or integrity. No public exploit code exists and this vulnerability has not been listed in the CISA KEV catalog at time of analysis.

Denial Of Service IBM
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-6051 MEDIUM This Month

Denial of service in IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 allows a locally authenticated, low-privileged user to crash the database service by executing a specially crafted SQL query against an instance configured with a small statement heap. The vulnerability stems from uncontrolled resource consumption (CWE-400) during query processing, resulting in high availability impact with no confidentiality or integrity exposure. No public exploit code and no active exploitation have been identified at time of analysis; SSVC classifies exploitation status as none.

Denial Of Service IBM
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-5515 MEDIUM This Month

Sensitive information disclosure in IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 exposes potentially sensitive data via log files accessible to local users. The CVSS vector (AV:L/PR:L) confirms exploitation requires local, low-privileged authenticated access, limiting the attack surface to users already present on the system. No public exploit has been identified and CISA SSVC rates exploitation as none, but the confidentiality impact is rated High, meaning successful access to log files could yield significant sensitive data.

IBM Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-3633 MEDIUM This Month

Cross-site scripting in IBM Cognos Analytics and IBM Cognos Transformer allows a remote authenticated attacker to inject arbitrary JavaScript into the web user interface, executing in the browser context of other users within a trusted session. Affected versions span IBM Cognos Analytics 11.2.0 through 12.1.0 and IBM Cognos Transformer 11.2.4 through 12.1.0. The primary risk is credential disclosure - an attacker who can plant a payload could harvest session tokens or credentials from other authenticated users. No public exploit code exists and CISA SSVC rates exploitation as none at time of analysis.

XSS IBM
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-38931 MEDIUM This Month

Stored cross-site scripting in creatorsofcode's simplephp admin panel allows authenticated low-privileged users to inject persistent malicious scripts via the /admin/config-module.php configuration endpoint. When an administrator or privileged user subsequently views the affected page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. A proof-of-concept exists per SSVC intelligence; this CVE is not currently listed in CISA KEV.

XSS PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-6287 MEDIUM This Month

Stored Cross-Site Scripting in ShopLentor (WordPress plugin, versions ≤ 3.3.8) allows authenticated contributors to permanently embed malicious JavaScript into WordPress pages via the 'blockUniqId' attribute of Product Grid blocks. Any user who subsequently visits an injected page triggers script execution in their browser, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. EPSS is negligible at 0.03% (9th percentile), no CISA KEV listing exists, and no public exploit has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42547 MEDIUM PATCH This Month

Incorrect authorization in DFIR-IRIS before version 2.4.28 allows authenticated low-privileged users to falsely attribute security alerts to arbitrary customers, corrupting case integrity in digital forensics and incident response workflows. Discovered by SBA Research and disclosed via oss-security on 2026-05-19, this flaw enables manipulation of alert-to-customer linkage without proper authorization checks. No active exploitation has been identified at time of analysis, and a patched release (2.4.28) is available.

CSRF Authentication Bypass Apache
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45335 MEDIUM PATCH This Month

Open redirect in WeGIA before version 3.7.3 enables authenticated attackers to weaponize the trusted WeGIA domain for phishing, credential harvesting, and malware distribution by manipulating the unvalidated `nextPage` parameter at the `/WeGIA/controle/control.php` endpoint. Affected deployments include any WeGIA instance running versions prior to 3.7.3 where the control endpoint is accessible to low-privileged authenticated users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the social engineering abuse potential against users who trust the institution's domain is the primary real-world risk.

Open Redirect PHP
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13167 MEDIUM PATCH This Month

Cross-site scripting in Synology Contacts before version 1.0.10-20659 allows authenticated remote users to read or write specific files containing non-sensitive information by injecting malicious input through the contact functionality. The CVSS scope change (S:C) confirms the injected script executes in a context beyond the originating application, affecting any victim who views the crafted contact entry. No public exploit identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

XSS Synology
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-9014 MEDIUM This Month

