347 CVEs tracked today. 23 Critical, 69 High, 92 Medium, 12 Low.
-
CVE-2026-46840
CRITICAL
CVSS 10.0
Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to compromise the service over HTTPS and pivot into adjacent products due to a scope-changing flaw. With a maximum CVSS 10.0 score and trivial exploitability (AV:N/AC:L/PR:N/UI:N), this Backend-as-a-Service component vulnerability poses critical risk, though no public exploit identified at time of analysis and no EPSS or CISA KEV signal has been provided in the available data.
Information Disclosure
Oracle
-
CVE-2026-46839
CRITICAL
CVSS 9.9
Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker over HTTPS to fully compromise the service and pivot into adjacent products via a CVSS scope change. CVSS 3.1 base score is 9.9 with attack complexity rated low, and no public exploit identified at time of analysis. The scope-change designation is the key differentiator - successful exploitation extends beyond ORDS itself into systems it fronts, most notably the backing Oracle Database.
Information Disclosure
Oracle
-
CVE-2026-46833
CRITICAL
CVSS 9.0
Net Service takeover in Oracle Database Server 23.4.0 through 23.26.2 allows unauthenticated remote attackers reaching the TLS-protected Net Service listener to fully compromise confidentiality, integrity, and availability, with scope change indicating impact on adjacent components. CVSS 9.0 reflects high impact tempered by high attack complexity (AC:H), and no public exploit identified at time of analysis. Reported and tracked in Oracle's May 2026 Critical Patch Update advisory.
Information Disclosure
Oracle
Oracle Database Server
-
CVE-2026-46824
CRITICAL
CVSS 9.9
Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows low-privileged remote attackers over HTTP to fully compromise the product with confidentiality, integrity, and availability impact. The CVSS 9.9 score reflects a scope-changing flaw whose blast radius extends to other Oracle E-Business Suite products beyond Universal Work Queue itself. No public exploit identified at time of analysis, but the low attack complexity and minimal privilege requirement make this a high-priority Oracle Critical Patch Update item.
Information Disclosure
Oracle
Oracle Universal Work Queue
-
CVE-2026-46822
CRITICAL
CVSS 9.9
Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the iAssets component and pivot into adjacent products via a scope change. The 9.9 CVSS score reflects high impact on confidentiality, integrity, and availability combined with low attack complexity; no public exploit identified at time of analysis, but Oracle's inclusion in the May 2026 Critical Patch Update warrants immediate attention.
Information Disclosure
Oracle
Oracle iAssets
-
CVE-2026-46819
CRITICAL
CVSS 9.1
Remote unauthenticated compromise of Oracle Internet Procurement Connector (a component of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows attackers to read, modify, create, or delete all data accessible to the component over HTTP. The CVSS 9.1 score reflects high confidentiality and integrity impact with low attack complexity and no privileges or user interaction required. No public exploit identified at time of analysis, but the trivial exploitability profile combined with EBS's history of being targeted (e.g., CVE-2025 Cl0p campaigns) makes this a priority patch for any internet-exposed deployment.
Authentication Bypass
Oracle
Oracle Internet Procurement Connector
-
CVE-2026-46817
CRITICAL
CVSS 9.8
Remote takeover of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible via the File Transmission component, allowing unauthenticated network-based attackers to fully compromise confidentiality, integrity, and availability (CVSS 9.8). The flaw is described by Oracle as easily exploitable over HTTP with no user interaction, and no public exploit identified at time of analysis. Tagged as Information Disclosure and listed in Oracle's May 2026 Critical Patch Update advisory.
Information Disclosure
Oracle
Oracle Payments
-
CVE-2026-46775
CRITICAL
CVSS 9.9
Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote attacker over HTTPS, with scope-changed impact extending to additional Oracle products beyond ORDS itself. Oracle rates this 9.9 CVSS due to the combination of low attack complexity, minimal privilege requirement, and full confidentiality/integrity/availability compromise; no public exploit identified at time of analysis, but the easy exploitability noted in Oracle's advisory makes this a high-priority patch target.
Information Disclosure
Oracle
Oracle REST Data Services
-
CVE-2026-45323
CRITICAL
CVSS 9.6
Stored cross-site scripting in MeshCore Card (Lovelace card for Home Assistant) prior to 0.3.3 allows any MeshCore radio node within direct or repeated mesh range to inject JavaScript into the Home Assistant frontend by setting a malicious node name. Exploitation requires a victim to view the card, and no public exploit has been identified at time of analysis, though the GHSA-5vrg-xpcj-xppc advisory confirms the issue and the 0.3.3 fix.
XSS
-
CVE-2026-45261
CRITICAL
CVSS 9.3
Remote code execution in GitButler desktop application versions prior to 0.19.7 allows attackers to execute arbitrary scripts within the Tauri webview by injecting malicious links into pull request bodies. The flaw activates when a user with forge integration enabled clicks the crafted link, leading to full compromise of the desktop client context. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-xpmj-536r-9fc6 publicly documents the issue.
RCE
Code Injection
GitButler
-
CVE-2026-45039
CRITICAL
CVSS 9.8
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remote attackers to forge valid internode RPC requests by exploiting a hardcoded fallback secret 'rustfsadmin' used when neither RUSTFS_RPC_SECRET nor the global S3 secret key is configured. With a CVSS of 9.8 and full CIA impact, this represents a critical pre-auth compromise vector against the storage cluster's internal trust boundary. No public exploit identified at time of analysis, though the fallback secret is publicly visible in the source tree, making weaponization trivial.
Authentication Bypass
-
CVE-2026-38707
CRITICAL
CVSS 9.8
Remote code execution as root in InHand Networks industrial cellular routers (IR302, IR305, IR315, IR615) allows unauthenticated network attackers to inject operating system commands through the IPSec VPN feature. The CVSS 9.8 score reflects network-reachable, low-complexity, unauthenticated exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Command Injection
N/A
-
CVE-2026-38704
CRITICAL
CVSS 9.8
Remote root command injection in InHand Networks industrial routers (IR302, IR305, IR315, IR615) allows unauthenticated network attackers to fully compromise affected devices via the WireGuard VPN feature. With CVSS 9.8 and no required privileges or user interaction, this flaw grants attackers root-level control over edge industrial networking equipment. No public exploit identified at time of analysis, but a vendor advisory (InHand-PSA-2026-05) has been published.
Command Injection
N/A
-
CVE-2026-38703
CRITICAL
CVSS 9.8
Remote unauthenticated command injection in the ZeroTier VPN feature of InHand Networks IR302, IR305, IR315, and IR615 industrial routers grants root-level code execution on affected devices. The flaw carries a CVSS 9.8 critical rating with no authentication required, exposing industrial network gateways to full compromise; no public exploit identified at time of analysis, but the vendor (InHand Networks PSA-2026-05) has acknowledged the issue.
Command Injection
N/A
-
CVE-2026-38702
CRITICAL
CVSS 9.8
Remote root command injection in InHand Networks IR302, IR305, IR315, and IR615 industrial cellular routers allows unauthenticated attackers to execute arbitrary OS commands as root via the Admin Access feature. The flaw affects IR302 V3.5.108, IR305/IR315/IR615 V1.0.118, and earlier firmware, with CVSS 9.8 reflecting network-reachable, no-auth exploitation; no public exploit identified at time of analysis but vendor PSA-2026-05 confirms the issue.
Command Injection
N/A
-
CVE-2026-34311
CRITICAL
CVSS 9.8
Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28) is achievable by unauthenticated network attackers over HTTP, per Oracle's May 2026 CPU. With CVSS 9.8 and full CIA impact, this is a critical hospitality-sector exposure, though no public exploit is identified at time of analysis and KEV status is not present. EPSS data was not supplied, so probability-of-exploitation cannot be quantified.
Information Disclosure
Oracle
Oracle Hospitality OPERA 5 Property Services
-
CVE-2026-32999
CRITICAL
CVSS 9.0
Remote code execution in Comet Backup server allows a tenant administrator to inject arbitrary code into the backup agent signing module via insufficient character filtering, ultimately running code with elevated privileges on the Comet server and on connected backup agent devices. The vendor advisory links the issue to the branding configuration path, and no public exploit has been identified at time of analysis. Combined with a CVSS 3.1 score of 9.0 (Scope: Changed), successful exploitation pivots from a single tenant context into the underlying server and downstream endpoints.
RCE
Code Injection
-
CVE-2026-32998
CRITICAL
CVSS 9.4
Remote code execution in Veeam Service Provider Console versions 9.0 through 9.2 allows authenticated remote attackers to execute arbitrary code on the server, per the CVSS 4.0 vector requiring low privileges (PR:L) over the network. With a CVSS score of 9.4 and a scope change indicating impact beyond the vulnerable component (SC:H/SI:H/SA:H), successful exploitation could compromise managed downstream customer environments. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
RCE
Service Provider Console
-
CVE-2026-24444
CRITICAL
CVSS 9.3
Unauthenticated remote root access on SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 is achievable by submitting a hardcoded credential to recovery endpoints (mgmt.php, npcmd.php) in the web management interface. Attackers can then enable filtered SSH/Telnet services to obtain persistent root-level shell access. CVSS is 9.8 with publicly available exploit code, though the CVE is not listed in CISA KEV at time of analysis.
PHP
Authentication Bypass
-
CVE-2026-9645
CRITICAL
CVSS 9.9
Remote code execution in ScadaBR allows authenticated users to abuse exposed server-side methods to create and execute arbitrary JavaScript that runs as root, resulting in full host compromise. The CVSS 9.9 rating reflects scope change and complete confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis despite the issue being formally reported by Tenable Research (TRA-2026-46).
Command Injection
-
CVE-2026-9037
CRITICAL
CVSS 9.3
Unauthorized firmware installation in the XCharge C6 charging controller stems from missing cryptographic signature verification in its management-channel update mechanism, enabling remote attackers who can interpose on or impersonate the management interface to push malicious firmware. Successful exploitation yields high-privilege code execution on the EV charging device, and the issue is tracked in CISA ICS advisory ICSA-26-148-08 with no public exploit identified at time of analysis.
Authentication Bypass
C6
-
CVE-2026-8980
CRITICAL
CVSS 9.3
Privilege escalation in Mennekes Amtron EV charging stations (firmware ≤ 5.22.3) allows a low-privileged authenticated user to overwrite credentials for the admin (operator) and manufacturer accounts through crafted POST requests, effectively granting full takeover of the charger's management interface. Publicly available exploit code exists per the CyberDanube research advisory, and the CVSS 4.0 base score of 9.3 reflects high impact across confidentiality, integrity, and availability with cascading effects on subsequent systems. Not currently listed in CISA KEV.