Unauthenticated statistics reset in WP Promoter plugin (WordPress, versions ≤1.3) allows any remote attacker to permanently delete promotional bar and popup campaign analytics by exploiting a missing capability check on the reset_stats() function. The function is registered on the wp_ajax_nopriv_wpp-reset_stats action hook - WordPress's mechanism for unauthenticated AJAX access - with no nonce validation, capability check, or authentication enforcement of any kind, making the destructive operation trivially invocable via a single HTTP POST request. No public exploit code has been identified at time of analysis, EPSS is 0.06% (18th percentile), and SSVC rates exploitation as none, indicating no observed active exploitation.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-7493 MEDIUM This Month

Uncontrolled resource consumption in the Simply Schedule Appointments WordPress plugin (all versions ≤ 1.6.11.5) enables unauthenticated remote attackers to exhaust PHP-FPM or mod_php worker processes, effectively rendering the WordPress site unavailable to legitimate users. The attack surface is a publicly accessible REST endpoint (/wp-json/ssa/v1/async) that directly passes a caller-controlled delay parameter into PHP's native sleep() function with no rate limiting or input sanitization. No public exploit code has been identified at time of analysis and EPSS is very low (0.05%, 15th percentile), suggesting limited opportunistic interest so far, though the trivially low attack complexity means any actor can attempt this with no tooling.

Denial Of Service WordPress PHP
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44646 MEDIUM GHSA This Month

Prototype-chain property leakage in LiquidJS (npm/liquidjs <= 10.25.7) allows unauthenticated remote attackers to read prototype-chain properties of JavaScript objects passed to a {% render %} partial, even when the caller explicitly invoked parseAndRender() with { ownPropertyOnly: true } to lock down the render. The root cause is Context.spawn() failing to propagate the resolved per-render ownPropertyOnly value to child contexts, silently discarding a documented security override. A publicly available proof-of-concept exploit exists demonstrating that top-level {{ user.passwordHash }} is correctly blocked while the identical expression inside a {% render %} partial returns the sensitive value; no vendor-released patch is available at time of analysis.

Information Disclosure Node.js
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7254 MEDIUM This Month

Denial-of-service exposure in IBM OpenBMC firmware versions FW1110.00 through FW1110.11 allows unauthenticated remote attackers to partially degrade system availability by sending specially crafted network requests exploiting improper input quantity validation (CWE-1284). The attack requires no authentication, no user interaction, and low complexity, making it fully automatable per SSVC assessment - though no public exploit code has been identified at time of analysis. Because BMCs operate independently of the host OS and remain network-accessible even when servers are powered down, disrupting this layer carries operational risk disproportionate to the CVSS 5.3 Medium score alone.

Denial Of Service IBM
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-38808 MEDIUM This Month

SQL injection in uzy-ssm-mall v1.1.0 exposes sensitive database information to unauthenticated remote attackers via unsanitized input passed through the ProductMapper.xml MyBatis mapper and OrderUtil.java components. The vulnerability requires no authentication or user interaction, making it trivially automatable according to the SSVC framework. No public exploit identified at time of analysis, and EPSS sits at 0.04% (12th percentile), indicating low current exploitation pressure despite the permissive attack surface.

Java SQLi
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44838 MEDIUM PATCH This Month

{client_id}-sensors$', the unsanitized client_id value is embedded directly into the server-side regex, letting a crafted client_id (e.g., '.*' or 'legit|(admin)') alter the pattern's matching logic and grant access to topics the user should not reach. No public exploit has been identified at time of analysis, and the attack requires both valid MQTT credentials and a specifically configured authorization policy, but the high subsequent system impact (SC:H/SI:H per CVSS 4.0) elevates this beyond a simple medium-severity finding for affected deployments.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45334 MEDIUM PATCH GHSA This Month

Kirby CMS's content-locking feature leaks authenticated users' email addresses and internal identifiers to low-privilege Panel users who are explicitly prohibited from seeing those users under role-based `users.access` or `users.list` permission restrictions. Any low-privilege authenticated Panel user on an affected site can harvest admin email addresses and user IDs during active content lock windows (default 10 minutes) simply by triggering an edit conflict or inspecting Panel view payloads. No public exploit has been identified at time of analysis, and exploitation is bounded to sites with non-default user-visibility restrictions, but the harvested data directly enables downstream phishing, credential stuffing, and admin account enumeration.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-46544 MEDIUM This Month

Authenticated cross-client stale result replay in Microsoft UFO's WebSocket task handling allows a low-privileged attacker to retrieve another user's completed automation session output. The framework accepts client-supplied session_id values without verifying ownership, so a requester who knows or can predict a prior session's identifier can hijack its stored result via the normal send_task_end() callback path. No public exploit has been identified at time of analysis, and KEV listing is absent, but the High confidentiality impact (C:H) is significant given UFO orchestrates device automation tasks that may capture sensitive screen content, documents, or credentials.

Microsoft Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-28765 MEDIUM This Month

IBM SDI 7.2.0.0 through 7.2.0.14 and IBM Security Directory Integrator 10.0.0.0 through 10.0.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure IBM
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-47119 MEDIUM PATCH This Month

Stored cross-site scripting in Agent Zero before version 1.15 enables arbitrary JavaScript execution in the application origin by exploiting the image_get API endpoint's failure to set Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers when serving SVG files. An unauthenticated attacker (CVSS PR:N) who can write a crafted SVG to any filesystem path readable by the agent-zero process can then socially engineer an authenticated user into visiting the endpoint, causing the browser to execute embedded scripts, exfiltrate the csrf_token cookie, and issue unauthorized API calls on the victim's behalf. No public exploit has been identified at time of analysis, and SSVC classifies exploitation as none with automatable set to no, reflecting the mandatory user-interaction prerequisite.

XSS
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-67903 MEDIUM This Month

Cryptographic signature verification bypass in Northern.tech Mender Client 5 (before 5.0.4) allows unauthenticated remote attackers to circumvent JWT-based authentication controls. Tagged as both an Authentication Bypass and a JWT Attack, this CWE-347 flaw means the client fails to properly validate cryptographic signatures on tokens, potentially enabling unauthorized access to protected functionality or data. No public exploit code has been identified at time of analysis, and the low EPSS score of 0.02% (5th percentile) suggests exploitation is not currently widespread.

Jwt Attack Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-49001 MEDIUM This Month

CSRF vulnerability in ZTE ZXUniPOS NDS-LTE enables an attacker to forge authenticated cross-site requests that modify system configuration data on behalf of a high-privilege user. The CVSS vector (PR:H/UI:R/AC:H) tightly constrains exploitation: a high-privilege administrator must be actively tricked into visiting attacker-controlled content while an authenticated session is live. No public exploit code exists and no KEV listing is present; EPSS at 0.02% (4th percentile) and SSVC Exploitation=none collectively signal negligible observed real-world exploitation activity.

CSRF Zxunipos Nds Lte
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6713 MEDIUM PATCH This Month

Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated network attackers due to incorrect authorization checks (CWE-863). All GitLab installations running versions from 18.2 through the patched releases are affected - both Community and Enterprise editions. While the direct impact is limited to information disclosure (project enumeration rather than content access), exposed project names and IDs can facilitate targeted follow-on attacks against otherwise hidden repositories. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Gitlab Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4390 MEDIUM This Month

Use-after-free in TeamSpeak 3 Server versions 3.13.0 through 3.13.7 allows a low-privileged remote attacker to corrupt server memory via the process_resend_queue function within Connection State Management, resulting in limited integrity and availability impact. Discovered and disclosed by modzero.com (advisory MZ-26-01) and acknowledged by TeamSpeak via official security advisory TS-SA-2026-001, the vendor has released version 3.13.8 as the fix. No public exploit code exists and no active exploitation has been identified at time of analysis.

Denial Of Service Buffer Overflow
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-48148 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in Budibase's VectorDB configuration endpoint (versions prior to 3.35.3) allows authenticated builder-level users to supply arbitrary host values - including cloud metadata addresses such as 169.254.169.254 or localhost - causing the server to initiate outbound TCP connections to internal network resources on the attacker's behalf. No public exploit has been identified at time of analysis, though SSVC classifies exploitation status as 'poc', indicating proof-of-concept material exists. In cloud-hosted deployments, the real-world impact exceeds what the CVSS 5.3 score implies, as metadata endpoint access can expose instance credentials and enable privilege escalation.