Privilege Escalation
-
CVE-2026-8979
CRITICAL
CVSS 9.3
Unauthenticated password reset in Mennekes Amtron EV charging stations running firmware 5.22.3 and earlier allows remote attackers to seize the operator account by sending a crafted POST to /operator/operator. A CVSS 4.0 score of 9.3 with PR:N/UI:N and CWE-287 reflects a complete authentication bypass, and the CVSS exploit maturity flag (E:P) plus the CyberDanube research disclosure indicate publicly available exploit code exists, though the vulnerability is not currently listed in CISA KEV.
Authentication Bypass
-
CVE-2026-49238
HIGH
CVSS 8.4
Virtual machine escape in Canonical Multipass before 1.16.3 allows a root user inside a guest VM to read arbitrary files on the host filesystem by bypassing the host-side sshfs_server path containment. The flaw lives in the validate_path function (CWE-22 path traversal), which uses naive string prefix matching and accepts dot-dot sequences. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV, though the technical write-up in the GHSA advisory provides enough detail to make exploitation reproducible.
Path Traversal
Canonical
-
CVE-2026-49237
HIGH
CVSS 7.8
Local privilege escalation in Canonical Multipass for macOS before 1.16.3 allows a low-privileged local user to obtain root execution by replacing co-located auxiliary binaries that the multipassd LaunchDaemon invokes via a user-writable PATH directory. The flaw is an incomplete remediation of CVE-2025-5199: while 1.16.0 corrected ownership of the multipassd binary itself, five sibling binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, sshfs_server) were left owned by the installing user and writable, enabling binary planting. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Privilege Escalation
Apple
Canonical
-
CVE-2026-49128
HIGH
CVSS 8.7
Information disclosure in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to read arbitrary directories and image files outside the configured music_directory via path traversal in the local storage plugin. The flaw, reported by VulnCheck, is exploitable through the standard MPD protocol commands listfiles and albumart, and a vendor patch is available in 0.24.11. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-based exploitation against any default-configured MPD instance reachable on its protocol port.
Path Traversal
-
CVE-2026-49127
HIGH
CVSS 8.8
Stack buffer overflow in Music Player Daemon (MPD) versions prior to 0.24.11 allows remote unauthenticated attackers to crash the daemon or potentially execute code by serving a malicious HTTP audio stream processed by the PCM decoder plugin. The flaw stems from an off-by-one miscalculation in pcm_unpack_24be (src/pcm/Pack.cxx) that writes four bytes (three attacker-controlled) past a 1365-entry int32_t stack array. No public exploit identified at time of analysis, but the upstream fix is confirmed via commit 5991102 and release 0.24.11.
RCE
Buffer Overflow
-
CVE-2026-48526
HIGH
CVSS 7.4
Authentication bypass in PyJWT versions prior to 2.13.0 allows remote attackers to forge valid JSON Web Tokens by exploiting an algorithm confusion flaw where the library fails to validate that a JSON Web Key intended for asymmetric verification is not reused as an HMAC shared secret. An attacker who knows the issuer's public key (typically distributed openly via JWKS endpoints) can sign HMAC-algorithm tokens with that public key and have them accepted as legitimate. No public exploit identified at time of analysis, though the underlying algorithm-confusion class is a well-documented JWT attack pattern.
Authentication Bypass
Python
-
CVE-2026-47762
HIGH
CVSS 8.7
Stored cross-site scripting in TinyMCE rich text editor allows authenticated attackers to inject persistent JavaScript by forging mce:protected comments that bypass the editor's sanitization layer. Affected deployments are those using the protect configuration option in versions prior to 5.11.1, 7.9.3, and 8.5.1, where malicious scripts execute when previously stored content is restored into the editor context. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 8.7 (scope-changed) rating reflects high confidentiality and integrity impact against the user's browser session.
XSS
-
CVE-2026-47761
HIGH
CVSS 8.7
Stored cross-site scripting in TinyMCE's media plugin allows authenticated attackers to inject malicious JavaScript via crafted data-mce-* attributes that execute in victim browsers when the rendered content is viewed. Affects TinyMCE versions prior to 5.11.1, 7.9.3, and 8.5.1 where the media plugin is enabled, with no public exploit identified at time of analysis despite a high CVSS score of 8.7 driven by scope change and confidentiality/integrity impact.
XSS
-
CVE-2026-47760
HIGH
CVSS 8.7
Stored/reflected cross-site scripting in TinyMCE rich text editor versions 6.8.0 through 7.0.x allows authenticated users to inject and execute arbitrary JavaScript in the context of any application embedding the editor. The flaw stems from improper SVG namespace scope handling in the built-in sanitizer, letting nested-element payloads bypass attribute sanitization. No public exploit identified at time of analysis, but the issue is disclosed via a GitHub security advisory with a CVSS of 8.7 reflecting scope change to the embedding application.
XSS
-
CVE-2026-47759
HIGH
CVSS 8.7
Stored cross-site scripting in TinyMCE rich text editor versions prior to 5.11.1, 7.9.3, and 8.5.1 allows authenticated attackers to inject malicious payloads via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes that override safe attributes during serialization. The scope-changing CVSS 8.7 score reflects that successful exploitation impacts other users viewing the rendered content, and no public exploit identified at time of analysis though the upstream GitHub advisory provides technical detail useful to researchers.
XSS
-
CVE-2026-47333
HIGH
CVSS 7.8
Out-of-bounds heap read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 stems from AppArmor SAUCE patches miscomputing an internal buffer size during notification handling, allowing an unprivileged local user to feed invalid data into the AppArmor DFA policy engine. The flaw carries a CVSS 7.8 (high) and currently has no public exploit identified at time of analysis, though Canonical has shipped an upstream kernel fix. Impact is limited to local attackers but high-severity given full CIA impact in the CVSS vector.
Buffer Overflow
Information Disclosure
Ubuntu
-
CVE-2026-47331
HIGH
CVSS 7.8
Local privilege escalation in the Ubuntu Linux 6.8 kernel stems from an AppArmor SAUCE patch that omits proper locking when modifying a linked list, enabling a race condition that can be exploited by an unprivileged local user. Successful exploitation leads to a use-after-free condition with theoretical arbitrary code execution in kernel context. No public exploit identified at time of analysis, and the issue is not present on the CISA KEV list.
RCE
Use After Free
Memory Corruption
Ubuntu
-
CVE-2026-47074
HIGH
CVSS 8.7
SNS signature verification bypass in the Elixir ex_aws_sns library (versions 2.0.1 through 2.3.4) allows remote unauthenticated attackers to forge messages that pass ExAws.SNS.verify_message/1 checks. The verify_message/1 routine fetched the signing certificate from the attacker-supplied SigningCertURL field without restricting the scheme to HTTPS or the host to an AWS SNS certificate domain, so an attacker can host their own certificate, sign a forged payload, and have verification return :ok. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the upstream fix is published on GitHub (commit 1853d28) and shipped in 2.3.5.
Authentication Bypass
-
CVE-2026-46837
HIGH
CVSS 8.8
Full product takeover of Oracle Flow Manufacturing (versions 12.2.9 through 12.2.15) is achievable by a low-privileged remote attacker via SQL-based network access, per Oracle's advisory. The flaw scores CVSS 8.8 with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. As a component of Oracle E-Business Suite, exploitation provides an attacker with control over a business-critical manufacturing execution system.
Information Disclosure
Oracle
Oracle Flow Manufacturing
-
CVE-2026-46835
HIGH
CVSS 7.5
Remote denial of service in Oracle Database Server 23.4.0 through 23.26.2 allows unauthenticated network attackers to crash or hang the Net Service component via crafted TLS traffic. The flaw scores CVSS 7.5 with availability-only impact and was disclosed by Oracle in the May 2026 Critical Patch Update; no public exploit identified at time of analysis.
Denial Of Service
Oracle
Oracle Database Server
-
CVE-2026-46834
HIGH
CVSS 7.5
Remote denial-of-service in Oracle Database Server's Net Service component (versions 23.4.0 through 23.26.2) allows unauthenticated attackers with TLS network access to hang or repeatedly crash the listener, producing a complete DoS of database connectivity. The flaw is rated CVSS 7.5 (availability-only) and was disclosed by Oracle in the May 2026 Critical Patch Update; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Denial Of Service
Oracle
Oracle Database Server
-
CVE-2026-46829
HIGH
CVSS 7.5
Remote denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated network attackers to cause a complete hang or repeatable crash of the service via the Mongoapi component over HTTPS. The vulnerability is rated CVSS 7.5 with availability-only impact and no public exploit identified at time of analysis, but the unauthenticated, low-complexity attack profile makes it operationally significant for any internet-exposed ORDS instance.
Denial Of Service
Oracle
Oracle REST Data Services
-
CVE-2026-46828
HIGH
CVSS 8.1
Unauthorized data access and modification in Oracle Payroll (a module of Oracle E-Business Suite) versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker with HTTP network access to read, create, delete, or modify any data accessible to the Oracle Payroll application. The flaw carries a CVSS 8.1 due to high confidentiality and integrity impact with low attack complexity, but no public exploit identified at time of analysis and it is not listed in CISA KEV. The advisory was published as part of Oracle's Critical Patch Update cycle (CPU May 2026).
Authentication Bypass
Oracle
Oracle Payroll
-
CVE-2026-46827
HIGH
CVSS 8.8
Account takeover in Oracle Payroll (Self Service Manager component) of Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the Payroll module over HTTP. The CVSS 3.1 base score of 8.8 reflects high impacts to confidentiality, integrity, and availability, and Oracle has issued a fix in the May 2026 Critical Patch Update. No public exploit identified at time of analysis.
Information Disclosure
Oracle
Oracle Payroll
-
CVE-2026-46826
HIGH
CVSS 8.8
Account takeover in Oracle Payroll (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker with HTTPS network access to fully compromise the Payroll application. The CVSS 8.8 vector indicates low complexity and no user interaction, meaning any authenticated EBS user can pivot to full confidentiality, integrity, and availability impact on Payroll. No public exploit identified at time of analysis, but the issue was disclosed in Oracle's Critical Patch Update advisory and warrants prompt patching given the sensitivity of payroll data.
Information Disclosure
Oracle
Oracle Payroll
-
CVE-2026-46823
HIGH
CVSS 7.7
Unauthorized data access in Oracle Public Sector Financials (International), a module of Oracle E-Business Suite versions 12.2.6 through 12.2.15, allows low-privileged remote attackers to read sensitive data across module boundaries due to a flaw in the Authorization component. The scope-changed CVSS 7.7 vector indicates exploitation can affect resources beyond the vulnerable component itself, expanding the blast radius to other EBS data. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication Bypass
Oracle
Oracle Public Sector Financials International
-
CVE-2026-46821
HIGH
CVSS 7.7
Unauthorized data access in Oracle E-Business Suite's Financials Common Modules (versions 12.2.3 through 12.2.15) allows low-privileged remote attackers to read sensitive data via HTTP, with a scope change that extends impact beyond the vulnerable component to other Oracle products. The flaw carries a CVSS 3.1 base score of 7.7 reflecting high confidentiality impact, but no public exploit has been identified at time of analysis and the issue is not currently listed in CISA KEV.