SSRF
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-49053 MEDIUM This Month

Missing authorization in ElementsKit Elementor addons Lite (WordPress plugin by Wpmet) through version 3.9.6 allows unauthenticated remote attackers to exploit incorrectly configured access control, resulting in limited unauthorized read access to protected data or functionality. The CVSS vector confirms network-based, zero-interaction exploitation with no authentication required, and SSVC classifies it as automatable - meaning attackers can scan and exploit at scale without manual intervention. No public exploit or CISA KEV listing exists at time of analysis, but the unauthenticated, low-complexity nature of the flaw makes it a realistic target for automated WordPress scanning campaigns.

Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-47271 MEDIUM PATCH This Month

pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently stripped by standard distribution build flags, enabling a local denial-of-service against authentication subsystems. Any allocation failure in xmalloc(), xrealloc(), or xstrdup() returns NULL, which every caller then dereferences unconditionally - the intended abort-before-dereference guarantee exists only in debug builds, not in Debian, Fedora, or Arch Linux packages that define -DNDEBUG via CFLAGS. A local attacker who can induce memory pressure at authentication time causes the PAM module to crash, locking all users out of sudo and login for the duration of the crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Null Pointer Dereference Debian
NVD GitHub
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-47104 MEDIUM PATCH This Month

Out-of-bounds read in libusb's parse_iad_array() function (descriptor.c) affects all releases before 1.0.30, enabling local attackers in virtualized environments with USB passthrough to crash libusb-dependent processes via a crafted USB descriptor. The off-by-one error causes the bounds check to evaluate against the original total buffer size rather than the remaining unparsed size, allowing a one-byte read past the end of the malloc allocation when a descriptor's bLength is set to exactly (total_size - 1). No public exploit code exists and the vulnerability is absent from CISA KEV; a vendor-released patch is confirmed in v1.0.30.

Denial Of Service Buffer Overflow Information Disclosure Libusb
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48128 MEDIUM PATCH GHSA This Month

Server-side request forgery in Budibase's automation engine (versions prior to 3.39.0) allows high-privileged authenticated users to redirect outbound HTTP requests from the Budibase server to attacker-controlled internal destinations by supplying an unvalidated queryId in the executeQuery automation step. When paired with a REST datasource pointed at internal infrastructure, automation execution causes the server to fetch arbitrary internal URLs and return their responses to the caller, potentially leaking sensitive internal service data. A proof-of-concept exists per SSVC assessment; no confirmed active exploitation or CISA KEV listing at time of analysis.

SSRF
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-2607 MEDIUM This Month

Sensitive information disclosure in IBM MQ Operator and IBM-supplied MQ Advanced container images exposes potentially sensitive data written to log files, readable by local users on the host or container system. Affected versions span three release tracks (LTS, CD, SC2) across both the MQ Operator (v2.0.0 through v3.9.1) and a broad range of container image releases from 9.3.x through 9.4.x. The CVSS score of 5.1 with a local attack vector and high complexity rating confines exploitation to users with existing local or container runtime access, and no public exploit has been identified at time of analysis.

IBM Information Disclosure
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2024-47271 MEDIUM PATCH This Month

Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Synology Information Disclosure
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2024-47268 MEDIUM PATCH This Month

Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Synology
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-7618 MEDIUM This Month

Time-based blind SQL Injection in the EnvíaloSimple: Email Marketing y Newsletters WordPress plugin (all versions through 2.4.5) allows authenticated administrators to extract sensitive data from the underlying database. The vulnerability is in the 'orderby' parameter, which is insufficiently escaped and passed into existing SQL queries without adequate preparation, enabling an attacker with administrator-level WordPress credentials to append arbitrary SQL and enumerate database contents. EPSS is very low (0.03%, 8th percentile), no public exploit has been identified, and the vulnerability is not listed in CISA KEV, suggesting limited real-world exploitation pressure at this time.

SQLi WordPress
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2024-47269 MEDIUM PATCH This Month

Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Synology Information Disclosure
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-4410 MEDIUM This Month

Memory exhaustion in IBM WebSphere Application Server (Liberty 19.0.0.7-26.0.0.5, traditional WAS 8.5 and 9.0) allows an adjacent-network, low-privileged attacker to trigger uncontrolled memory consumption by sending a specially crafted request. The attack requires both network adjacency and high complexity conditions, constraining the realistic threat surface significantly compared to the High availability impact rating. No public exploit code exists and CISA SSVC rates exploitation as 'none' with technical impact classified as 'partial', placing this vulnerability in a lower operational priority tier despite the A:H component impact.

Denial Of Service IBM
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2288 MEDIUM This Month

Stored Cross-Site Scripting in the myLinksDump WordPress plugin (all versions ≤1.6) allows authenticated administrators to permanently inject arbitrary JavaScript into pages via the unsanitized 'link_title' parameter, executing in any victim's browser upon page access. Exploitation is constrained to WordPress multi-site environments or single-site installs with unfiltered_html disabled, and requires administrator-level credentials plus victim interaction. EPSS is 0.03% (9th percentile) and SSVC confirms no known exploitation, placing this firmly in a low-priority tier despite the stored XSS class.

XSS WordPress
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2280 MEDIUM This Month

Stored Cross-Site Scripting in the rexCrawler WordPress plugin (versions ≤ 1.0.15) allows authenticated administrators to inject persistent malicious scripts into settings pages, which then execute in the browsers of any user who accesses those pages. The vulnerability originates in admin_main.php at two distinct injection points (lines 108 and 239) and is constrained to multi-site WordPress environments or single-site installs where the unfiltered_html capability has been explicitly disabled. With an EPSS of 0.02% (7th percentile), no CISA KEV listing, and SSVC exploitation status of 'none', this represents a low-urgency finding despite its network-accessible attack vector. No public exploit code has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-42329 MEDIUM PATCH This Month

Open redirect in DFIR-IRIS before version 2.4.28 allows unauthenticated remote attackers to craft URLs that silently redirect authenticated users to arbitrary external domains. The CVSS Scope:Changed (S:C) component confirms the vulnerability crosses the application's trust boundary, making it a viable vector for phishing and credential harvesting campaigns targeting incident responders and forensic analysts who use the platform. No public exploit code or active exploitation has been identified at time of analysis, and no CISA KEV listing is present.

File Upload Open Redirect
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-45905 MEDIUM PATCH This Month

Race condition in the Linux kernel's XFRM ICMP route lookup path causes a kernel WARN_ON that can crash affected systems. Within `icmp_route_lookup()`, a TOCTOU window between a locality check and a subsequent `ip_route_input()` call allows a concurrently executing `ip addr add` to return a LOCAL route whose `dst.output` is set to `ip_rt_bug()` - a debugging stub that fires `WARN_ON` when invoked during ICMP error transmission. Exploitation requires local access, active XFRM/IPsec policy, and precise race-window timing; no active exploitation is confirmed and EPSS sits at 0.02%, though a public reproducer exists that requires kernel modification to reliably trigger.

Linux Race Condition Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-71303 MEDIUM PATCH This Month

Race condition in the Linux kernel's accel/amdxdna driver allows a local low-privileged user to cause device availability impact on systems equipped with AMD XDna AI accelerator hardware. The flaw in the rpm_on flag check permits command submissions to the accelerator during a narrow autosuspend transition window before the device has fully resumed, producing undefined hardware behavior or driver crashes. No public exploit exists and EPSS is at the 6th percentile (0.02%), indicating negligible real-world exploitation probability; no active exploitation is confirmed.

Linux Race Condition Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-46017 MEDIUM PATCH This Month

Race condition in the Linux kernel memory management subsystem during large-folio migration can cause kernel availability disruption on SMP/NUMA systems. The flaw in migrate_folio_move() causes a destination folio to become visible to concurrent rmap-removal paths before being requeued onto the deferred split queue, triggering a kernel WARN in deferred_split_folio() or silently losing a folio from split_queue when the shrinker races the migration lock. With no public exploit, no CISA KEV listing, and an EPSS of 0.02%, this is a low real-world risk issue primarily relevant to HPC, virtualization, and database workloads with heavy NUMA migration activity.