Authentication Bypass
Oracle
Oracle Financials Common Modules
-
CVE-2026-46820
HIGH
CVSS 8.5
Cross-product data exposure in Oracle Financials Common Modules (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged authenticated attacker to access or modify sensitive financial data over HTTP. The scope-changed nature of the flaw means exploitation impacts additional Oracle products beyond Financials Common Modules itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Authentication Bypass
Oracle
Oracle Financials Common Modules
-
CVE-2026-46818
HIGH
CVSS 7.4
Unauthorized data modification and disclosure in Oracle E-Business Suite (Oracle Payments component, File Transmission) versions 12.2.3 through 12.2.15 allows unauthenticated remote attackers over HTTPS to read, alter, create, or delete all Oracle Payments-accessible data. The flaw carries a CVSS 3.1 base score of 7.4 with high confidentiality and integrity impact but no availability impact, and is rated high attack complexity. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Authentication Bypass
Oracle
Oracle Payments
-
CVE-2026-46439
HIGH
CVSS 7.8
Server-side template injection in the compliance-trestle `trestle author jinja` command enables arbitrary command execution when operators process attacker-controlled OSCAL data (SSP documents or Lookup Tables). Because the renderer recursively re-evaluates already-rendered output through a non-sandboxed Jinja2 Environment, malicious Jinja expressions placed in data fields like a system title are executed in a second pass even when the template itself is trusted and static. A proof-of-concept is published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild, and the issue is not on CISA KEV.
RCE
Python
Code Injection
-
CVE-2026-46345
HIGH
CVSS 8.4
Arbitrary file write in compliance-trestle's `trestle author jinja` command allows a local user supplying a crafted `-o/--output` argument to write files anywhere the invoking user can write, due to missing validation of `../`, `..\`, and absolute paths. Affected versions are <= 3.12.1 and >= 4.0.0, < 4.0.3, with fixes in 3.12.2 and 4.0.3. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-4q5v-7g7x-j79w) includes a full reproducer; CVSS 8.4 reflects high impact on confidentiality, integrity, and availability.
RCE
Python
Path Traversal
Microsoft
-
CVE-2026-45296
HIGH
CVSS 7.7
Cross-tenant data exposure in OpenReplay self-hosted session replay suite (versions prior to 1.26.0) allows an attacker holding any valid API key for their own tenant to enumerate sessions and retrieve sensitive session event data belonging to other tenants. The flaw stems from app_apikey routes in the Python API that validate the API key and the existence of a projectKey independently, but never confirm the two belong to the same tenant. No public exploit identified at time of analysis, though the trivial nature of the abuse (substituting a browser-visible projectKey) makes weaponization straightforward.
Authentication Bypass
Python
-
CVE-2026-45044
HIGH
CVSS 8.8
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0-beta.2 allows remote attackers to repeatedly invoke profiling endpoints that the admin router whitelists from authentication. Each request triggers a fixed 60-second CPU profiling operation and leaks the server's absolute filesystem path in the response. CVSS 4.0 scores this 8.8 (High) driven by high availability impact; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Authentication Bypass
Denial Of Service
Information Disclosure
-
CVE-2026-45042
HIGH
CVSS 7.1
Improper authorization in RustFS prior to 1.0.0-beta.2 allows authenticated users to perform unauthorized cross-bucket object copies via the S3-compatible UploadPartCopy operation, bypassing destination-bucket policy constraints on permitted copy sources. The Rust-based distributed object storage system validates GetObject on the source and PutObject on the destination independently but never checks whether the destination bucket actually permits the specified source, enabling lateral data movement between buckets. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authentication Bypass
-
CVE-2026-45041
HIGH
CVSS 8.7
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded 2048-bit RSA private key (TEST_PRIVATE_KEY) shipped in crates/appauth/src/token.rs and used in production by parse_license() to verify license tokens. Any attacker who can read the public repository or extract the key from a compiled binary can mint arbitrary license tokens with any subject and expiration, defeating the license feature entirely. No public exploit identified at time of analysis, though the key material is trivially recoverable from the open-source code.
Information Disclosure
RustFS
-
CVE-2026-44604
HIGH
CVSS 7.0
Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim extracts a maliciously crafted ZIP, 7z, or GEM archive whose top-level folder name contains shell metacharacters. The flaw affects Red Hat Enterprise Linux 6 through 10 and downstream products including OpenShift Container Platform 4, Satellite 6, Red Hat Hardened Images, and Quarkus Native Builder. No public exploit identified at time of analysis, and the issue requires user interaction with an attacker-supplied archive, but successful exploitation yields full code execution under the extracting user's identity.
Command Injection
-
CVE-2026-44466
HIGH
CVSS 8.6
Command injection in Zed code editor versions prior to 0.229.0 allows bypass of the terminal tool's permission allowlist through bash arithmetic expansion syntax $((...)) nested inside permitted commands like echo. Because Zed is increasingly used with AI agent workflows that execute shell commands on behalf of the user, the bypass effectively neutralizes the safety boundary intended to gate dangerous operations. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-c99f-97vf-4h5h provides sufficient detail for a working PoC to be reconstructed.
Command Injection
-
CVE-2026-44465
HIGH
CVSS 8.6
Remote code execution in Zed code editor versions prior to 0.227.1 occurs when a user opens a folder containing a malicious .git/config file that abuses the core.fsmonitor Git configuration option. The flaw triggers even in untrusted mode, defeating the safety boundary users expect when opening unknown repositories, and no public exploit has been identified at time of analysis though the advisory is published by the vendor.
RCE
Command Injection
-
CVE-2026-44463
HIGH
CVSS 8.6
Arbitrary code execution in the Zed code editor (versions prior to 0.229.0) is possible by abusing its terminal tool permission system, which fails to account for environment-variable prefixes on allowlisted commands. An attacker who can influence what the agent runs (for example via a malicious prompt or repository content) can prepend assignments such as PAGER=/path/to/payload to a permitted command and hijack execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
RCE
-
CVE-2026-44461
HIGH
CVSS 8.6
Remote command execution in Zed code editor versions prior to 0.227.1 occurs when opening SSH or WSL remote terminals because environment variable keys are passed into a shell command string without quoting or validation. An attacker who can influence project terminal settings (for example, through a shared or malicious project) can embed shell expansions such as $(...) into env var keys, achieving arbitrary command execution on the remote host as the victim user when they open a terminal. No public exploit identified at time of analysis, but the issue is fixed in Zed 0.227.1.
Command Injection
-
CVE-2026-44358
HIGH
CVSS 8.2
Untrusted search path in Espressif's shared-github-dangerjs GitHub Action prior to 1.0.1 allows a fork pull request, when processed by a pull_request_target workflow, to substitute attacker-controlled binaries and Node.js modules for the action's own code. Exploitation yields code execution inside the action container with access to repository secrets and write-scoped GITHUB_TOKEN, with no public exploit identified at time of analysis.
Information Disclosure
Node.js
-
CVE-2026-42398
HIGH
CVSS 7.7
Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypass operator-configured egress allowlists by crafting a Webhook connector with an arbitrary target. The flaw enables Kibana to issue outbound HTTP requests to internal or otherwise restricted destinations, exposing sensitive data accessible from the Kibana host. No public exploit identified at time of analysis, and the vulnerability is not present on the CISA KEV list.
SSRF
Elastic
Kibana
-
CVE-2026-37266
HIGH
CVSS 8.0
Remote code execution in Responsive FileManager 9.14.0 enables authenticated attackers to run arbitrary code on the underlying server by abusing the force_download.php component. The CWE-98 classification points to improper control of PHP file inclusion, and while no public exploit is identified at time of analysis, the high CVSS of 8.0 reflects full confidentiality, integrity, and availability impact once a target user interacts with the attacker-supplied input.
PHP
RCE
LFI
-
CVE-2026-35676
HIGH
CVSS 8.8
Unauthenticated account takeover in phpMyFAQ before 4.1.3 allows remote attackers to forcibly reset any user's password by sending a PUT request to the /api/index.php/user/password/update endpoint with a valid username and email pair. The endpoint also leaks valid credentials through response code differentials (200 vs 409), enabling username/email enumeration before the reset. No public exploit identified at time of analysis, though a detailed PoC is published in the GHSA advisory.
PHP
Information Disclosure
-
CVE-2026-35675
HIGH
CVSS 8.8
Authentication bypass in phpMyFAQ before 4.1.3 lets any unauthenticated remote attacker reset arbitrary user passwords - including SuperAdmin - by sending a PUT request to /api/user/password/update with only a valid username/email pair, with no token, rate limit, or out-of-band confirmation. The vendor-issued GHSA-w9xh-5f39-vq89 advisory and VulnCheck disclosure document the flaw, and publicly available exploit code exists in the form of a PoC curl invocation; no CISA KEV listing or EPSS score is provided in the input.
Authentication Bypass
-
CVE-2026-35672
HIGH
CVSS 8.7
Authentication bypass in phpMyFAQ versions prior to 4.1.3 lets remote unauthenticated attackers create and modify FAQ entries, categories, and questions through the REST API v4.0 by submitting an empty x-pmf-token header that matches the default empty api.apiClientToken value. The flaw stems from strict string comparison logic that cannot distinguish an unconfigured token from an attacker-supplied empty one, exposing every default installation. No public exploit identified at time of analysis, but the GHSA advisory includes a detailed proof-of-concept walkthrough.
Authentication Bypass
-
CVE-2026-35671
HIGH
CVSS 8.7
Privilege escalation in phpMyFAQ before 4.1.3 allows any authenticated low-privilege administrator to take over SuperAdmin (userId=1) or any other account by manipulating the userId parameter in the /admin/api/user/overwrite-password PUT request. The flaw is an insecure direct object reference (IDOR) in the Admin API where authorization checks confirm only that the caller holds the generic USER_EDIT permission, never that the caller is authorized to manage the targeted account. No public exploit identified at time of analysis, but the GHSA advisory from the vendor (thorsten) publicly documents the exact vulnerable code path, making weaponization trivial.
Privilege Escalation
-
CVE-2026-35277
HIGH
CVSS 8.1
Unauthorized data access and modification in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows low-privileged remote attackers to read, create, modify, or delete any data accessible via the service. The flaw is network-reachable over HTTPS with low attack complexity (CVSS 8.1) and was disclosed by Oracle in the May 2026 Critical Patch Update. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Authentication Bypass
Oracle
Oracle Rest Data Services
-
CVE-2026-35266
HIGH
CVSS 7.9
Cross-product compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker who can lure an authenticated user into interacting with a crafted request to gain high-impact read and write access to ORDS-accessible data and cause partial denial of service. Because the CVSS scope is Changed (S:C), successful exploitation may also impact downstream Oracle components beyond ORDS itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the 7.9 base score combined with scope change warrants prompt patching.
Authentication Bypass
Denial Of Service
Oracle
Oracle Rest Data Services
-
CVE-2026-34126
HIGH
CVSS 7.3
Cleartext Bluetooth transmission in TP-Link Tapo L535E, P300, and D100C devices allows adjacent attackers to intercept and manipulate initial setup data, enabling potential unauthorized device control during onboarding. The flaw stems from missing encryption on the Bluetooth pairing channel used only during initialization, and TP-Link has released patched firmware versions for all affected models. No public exploit identified at time of analysis, but the low complexity and absence of authentication make this a meaningful risk for users provisioning devices in dense urban or office environments.
Authentication Bypass
TP-Link
Tapo L535E V1 0 V3 0
Tapo P300 V1 0
Tapo D100C V1 0
-
CVE-2026-33590
HIGH
CVSS 8.5
Privilege escalation in Portainer Community Edition stems from permissive default endpoint security settings that grant non-admin users with endpoint access the ability to create containers with bind mounts, privileged mode, host namespaces, device mappings, sysctl settings, and Linux capabilities. An authenticated low-privilege user can leverage these defaults to read arbitrary host files or break out of the container boundary to achieve root-equivalent code execution on the Docker host. Publicly available exploit code exists per CVSS v4.0 threat metrics (E:P), but the issue is not listed in CISA KEV.
Privilege Escalation
RCE
Portainer Community Edition
-
CVE-2026-32997
HIGH
CVSS 8.6
Arbitrary file write in Veeam Backup & Replication 13 (≤13.0.1) on Linux-based deployments allows an authenticated Backup Administrator to write files anywhere on the server filesystem, enabling code execution and full host compromise. CVSS 4.0 scores this 8.6 (High) due to network-reachable exploitation with high impact across confidentiality, integrity, and availability, though high privileges are required. No public exploit identified at time of analysis.
Information Disclosure
Backup And Replication
-
CVE-2026-32996
HIGH
CVSS 7.3
Local privilege escalation in Veeam Agent for Microsoft Windows enables a low-privileged authenticated user to escalate to higher privileges on the host, with the CWE-532 mapping indicating sensitive information is exposed via log files that the attacker can read or abuse. CVSS 4.0 base score is 7.3 with high impact to confidentiality, integrity, and availability of the vulnerable component, and no public exploit identified at time of analysis. The flaw is tied to the broader Veeam Backup and Replication 13 ecosystem (≤13.0.1 per ENISA EUVD), making it relevant on any Windows endpoint where the Veeam Agent is deployed alongside or as part of that platform.
Privilege Escalation
Microsoft
Backup And Replication
-
CVE-2026-32995
HIGH
CVSS 7.5
Cross-room message disclosure in Rocket.Chat allows any authenticated DDP user to read arbitrary messages - including those in private channels, direct messages, and E2EE rooms - by invoking the autoTranslate.translateMessage Meteor method with a target message ID. The flaw stems from missing access control and identity checks in the server-side method handler, with an upstream fix merged in PR #40528. No public exploit identified at time of analysis, though the trivial DDP call pattern makes weaponization straightforward.
Authentication Bypass
-
CVE-2026-32847
HIGH
CVSS 8.7
{full_path:path} in new_ui/backend/main.py. Publicly available exploit code exists (referenced in HKUDS/DeepCode issue #126 and a VulnCheck advisory), making opportunistic exploitation realistic against exposed instances. No CISA KEV listing or EPSS data was provided, but the combination of no authentication, low complexity, and a single-request exploit places this at a high operational priority for any exposed deployment.
Path Traversal
-
CVE-2026-9804
HIGH
CVSS 7.7
Arbitrary file read in KubeVirt's virt-exportserver component allows authenticated namespace users to exfiltrate sensitive files from the exporter pod via symlink-based path traversal in the VMExport directory endpoint. The flaw, reported by Red Hat and impacting Red Hat OpenShift Virtualization 4, carries a CVSS 7.7 score driven by scope change and high confidentiality impact, though no public exploit has been identified at time of analysis.
Information Disclosure
Path Traversal
-
CVE-2026-9795
HIGH
CVSS 7.3
Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows an administrator with only limited client-management rights to attach arbitrary realm roles - including highly privileged ones - to a client's scope mappings, causing those roles to be injected into user authentication tokens that traverse the modified client. The flaw affects the Red Hat Build of Keycloak per the vendor advisory and has no public exploit identified at time of analysis, but the high-privilege admin pivot makes it operationally significant in multi-tenant identity deployments.
Privilege Escalation
-
CVE-2026-9789
HIGH
CVSS 8.5
Local privilege escalation in Acer NitroSense software versions prior to 3.01.3052 allows any authenticated local user to delete arbitrary files with SYSTEM authority by abusing a weakly-ACL'd Named Pipe exposed by the PSAdminAgent service. No public exploit has been identified at time of analysis, but the issue was disclosed by Acer themselves and a patched version is available.
Privilege Escalation
Path Traversal
-
CVE-2026-9227
HIGH
CVSS 8.8
Arbitrary file upload leading to remote code execution affects the GutenBee – Gutenberg Blocks WordPress plugin in all versions through 2.20.1, enabling authenticated users with Author role or higher to upload PHP files disguised with double extensions such as shell.json.php. The flaw stems from a permissive strpos() substring check in gutenbee_file_and_ext_json that allows attackers to bypass WordPress filetype validation and execute arbitrary PHP on the server. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.
PHP
WordPress
RCE
File Upload
-
CVE-2026-9095
HIGH
CVSS 8.1
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijack any user account, including administrators, without credentials or MFA. The SAML service provider implementation lacks assertion ID caching, OneTimeUse condition enforcement, and any form of replay detection, making any intercepted assertion indefinitely reusable. No public exploit identified at time of analysis, but the vulnerability was disclosed via CERT/CC (VU#780781), indicating coordinated vendor notification.
Denial Of Service
Casdoor
-
CVE-2026-9038
HIGH
CVSS 8.6
Stack-based buffer overflow in the XCharge C6 charging controller's signal-processing logic enables an attacker with physical access to the charging interface to corrupt memory by sending oversized message fields, potentially gaining code execution with elevated privileges. Reported through CISA's ICS-CERT under advisory ICSA-26-148-08, the flaw carries a CVSS 4.0 score of 8.6 driven by high impact to confidentiality, integrity, and availability of both the vulnerable component and adjacent subsystems. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Buffer Overflow
Stack Overflow
C6
-
CVE-2026-9009
HIGH
CVSS 8.8
Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.
PHP
WordPress
RCE
File Upload
-
CVE-2026-8915
HIGH
CVSS 8.8
Out-of-bounds write in Samsung's Escargot JavaScript engine allows attacker-supplied scripts to corrupt memory through the ArrayBuffer.prototype.transfer() built-in, with high confidentiality, integrity, and availability impact (CVSS 8.8). The flaw stems from a missing length-bounds check when transferring an ArrayBuffer to a new byte length, enabling writes past the allocated buffer that can lead to remote code execution if a victim runs the malicious script. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided.
Buffer Overflow
Memory Corruption
Samsung
-
CVE-2026-8697
HIGH
CVSS 8.7
Credential brute-forcing against TP-Link Archer C64 v1 routers is possible via an undocumented debug SSH service that shares credentials with the web admin interface but enforces no authentication rate-limiting. Adjacent attackers (same Wi-Fi or LAN segment) can iterate password guesses without lockout to recover the administrator password and take full control of the router. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (High) and a vendor patch is available.
Information Disclosure
-
CVE-2026-7862
HIGH
CVSS 8.6
Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and for certain payment methods divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow; publicly available exploit code exists per WPScan, though no CISA KEV listing confirms active exploitation at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-7802
HIGH
CVSS 8.8
Privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows authenticated subscriber-level users to overwrite arbitrary user profile fields - including administrator passwords and email addresses - by supplying a chosen user_id parameter to a vulnerable Edit-User form. This authorization-bypass flaw (CWE-862) enables full administrator account takeover through direct password replacement or email-redirect password reset, and no public exploit has been identified at time of analysis. The vulnerability requires a specific misconfiguration where the form's Roles setting is left empty, which limits exploitable installs but is a common default state.
WordPress
Authentication Bypass
-
CVE-2026-7797
HIGH
CVSS 7.5
Time-based blind SQL injection in the Simply Schedule Appointments WordPress plugin (versions up to and including 1.6.11.8) allows unauthenticated remote attackers to extract sensitive database contents through the 'append_where_sql' parameter on the /appointments/bulk REST endpoint. The endpoint's permission check accepts a public nonce embedded in the booking widget's frontend JavaScript, and a PUT request with a urlencoded body bypasses the plugin's blocklist by preventing PHP from populating the relevant superglobals. No public exploit identified at time of analysis, though Wordfence has documented the technique in detail.
WordPress
SQLi
-
CVE-2026-7634
HIGH
CVSS 7.2
Stored cross-site scripting in the SlimStat Analytics WordPress plugin (versions through 5.4.11) allows unauthenticated attackers to inject arbitrary JavaScript via the User-Agent request header, which is persisted unsanitized and later rendered inside the admin Browsers report tooltip. Exploitation requires the non-default 'show_complete_user_agent_tooltip' setting to be enabled by an administrator, after which any admin viewing the affected report executes the attacker's script. No public exploit identified at time of analysis and no EPSS or CISA KEV signal is provided in the supplied data.
WordPress
XSS
-
CVE-2026-7052
HIGH
CVSS 7.2
Stored cross-site scripting in the HT Contact Form - Drag & Drop Form Builder for WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to inject persistent JavaScript via the 'file_upload' parameter, which gets rendered via dangerouslySetInnerHTML in the admin entry viewer. The injected payload executes in the browser context of any administrator who opens the affected submission, enabling session theft, privilege abuse, or arbitrary admin actions. No public exploit identified at time of analysis, and the issue requires the plugin's 'Store Submissions' setting to be enabled for the unsanitized values to persist.
WordPress
XSS
-
CVE-2026-6720
HIGH
CVSS 7.2
Credential disclosure in Tigera Calico's calicoctl CLI exposes cluster-access secrets through verbose logging output. When operators run calicoctl with --log-level=info or --log-level=debug, the tool serializes its entire connection-configuration struct (including bearer tokens, etcd passwords, and inline PEM client certificates/keys) to stderr in a single log line, making them harvestable by anyone with access to CI logs, terminal recordings, or support transcripts. The issue is patched upstream but no public exploit is identified at time of analysis; default panic-level logging means standard deployments are not exposed.
Information Disclosure
Kubernetes
Calico
Calico Enterprise
Calico Cloud
-
CVE-2026-6455
HIGH
CVSS 8.1
Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.
PHP
WordPress
Path Traversal
SQLi
Deserialization
-
CVE-2026-6226
HIGH
CVSS 8.8
Unauthenticated privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows remote attackers to create administrator accounts by submitting a crafted form payload. The flaw stems from the plugin trusting an attacker-supplied form definition passed via $_POST['_acf_form'] as an array, which bypasses the legitimate server-side form lookup and allows the role field's allowed values to be spoofed. No public exploit identified at time of analysis, but the vulnerability is reported by Wordfence and is straightforwardly weaponizable given the documented logic flaw.
WordPress
Privilege Escalation
-
CVE-2026-4944
HIGH
CVSS 8.8
Remote code execution in vLLM 0.14.1 occurs because `trust_remote_code=True` is hardcoded inside the NemotronVL and KimiK25 model loaders, silently overriding the operator's explicit `--trust-remote-code=False` safety flag. Any deployment that loads a malicious or compromised HuggingFace repository for these model architectures will execute attacker-controlled Python in the inference process, despite UI:R requiring an operator to initiate the model load. No public exploit is identified at time of analysis, but the issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, indicating the regression pattern is already well understood.
RCE
Path Traversal
-
CVE-2026-2374
HIGH
CVSS 7.2
Stored cross-site scripting in the Login No Captcha reCAPTCHA WordPress plugin (versions up to and including 1.8.0) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in an administrator's browser session. The flaw, reported by Wordfence, stems from unsanitized handling of the PHP_SELF superglobal during failed logins via non-standard endpoints such as xmlrpc.php, with no public exploit identified at time of analysis and no CISA KEV listing.
PHP
WordPress
XSS
-
CVE-2025-48977
HIGH
CVSS 8.5
Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the server by abusing the 'cmd=log' command with a crafted log path parameter. The flaw allows any low-privileged API user to escape the intended log directory and access sensitive files such as configuration, credentials, or keystores, with no public exploit identified at time of analysis.
Apache
Path Traversal
-
CVE-2026-49130
MEDIUM
CVSS 6.9
CRLF injection in Music Player Daemon (MPD) before version 0.24.11 enables network-accessible, unauthenticated attackers to embed raw CR/LF bytes into URI fields parsed from malicious XSPF playlists, injecting forged key-value lines into MPD text protocol responses - including playlistinfo, currentsong, and listplaylist outputs - as well as the persistent state file. The root mechanism is Expat's decoding of XML numeric character references before invoking the character data callback in xspf_char_data, bypassing the empty-string checks that previously served as the only guard. No public exploit code or CISA KEV listing exists at time of analysis, but the no-authentication network vector means any MPD instance that processes externally supplied playlists is exposed; the fix also extended to the ASX, PLS, and RSS playlist plugins, indicating the affected surface was broader than the CVE title implies.
Code Injection
Mpd
-
CVE-2026-49129
MEDIUM
CVSS 6.9
Server-side request forgery in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to bypass HTTP/HTTPS scheme restrictions by exploiting the CurlInputPlugin's failure to set CURLOPT_REDIR_PROTOCOLS_STR alongside CURLOPT_FOLLOWLOCATION in libcurl. An attacker who can submit URLs to MPD via commands such as add, readcomments, albumart, readpicture, or load can cause MPD to follow redirects to non-HTTP protocols including gopher, ftp, sftp, ldap, dict, rtmp, and rtsp - enabling interaction with internal or restricted network services. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the CVSS 4.0 score of 6.9 with a fully unauthenticated network attack vector warrants prompt patching on any externally accessible MPD deployment.
SSRF
Mpd
-
CVE-2026-49095
MEDIUM
CVSS 6.5
Privilege escalation in Elastic Kibana's Fleet agent policy management feature allows authenticated Fleet administrators to inject unvalidated values into a configuration override mechanism, causing Elastic Agents to be provisioned with API keys carrying elevated Elasticsearch privileges. Successful exploitation yields unauthorized read/write access to sensitive Elasticsearch security indices beyond the Fleet role's intended scope. No public exploit identified at time of analysis, and CISA KEV does not list this issue.
Privilege Escalation
Elastic
-
CVE-2026-49094
MEDIUM
CVSS 6.5
Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level access to render the service completely unavailable. By submitting a request containing an oversized input value, the attacker causes Kibana to consume excessive CPU and memory, crashing the service for all users and requiring manual intervention to restore. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the low privilege bar - viewer access only - significantly elevates real-world risk in multi-tenant or SaaS Elastic deployments.
Denial Of Service
Elastic
Kibana
-
CVE-2026-49093
MEDIUM
CVSS 6.3
Server-Side Request Forgery in Kibana allows an authenticated user holding connector management privileges to bypass the operator-configured connector allowlist, forcing the Kibana server to issue outbound HTTP requests to destinations that egress controls were explicitly designed to block. The CVSS Changed Scope (S:C) combined with high confidentiality impact (C:H) means successful exploitation extends beyond Kibana itself, potentially exposing sensitive internal network resources such as cloud metadata services or internal APIs reachable from the Kibana host. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
SSRF
Elastic
Kibana
-
CVE-2026-48735
MEDIUM
CVSS 6.9
Memory exhaustion in pypdf's XMP metadata parser allows denial of service via specially crafted PDF files containing oversized or element-dense XMP blocks, affecting all versions prior to 6.12.1. The vulnerability stems from an absence of input limits in the XML-based XMP parsing subsystem (CWE-770), meaning processing a malicious PDF can consume unbounded system memory. No public exploit code has been identified at time of analysis, and no confirmed active exploitation exists; however, the patch diff is publicly visible on GitHub, making trivial exploit construction feasible.
Denial Of Service
Python
-
CVE-2026-48525
MEDIUM
CVSS 5.3
Uncontrolled resource consumption in PyJWT 2.8.0-2.12.1 exposes any service that verifies detached JWS tokens to unauthenticated denial-of-service. When the unencoded-payload extension (b64=false, RFC 7797) is in use, PyJWT unnecessarily Base64URL-decodes the compact-serialization payload segment before discarding it in favor of the caller-supplied detached payload - turning that segment into an attacker-controlled amplifier for CPU and memory exhaustion regardless of signature validity. No public exploit has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully unauthenticated remote exploitation against any affected endpoint using this feature.
Denial Of Service
Python
-
CVE-2026-48523
MEDIUM
CVSS 5.4
Algorithm allow-list bypass in PyJWT 2.9.0-2.12.1 permits an attacker who controls a registered JWK/JWKS private key to circumvent caller-enforced algorithm restrictions during JWT signature verification. The library correctly checks the token header's alg claim against the caller-supplied allow-list, but then performs the actual cryptographic verification using the algorithm bound to the PyJWK object rather than the header-declared algorithm - creating an exploitable mismatch. Specifically, the documented PyJWKClient.get_signing_key_from_jwt() flow is affected, meaning applications relying on this pattern for algorithm-restricted JWT validation may accept tokens signed with algorithms they explicitly prohibited. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Authentication Bypass
Python
Jwt Attack
-
CVE-2026-48522
MEDIUM
CVSS 4.2
PyJWKClient in PyJWT prior to 2.13.0 passes attacker-influenced URIs directly to Python's urllib.request.urlopen() without restricting URI schemes, enabling Server-Side Request Forgery (SSRF) across file://, FTP, and data-URI schemes against applications that accept untrusted jku values. Affected deployments include any Python application using PyJWKClient where the jku URL originates from a JWT header, OAuth flow parameter, or externally influenced configuration. No public exploit exists and no CISA KEV listing is present; real-world exploitation is constrained by a CVSS-confirmed high attack complexity (AC:H) and required user interaction (UI:R), making opportunistic mass exploitation unlikely.
Python
SSRF
-
CVE-2026-48156
MEDIUM
CVSS 5.1
Denial-of-service via algorithmic complexity in pypdf before 6.12.0 allows an attacker who can supply a crafted PDF file to cause excessive processing time during cross-reference stream parsing. The vulnerability is triggered by crafting a PDF with /W [0 0 0] field values in a cross-reference stream combined with a large /Size value, which causes the library to perform unbounded iteration over zero-byte entries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, any application that processes untrusted PDF input using pypdf is exposed.
Python
Information Disclosure
-
CVE-2026-48155
MEDIUM
CVSS 4.8
Memory exhaustion in pypdf prior to 6.12.0 allows an attacker who supplies a crafted PDF to cause large memory consumption in any application that processes it using layout mode text extraction. The vulnerability is triggered by PDFs containing text positioning operators with abnormally large x- or y-coordinate offsets, causing the library to allocate unbounded whitespace and newline characters during rendering. No confirmed active exploitation exists (not in CISA KEV), and SSVC rates this as non-automatable with partial technical impact, placing it in a lower operational priority tier despite the straightforward exploitation mechanic.
Denial Of Service
Python
-
CVE-2026-47718
MEDIUM
Authentication bypass in FUXA 1.3.0-2773 renders the `secureEnabled=true` configuration ineffective, exposing project topology, alarm configurations, and scheduler data to unauthenticated or invalid-token HTTP requests. The flaw originates in `server/api/jwt-helper.js`, where `verifyToken()` silently converts missing or malformed JWT tokens into a guest context rather than rejecting the request - and downstream route handlers accept that guest context without further authorization checks. Publicly available exploit code exists (documented reproduction steps in GitHub advisory GHSA-r9g5-7q8j-958c), and a vendor-confirmed fix was released in v1.3.1.
Authentication Bypass
Information Disclosure
-
CVE-2026-47676
MEDIUM
CVSS 5.3
Path prefix stripping in Hono's app.mount() API exposes mounted sub-applications to incorrect routing due to a raw-vs-decoded URL path inconsistency, potentially allowing unauthenticated remote attackers to reach unintended endpoints and disclose protected information. All Hono versions prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit or CISA KEV listing exists at time of analysis; however, the CVSS vector AV:N/AC:L/PR:N/UI:N and the 'Information Disclosure / Request Smuggling' classification make this a meaningful priority for any deployment that relies on mount-prefix path logic for access segregation.
Information Disclosure
Request Smuggling
Hono
-
CVE-2026-47675
MEDIUM
CVSS 4.3
HTTP response header injection in Hono's cookie serialize() function allows unauthenticated remote attackers to inject arbitrary Set-Cookie attributes when an application passes user-controlled input into the sameSite or priority cookie options. All Hono releases prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit code exists at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and network-accessible vector make it exploitable wherever the affected code path is reachable by user-supplied data.
Information Disclosure
Hono
-
CVE-2026-47674
MEDIUM
CVSS 5.3
IP restriction bypass in Hono's ip-restriction middleware (hono/ip-restriction) prior to version 4.12.21 allows unauthenticated remote attackers to circumvent configured deny and allow rules by submitting non-canonical IPv6 representations of restricted addresses. String equality comparison applied after only partial normalization means that compressed, explicit-zero, or hex-notation IPv4-mapped IPv6 forms of a listed address silently fail to match the normalized rule entry, causing enforcement to be skipped entirely. No public exploit has been identified at time of analysis, but the bypass requires only trivial reformatting of a standard IPv6 address, making it practically low-effort for any attacker aware of the flaw.
Information Disclosure
Canonical
Hono
-
CVE-2026-47673
MEDIUM
CVSS 4.8
Hono's jwt and jwk middleware components fail to enforce the Bearer scheme in the Authorization header, allowing any two-part header value - such as 'Basic <token>' or 'Token <token>' - to pass JWT verification identically to a correctly formed Bearer request. All Hono releases prior to 4.12.21 on any supported JavaScript runtime are affected when these middlewares protect routes. No public exploit identified at time of analysis, and this is not listed in CISA KEV; real-world exploitation requires the attacker to already possess a valid, properly signed JWT.
Authentication Bypass
Hono
-
CVE-2026-47335
MEDIUM
CVSS 5.5
Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authenticated, unprivileged user to crash the system. The flaw resides in Ubuntu-specific SAUCE patches - out-of-tree modifications maintained by Canonical - meaning the vulnerable code path does not exist in upstream mainline kernels. With a CVSS score of 5.5 and an availability-only impact, the practical consequence is a local denial-of-service: any low-privilege user with shell access can force a kernel panic. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
Denial Of Service
Linux
Null Pointer Dereference
Ubuntu
Ubuntu Linux
-
CVE-2026-47334
MEDIUM
CVSS 5.5
Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect in Ubuntu-specific AppArmor SAUCE patches, where notification handling code incorrectly sleeps while holding a spinlock. Violating this kernel locking invariant results in kernel panic or deadlock, causing a full system crash or hang. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low-complexity, low-privilege trigger conditions make it a realistic denial-of-service risk on any multi-user Ubuntu system running the affected kernel versions.
Information Disclosure
Linux
Ubuntu
Ubuntu Linux
-
CVE-2026-47332
MEDIUM
CVSS 5.5
Out-of-bounds read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 exposes adjacent slab allocator memory to any local low-privileged user. The flaw originates in Canonical's Ubuntu-specific AppArmor SAUCE patches, which incorrectly validate the size of an internal structure during notification handling, enabling controlled reads past the intended memory boundary. No public exploit identified at time of analysis, and exploitation is strictly local; however, C:H in the CVSS vector confirms that successful exploitation can yield high-sensitivity kernel or cross-process data from slab neighbors.
Buffer Overflow
Information Disclosure
Ubuntu
Ubuntu Linux
-
CVE-2026-47328
MEDIUM
CVSS 6.1
Ubuntu Linux kernels 6.8, 6.17, and 7.0 ship Ubuntu-specific AppArmor SAUCE patches that incorrectly call kfree() on a pointer never allocated via kmalloc(), while simultaneously leaking the legitimately allocated memory. Any unprivileged local user can trigger this kernel memory management flaw, corrupting slab allocator metadata and driving the system toward resource exhaustion or instability. No public exploit code exists and no CISA KEV listing is present at time of analysis; however, CVSS rates availability impact as High given the potential for kernel-level denial of service.
Denial Of Service
Ubuntu
Ubuntu Linux
-
CVE-2026-47326
MEDIUM
CVSS 5.5
Memory exhaustion via AppArmor notification handling affects Ubuntu Linux kernel versions carrying Ubuntu-specific SAUCE patches (6.8, 6.17, 7.0). An unprivileged local user can trigger a memory leak by eliciting large responses to AppArmor userspace notifications, repeatedly consuming kernel memory without release. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified, but the low-privilege local trigger lowers the bar for insider or co-tenant abuse in multi-user and container environments.
Denial Of Service
Ubuntu
Ubuntu Linux
-
CVE-2026-47144
MEDIUM
CVSS 5.5
Path traversal in the `shame next` subcommand of shamefile (pip/npm/Rust) allows an attacker who controls a `shamefile.yaml` to read one line at a time from any file accessible to the user running the command, including files outside the repository. Affected versions are 0.1.6 and earlier across all three package ecosystems; the fix in 0.1.7 eliminates disk reads entirely by rendering snippets from the registry's cached `content` field. No public exploit identified at time of analysis, and no CISA KEV listing, but the patch commit fully documents the vulnerable code path.
Path Traversal
-
CVE-2026-47136
MEDIUM
CVSS 6.9
Unauthenticated information disclosure in RustFS exposes parsed license metadata - including license subject and expiration timestamp - via the console endpoint GET /rustfs/console/license to any network client that can reach the console listener, with no credentials required. All RustFS releases prior to 1.0.0-beta.2 are affected. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.0 confidentiality impact is rated Low given the non-sensitive nature of the disclosed data.
Information Disclosure
Rustfs
-
CVE-2026-47128
MEDIUM
CVSS 6.1
Sandbox escape in nono-cli allows a sandboxed process to fully break out of Landlock/seccomp confinement by communicating over the unmediated per-user systemd D-Bus Unix domain socket. Versions prior to 0.55.0 of the Rust CLI crate are affected, specifically when using bundled profiles such as 'claude-code' that permit bash execution. An attacker - or a prompt-injected AI coding agent - can invoke systemd-run --user from within the sandbox to spawn an unsandboxed sibling process capable of writing anywhere the launching user can write, executing arbitrary commands, and establishing network connections. A working proof-of-concept reproducer is publicly available in the GitHub Security Advisory GHSA-27vp-2mmc-vmh3; no CISA KEV listing exists at time of analysis.
Authentication Bypass
Privilege Escalation
-
CVE-2026-46843
MEDIUM
CVSS 5.3
Partial denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to degrade availability of the Core component via HTTPS. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the vulnerability is trivially reachable with no authentication, no user interaction, and no special conditions, making automated scanning and opportunistic exploitation straightforward despite the limited availability-only impact. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Oracle disclosed this through its May 2026 Critical Patch Update.
Denial Of Service
Oracle
Oracle Rest Data Services
-
CVE-2026-46842
MEDIUM
CVSS 5.3
Unauthenticated network-based data integrity compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows remote attackers to perform unauthorized insert, update, or delete operations against accessible ORDS data via HTTPS. The vulnerability resides in the Core component and is classified as an Authentication Bypass, meaning the access control enforcement in ORDS's request pipeline can be circumvented without credentials. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the exploit path is straightforward for any network-adjacent attacker.
Authentication Bypass
Oracle
Oracle Rest Data Services
-
CVE-2026-46841
MEDIUM
CVSS 5.3
Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to bypass authentication controls via HTTPS and retrieve a subset of accessible data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no special conditions are needed - any network-reachable instance is potentially exploitable without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not available in the provided intelligence, limiting exploitation urgency assessment.
Authentication Bypass
Oracle
Oracle Rest Data Services
-
CVE-2026-46830
MEDIUM
CVSS 5.3
Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by unauthenticated remote attackers via the Mongoapi component over HTTPS. The vulnerability is tagged as an Authentication Bypass, indicating the Mongoapi endpoint fails to enforce access controls, exposing a subset of data accessible through that interface. No public exploit code and no CISA KEV listing exist at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, zero-authentication exploitation is feasible at scale.
Authentication Bypass
Oracle
Oracle Rest Data Services
-
CVE-2026-46685
MEDIUM
CVSS 6.0
CORS origin reflection in RustFS's S3 listener exposes stored object data to cross-origin theft via browser-credentialed requests against all versions prior to 1.0.0-beta.2. When the RUSTFS_CORS_ALLOWED_ORIGINS environment variable is unset - the default state - the ConditionalCorsLayer middleware reflects any incoming Origin header verbatim as Access-Control-Allow-Origin while simultaneously asserting Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: *, including on preflight and error responses, nullifying the browser's same-origin policy protections. An unauthenticated attacker (PR:N) who lures a victim with ambient RustFS credentials to a malicious web page can exfiltrate object storage contents; no confirmed active exploitation (CISA KEV) and no public exploit identified at time of analysis. The fix is vendor-released in 1.0.0-beta.2.
Authentication Bypass
-
CVE-2026-46526
MEDIUM
CVSS 5.0
SSRF protection in Local Deep Research prior to version 1.6.10 can be bypassed by authenticated users through a URL parser differential between Python's urlparse and the requests/urllib3 library. By supplying a crafted URL such as http://127.0.0.1:6666\@1.1.1.1, an attacker causes urlparse to extract the public host 1.1.1.1 (passing the SSRF check) while requests actually connects to the internal address 127.0.0.1. No public exploitation has been confirmed in CISA KEV at time of analysis, but a working proof-of-concept was included in the GHSA advisory. The CVSS 5.0 score reflects the authentication barrier (PR:L) and limited confidentiality impact (C:L), though the changed scope (S:C) signals the server itself is used to pivot to otherwise-unreachable internal resources.
SSRF
Local Deep Research
-
CVE-2026-46380
MEDIUM
CVSS 6.7
Server-Side Request Forgery in compliance-trestle's HTTPSFetcher._do_fetch() allows a local low-privileged attacker to redirect outbound HTTP requests to internal services or cloud metadata endpoints such as 169.254.169.254 - enabling credential theft from AWS, GCP, or Azure instance metadata. Affected are all pip releases of compliance-trestle before 3.12.2 and versions 4.0.0 through 4.0.2. A public proof-of-concept (poc_ssrf_and_path_traversal.py) with 13 verified exploit vectors is attached to the GitHub Security Advisory GHSA-w76h-q7c6-jpjp; no confirmed active exploitation (CISA KEV) has been identified at time of analysis, and no EPSS score was provided in the input data.
Path Traversal
SSRF
-
CVE-2026-45774
MEDIUM
Arbitrary file read in IBM's compliance-trestle Python library allows any file accessible to the running process to be extracted by supplying a malicious OSCAL profile YAML with path traversal sequences in the imports[].href field. Three confirmed attack vectors exist: via the trestle:// URI scheme, via relative href paths, and via back_matter rlinks - all exploiting the same root cause in LocalFetcher. Publicly available exploit code (PoC) exists demonstrating extraction of /etc/passwd, cloud credential files, and SSH private keys; no CISA KEV listing is confirmed at time of analysis.
Python
Path Traversal
IBM
-
CVE-2026-45755
MEDIUM
Unauthenticated webhook event injection in Symfony's Mailtrap Mailer bridge (symfony/mailtrap-mailer) allows any remote attacker who knows the webhook endpoint URL to POST arbitrary forged event payloads - delivery, bounce, open, click, or spam - regardless of whether a signing secret is configured. The root cause is that `MailtrapRequestParser::doParse()` accepts the configured secret as a parameter but never reads it, leaving the `X-Mt-Signature` HMAC header completely unchecked. Successful exploitation enables suppression-list poisoning, delivery-metrics fraud, and manipulation of application logic that reacts to email events. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vendor patch is available in versions 7.4.12 and 8.0.12.
Authentication Bypass
-
CVE-2026-45754
MEDIUM
Unauthenticated webhook event injection in Symfony's Mailjet Mailer and LOX24 SMS Notifier bridges allows remote attackers to POST arbitrary forged payloads to an application's webhook endpoint, even when a webhook secret is configured. The root cause is that both `MailjetRequestParser::doParse()` and `Lox24RequestParser::doParse()` accept a secret parameter but silently discard it, returning the payload unconditionally. Attackers who can discover the webhook URL can fabricate bounce, spam, open, click, or delivery events, leading to suppression-list corruption and delivery-metrics fraud. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.
Authentication Bypass
-
CVE-2026-45307
MEDIUM
CVSS 6.1
Open redirect in Speakr's post-login redirect handler allows unauthenticated remote attackers to silently redirect authenticated users to attacker-controlled hosts via scheme-relative URLs such as '////evil.com'. The flaw stems from a logic split between the validation function - which normalizes the redirect target using urljoin() before checking safety - and the controller, which passes the raw, un-normalized target to redirect(), emitting it verbatim in the HTTP Location header. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and phishing utility make this a credible risk for self-hosted deployments.
Open Redirect
-
CVE-2026-45297
MEDIUM
CVSS 5.3
Cross-tenant Insecure Direct Object Reference (IDOR) in OpenReplay Enterprise Edition allows any authenticated user from one tenant to read, update, or delete feature-flag and assist-stats data belonging to another tenant. The vulnerability exists because ProjectAuthorizer skips its tenant-scoped authorization check when the route parameter does not exactly match the camelCase string 'projectId', and EE feature-flag queries filter only on project_id without enforcing tenant_id isolation. Affecting all EE multi-tenant deployments prior to 1.26.0, no public exploit code has been identified at time of analysis, though the sequential integer ID scheme makes enumeration trivially feasible for any authenticated attacker.
Authentication Bypass
Openreplay
-
CVE-2026-45040
MEDIUM
CVSS 5.3
RustFS distributed object storage (all versions prior to 1.0.0-beta.2) leaks sensitive credentials - including SessionTokens (JWT), SecretAccessKeys, and full JWT claim payloads - in plaintext to server logs when debug-level logging is active. Any authenticated party with read access to those log files can harvest live credentials for lateral movement or unauthorized storage access. No public exploit identified at time of analysis, but the impact of credential exposure is high if debug logging is inadvertently enabled in production. A vendor-released patch is available in 1.0.0-beta.2.
Information Disclosure
Rustfs
-
CVE-2026-44462
MEDIUM
CVSS 6.4
{var@P} prompt-string operator. Zed's terminal tool system enforces command-prefix allowlists to control what commands can be executed; the bypass exploits an incomplete input validation list (CWE-184) to chain expansions that resolve to arbitrary shell commands while appearing to match an approved prefix. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the RCE-tagged nature and CVSS High confidentiality impact make it a meaningful concern for users relying on Zed's agentic terminal tool permissions.
RCE
-
CVE-2026-44394
MEDIUM
CVSS 6.0
OpenStack Keystone's federated token rescoping mechanism allows authenticated federated users to indefinitely extend their session beyond operator-configured token lifetime policies by repeatedly calling POST /v3/auth/tokens before each token expires. The root cause is that handle_scoped_token() in the mapped authentication plugin omits the expires_at field from its response, causing the token provider to silently issue a fresh default-TTL token instead of inheriting the original token's expiry. This effectively renders token lifetime enforcement inoperative for all SAML2 and OpenID Connect-backed federated deployments running Keystone versions prior to 29.0.2. No public exploit code exists and this is not listed in CISA KEV, but the technique is trivially repeatable by any valid federated user.
Authentication Bypass
Keystone
-
CVE-2026-43000
MEDIUM
CVSS 6.0
Privilege escalation in OpenStack Keystone before 29.0.2 allows an authenticated attacker holding only the member role on a project to gain full admin access by chaining an application credential impersonation vulnerability with a logic flaw in Keystone trust delegation. When an attacker uses impersonated credentials to carry a victim admin's identity, Keystone's trust creation logic incorrectly validates delegated roles against the victim's actual database role assignments rather than the roles encoded in the requesting token - permitting the attacker to create a trust that confers the victim's admin role. The resulting trust persists independently and can be used to mint additional trusts and application credentials for sustained access, with all activity attributed to the victim's identity. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV.
Authentication Bypass
Keystone
-
CVE-2026-42999
MEDIUM
CVSS 6.0
RBAC authorization bypass in OpenStack Keystone allows any authenticated low-privilege user to inject arbitrary policy target attributes into the policy enforcement context, overwriting database-verified identity data and impersonating other users or projects. Affected deployments span Rocky (14.0.0) through all versions prior to 29.0.2, a roughly eight-year window introduced by commit 5ea59f52. No public exploit code or CISA KEV listing exists at time of analysis, but the network-exploitable, changed-scope nature of the flaw makes it a meaningful risk in multi-tenant OpenStack environments.
Authentication Bypass
Python
Keystone
-
CVE-2026-42998
MEDIUM
CVSS 6.0
User impersonation in OpenStack Keystone before 29.0.2 allows an authenticated attacker to obtain a valid Keystone token attributed to an arbitrary victim user by exploiting a missing ownership check in the application credential authentication plugin. The attacker supplies their own application credential ID and secret while embedding a different user's name and domain in the request body, and Keystone issues a project-scoped token carrying the intersection of the attacker's application credential roles and the victim's project roles. This enables audit log evasion, exposure of the victim's credentials, and unauthorized action within shared OpenStack projects. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Authentication Bypass
Keystone
-
CVE-2026-42401
MEDIUM
CVSS 4.1
Stored HTML injection in Kibana allows a low-privileged authenticated user with write access to an Elasticsearch index to persist crafted markup that is insufficiently sanitized when rendered in an affected Kibana view. When a second user opens the compromised view, their browser processes the unsanitized content, enabling unauthorized manipulation of the Kibana UI and issuing outbound network requests from the victim's browser session. No public exploit identified at time of analysis, no CISA KEV listing, and EPSS data was not provided in source intelligence.
XSS
Elastic
Kibana
-
CVE-2026-42400
MEDIUM
CVSS 6.5
Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a specially crafted compressed HTTP request payload. The root cause is an architectural ordering flaw: compressed payloads are decompressed and processed before authorization checks are applied, enabling resource exhaustion (CWE-400, CAPEC-130 Excessive Allocation) at minimal privilege cost. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity and broad authentication base (any valid Kibana login) make this a meaningful availability risk for multi-tenant or internet-exposed deployments.
Denial Of Service
Elastic
Kibana
-
CVE-2026-42399
MEDIUM
CVSS 6.5
Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny access to all users by submitting a maliciously crafted Timelion visualization expression. The Timelion expression parser fails to bound the depth of chained function call processing, causing the resulting data structure to grow exponentially and exhaust available server memory. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and minimal privilege requirements make it an accessible attack surface for any credentialed Kibana user.
Denial Of Service
Elastic
Kibana
-
CVE-2026-42250
MEDIUM
CVSS 5.1
Out-of-bounds write in bzip2's bzip2recover utility allows a local attacker to supply a specially crafted file that triggers an off-by-one error, corrupting a global buffer and crashing the process. Per the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N), the attack requires no privileges and no user interaction beyond the utility being invoked against a malicious file. Impact is strictly denial of service against the bzip2recover process - no confidentiality or integrity exposure - and the CVSS 4.0 score of 5.1 (Medium) reflects this constrained scope. No public exploit or active exploitation has been identified at time of analysis.
Buffer Overflow
Denial Of Service
Memory Corruption
-
CVE-2026-41185
MEDIUM
CVSS 6.0
Credential exposure in Tigera Calico's Azure IPAM integration causes ServiceAccount tokens, client keys, and certificate authority data to be written in plaintext to a node-local log file on every pod scheduling and termination event. Affected deployments include Calico, Calico Enterprise, and Calico Cloud when the Azure IPAM plugin is in use with token-based Kubernetes authentication. Any low-privileged principal able to read /var/log/calico/cni/cni.log on an affected node can extract these credentials and leverage them for cluster-wide Calico networking administration. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the sensitive nature of the exposed material - full Kubernetes auth credentials - makes this a meaningful lateral movement and privilege escalation risk within affected Azure-hosted Kubernetes clusters.
Information Disclosure
Kubernetes
Microsoft
-
CVE-2026-41184
MEDIUM
CVSS 6.0
Calico's install-cni init container leaks live Kubernetes ServiceAccount bearer tokens into pod logs when Canal/Flannel-Calico deployments use the __SERVICEACCOUNT_TOKEN__ placeholder, making the credential readable by any authenticated user with pods/log permission in the calico-node namespace. The exposed token carries patch privileges on pods/status, creating a lateral movement path via annotation-based attacks against cluster workloads. This is a confirmed regression of TTA-2018-001 reported by Tigera; no public exploit has been identified at time of analysis, though upstream patches are available via GitHub.
Information Disclosure
Kubernetes
-
CVE-2026-41178
MEDIUM
CVSS 5.3
CPU and log amplification in opentelemetry-go's baggage parser allows remote unauthenticated attackers to trigger denial-of-service by submitting oversized or malformed W3C baggage headers to any instrumented Go service. PR #7880 inadvertently removed the upfront raw-length check and per-member size guard from `baggage.Parse`, meaning the parser now fully tokenizes and percent-decodes every member of an arbitrarily large input rather than rejecting it early. A publicly available proof-of-concept exists (GHSA-5wrp-cwcj-q835); the vulnerability is not yet listed in CISA KEV, and impact is bounded to availability with no confirmed confidentiality or integrity consequence.
Authentication Bypass
-
CVE-2026-41160
MEDIUM
CVSS 4.3
{id}/pin endpoint, where the server returns a 403 Forbidden response but the targeted record is already persistently modified. A publicly available exploit exists; this vulnerability is not confirmed actively exploited per CISA KEV, and impact is constrained to unauthorized data integrity modification without confidentiality or availability consequences.
PHP
Authentication Bypass
-
CVE-2026-41141
MEDIUM
CVSS 6.5
EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authenticated low-privileged users to exfiltrate all field values from arbitrary Contact, Lead, Account, or User records prior to version 9.3.5. By supplying a target entity's email address as an attacker-controlled lookup key, the endpoint resolves and returns the full record without enforcing read:own or read:team ACL restrictions. A publicly available proof-of-concept exists; no confirmed active exploitation has been identified at time of analysis (CISA KEV listing absent), but the low attack complexity and public POC meaningfully elevate real-world risk.
Authentication Bypass
-
CVE-2026-33464
MEDIUM
CVSS 6.5
Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for all users by submitting an oversized, specially crafted payload to an internal API endpoint. The CVSS vector (AV:N/AC:L/PR:L/UI:N/A:H) confirms straightforward network exploitation requiring only valid low-privileged credentials with no user interaction - a low barrier for any insider or compromised account. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low complexity and authenticated-but-low-privilege condition make this a realistic risk in shared Kibana deployments.
Denial Of Service
Elastic
Kibana
-
CVE-2026-33463
MEDIUM
CVSS 5.3
Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), allowing an unauthenticated actor who possesses an expired token to retrieve content it was originally scoped to access. The flaw affects all tracked Kibana versions per the NVD CPE wildcard, and Elastic has issued a security advisory (ESA-2026-33) with patch versions. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis. The CVSS 5.3 Medium score reflects constrained confidentiality impact with no integrity or availability consequence.
Information Disclosure
Elastic
Kibana
-
CVE-2026-33462
MEDIUM
CVSS 4.6
Dashboard management path traversal in Elastic Kibana allows a low-privileged authenticated attacker to redirect administrative delete operations to unintended internal endpoints, potentially causing unauthorized deletion of user accounts or other Kibana-managed resources. Elastic's advisory ESA-2026-30 identifies fixes in versions 8.19.16 and 9.3.5, confirming the issue spans both active release branches. No public exploit code or CISA KEV listing has been identified at time of analysis, but the integrity impact of silent account deletion warrants prioritized patching in multi-tenant deployments.
Path Traversal
Elastic
Kibana
-
CVE-2026-22872
MEDIUM
Privilege escalation in Capsule (the Kubernetes multi-tenancy operator) allows authenticated tenant owners to create cluster-scoped resources - including ClusterRole and ValidatingWebhookConfiguration - by embedding them in TenantResource RawItems, bypassing tenant isolation enforced by the platform. The Capsule Controller's default cluster-admin ClusterRoleBinding means it creates whatever resource it is instructed to process, and its attempt to namespace-scope the resource via obj.SetNamespace() is silently ignored by the Kubernetes API for cluster-scoped kinds. A working proof-of-concept is publicly documented in the GHSA advisory; no CISA KEV listing has been issued at time of analysis.
Privilege Escalation
Denial Of Service
Information Disclosure
Kubernetes
-
CVE-2026-9818
MEDIUM
CVSS 4.7
Roundcube Webmail's HTML sanitizer fails to block loopback, localhost, RFC1918, link-local, and ULA addresses when rendering HTML email, even when the user has disabled remote content loading. An unauthenticated remote attacker (PR:N per CVSS) can send a crafted HTML email that - upon the victim previewing it - causes their browser to issue HTTP requests to internal or private-network services, enabling blind probing or interaction with local infrastructure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the changed scope (S:C in CVSS) reflects that impact extends to resources beyond Roundcube itself.
Information Disclosure
-
CVE-2026-9813
MEDIUM
CVSS 6.2
Server-side request forgery in FlowIntel up to version 3.3.0 allows a low-privileged authenticated user to coerce the application server into issuing HTTP HEAD requests to attacker-specified destinations - including loopback addresses, RFC 1918 private ranges, link-local cloud metadata endpoints, and other restricted network resources - via the external reference URL probe feature in app/case/task.py. The root cause is absent URL scheme filtering and missing resolved-IP validation before the outbound request is dispatched. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV, though the upstream fix commit confirms the flaw's existence and scope.
SSRF
-
CVE-2026-9807
MEDIUM
CVSS 4.3
Incorrect authorization enforcement in GitLab CE/EE permits a blocked Project Access Token to continue reading private project resources despite administrative revocation. Affected are all GitLab CE/EE instances running versions 18.9 through 18.10.6, 18.11 through 18.11.3, and 19.0.0 - patched versions 18.10.7, 18.11.4, and 19.0.1 were released 2026-05-27. A publicly available exploit exists via HackerOne report #3554993, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Authentication Bypass
Gitlab
-
CVE-2026-9806
MEDIUM
CVSS 6.3
Stored XSS in MISP CTI Transmute's notification bell dropdown allows an attacker who can control convert names to inject arbitrary JavaScript that executes in authenticated users' browsers upon opening the notification panel. The vulnerability, tracked as EUVD-2026-32728 and reported by CIRCL, stems from innerHTML-based rendering of user-controlled notification content in base.html and affects all versions prior to upstream commit cf42409 - critically, only on the development branch, not production releases. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P reflects that exploitation requires the attacker to first influence a convert name surfaced in a notification.
XSS
Cti Transmute
-
CVE-2026-9803
MEDIUM
CVSS 5.3
Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2026-9802
MEDIUM
CVSS 6.8
Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.
Authentication Bypass
Privilege Escalation
Information Disclosure
-
CVE-2026-9801
MEDIUM
CVSS 4.9
Denial of service in Keycloak's LDAP federation layer allows an authenticated realm administrator - or an attacker who has compromised an upstream LDAP server - to crash the entire Keycloak JVM by inducing an OutOfMemoryError through a malformed LDAP password policy response. Because Keycloak typically serves multiple realms from a single JVM process, a successful attack denies service to all realms on the affected node, not just the targeted one. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Denial Of Service
Java
-
CVE-2026-9798
MEDIUM
CVSS 4.3
Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.
Authentication Bypass
-
CVE-2026-9796
MEDIUM
CVSS 6.5
Privilege escalation in Red Hat Build of Keycloak allows an authenticated administrator holding the manage-clients role to exploit a Time-of-check to time-of-use (TOCTOU) race condition in name-based admin role checks, elevating their privileges to realm-admin for all users within the realm. The resulting composite role relationship is persistent - it survives both manual revocation of the attacker's original permissions and system reboots, making remediation non-trivial post-exploitation. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Privilege Escalation
-
CVE-2026-9794
MEDIUM
CVSS 5.3
Information disclosure in Red Hat Build of Keycloak exposes client protocol type to unauthenticated remote attackers via error message enumeration. By submitting specially crafted SOAP requests targeting the SAML ECP (Enhanced Client or Proxy) endpoint with varying client IDs, an attacker can observe distinct faultstring values in server responses and map which clients use which protocol types. No authentication, user interaction, or elevated privileges are required, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation is straightforward against any exposed instance. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Information Disclosure
-
CVE-2026-9793
MEDIUM
CVSS 5.9
Signature policy bypass in Red Hat Build of Keycloak's JWE request object handling allows unauthenticated remote attackers to inject unauthorized claims into the OpenID Connect authorization flow. When a JWE-encrypted request object is submitted and its decrypted content is raw JSON, Keycloak improperly skips signature verification, violating both OIDC Core and Financial-grade API (FAPI) signing requirements. No public exploit code exists at time of analysis, but the integrity-only impact (CVSS I:H) is directly relevant to authorization trust boundaries, making this high-priority for FAPI-compliant or financial-sector Keycloak deployments.
Authentication Bypass
Jwt Attack
-
CVE-2026-9792
MEDIUM
CVSS 6.5
Policy enforcement bypass in Red Hat Build of Keycloak's Client Policies framework allows unauthenticated remote attackers to obtain OAuth2 tokens via the Resource Owner Password Credentials (ROPC) grant even when an explicit `reject-ropc-grant` executor is configured to block it. The bypass is triggered specifically when certain condition providers - client-type, client-roles, client-attributes, or client-scopes - are used within the same policy, causing silent executor skipping rather than a fail-closed enforcement error. Successful exploitation results in unauthorized token issuance and potential information disclosure. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Authentication Bypass
Information Disclosure
-
CVE-2026-9791
MEDIUM
CVSS 4.3
Incorrect authorization enforcement in Red Hat Build of Keycloak allows an authenticated user with existing organization membership to retrieve organization metadata through the account API or via OIDC token requests using the 'organization' scope, even when an administrator has explicitly disabled the Organizations feature. The flaw (CWE-863) means the feature-disabled state is not enforced at the data-access layer, so tokens and API responses continue to carry organization claims. This can cause downstream resource servers that consume those tokens to make incorrect authorization decisions - for example, granting access based on organizational membership that should no longer be recognized. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.
Authentication Bypass
-
CVE-2026-9673
MEDIUM
CVSS 5.5
CSV Injection protection bypass in json-2-csv (npm) allows formula injection to survive the preventCsvInjection sanitization option when injection characters are preceded by leading spaces. Versions 3.15.0 through 5.5.10 are affected. An attacker who can supply JSON input values with space-prefixed formula strings (e.g., ' =SUM(A1:A10)') causes the resulting CSV to carry live spreadsheet formulas, which execute when a recipient opens the file in Excel, Google Sheets, or LibreOffice. Publicly available exploit code exists (Snyk/Gist POC); no confirmed active exploitation (not in CISA KEV).
Authentication Bypass
-
CVE-2026-9646
MEDIUM
CVSS 6.1
Reflected cross-site scripting in ScadaBR's URL handling allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link targeting the ScadaBR web interface. The vulnerability carries a CVSS 6.1 score with Scope:Changed, meaning injected scripts execute in a security context that can affect resources beyond the originating ScadaBR page - particularly significant given ScadaBR's role as a web-based SCADA platform managing industrial control systems. No public exploit code has been identified and it is not listed in the CISA KEV catalog at time of analysis, but the ICS/OT deployment context amplifies the potential operational impact of credential theft or session hijacking.
XSS
-
CVE-2026-9644
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the LiveSmart Video Chat WordPress plugin (all versions through 1.2) allows authenticated contributors to inject persistent malicious scripts via the 'livesmart_widget' shortcode attribute, which execute in any visitor's browser upon page load. The CVSS Scope:Changed rating confirms cross-user