Nvidia Race Condition Linux Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-46008 MEDIUM PATCH This Month

Deadlock in Linux kernel DAMON (Data Access Monitor) subsystem allows a local low-privileged user or kernel code path to cause an indefinite thread hang in the mm/damon/core module via a race condition between damos_walk() request registration and kdamond_fn() exit sequencing. Systems running Linux kernels from commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 through the patch commits are affected, with availability as the sole impact (CVSS C:N/I:N/A:H). No public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating negligible real-world exploitation interest.

Race Condition Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-45949 MEDIUM This Month

Use-after-free race condition in the Linux kernel hwrng (hardware random number generator) core subsystem allows a local attacker with low privileges to crash the kernel, causing a denial of service. The race occurs when hwrng_register() and hwrng_unregister() execute concurrently, leaving the hwrng_fill pointer dirty and enabling kthread_stop() to be invoked on an already-freed task_struct - confirmed in the virtrng_remove call path, making virtualized Linux environments a primary real-world attack surface. No public exploit code exists and no active exploitation (KEV) has been confirmed; the EPSS score of 0.02% reflects minimal opportunistic exploitation activity.

Race Condition Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-46025 MEDIUM PATCH This Month

Deadlock and memory leak in the Linux kernel DAMON subsystem arise from a race condition between damon_call() request registration and kdamond_fn() thread exit, affecting systems using the Data Access MONitor (DAMON) API. A local low-privileged process can trigger the race at precisely the moment a kdamond thread is terminating - causing the calling thread to wait indefinitely for a handler that has already exited, resulting in a kernel-level availability denial. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), and the high attack complexity required to win the race significantly constrains real-world risk.

Race Condition Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-45927 MEDIUM PATCH This Month

BPF map hash verification in the Linux kernel is vulnerable to a TOCTOU race condition that allows a local low-privileged attacker to bypass integrity checks enforced by trusted BPF loaders. Userspace can call BPF_OBJ_GET_INFO_BY_FD to prime the hash cache, then modify the map contents in the race window before freezing it, causing a trusted loader to verify the original (stale) hash against the silently-altered map. No active exploitation is confirmed (not in CISA KEV) and EPSS is 0.02%, but the attack's integrity impact appears understated by the published CVSS vector, which records A:H/I:N - inconsistent with a hash-bypass that enables modified code/data to be loaded as trusted.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-49059 MEDIUM This Month

Open redirect in the Facebook for WooCommerce WordPress plugin (versions through 3.7.0) allows unauthenticated remote attackers to redirect victims to arbitrary external domains via crafted URLs. Classified under CWE-601, the vulnerability enables phishing campaigns that abuse the plugin's trusted WooCommerce domain as a delivery mechanism - victims clicking a link that appears to originate from a legitimate storefront are silently forwarded to attacker-controlled sites. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; EPSS data was not available in the provided intelligence.

Open Redirect WordPress
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-44710 MEDIUM PATCH This Month

NULL pointer dereference in pam_usb prior to 0.8.7 allows a physically present attacker to crash the PAM authentication stack by inserting a USB device whose serial, vendor, or model metadata fields are absent. The module in src/device.c passes return values from udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks, despite the GIO/UDisks2 API explicitly documenting that these accessors can return NULL for devices not exposing those fields. The result is undefined behavior - typically a SIGSEGV - that terminates the authentication process. No public exploit has been identified at time of analysis and no active exploitation is confirmed.

Null Pointer Dereference Denial Of Service
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-5516 MEDIUM This Month

Security bypass via race condition in IBM WebSphere Application Server Liberty 22.0.0.11 through 26.0.0.5 allows a remote, highly-privileged attacker to circumvent access controls during a narrow timing window, resulting in high-confidentiality-impact data exposure. The CVSS vector confirms network-based exploitation requiring high privileges and high attack complexity, constraining real-world risk significantly. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Authentication Bypass IBM Race Condition
NVD
CVSS 3.1
4.4
EPSS
0.0%
Prev Page 13 of 15 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy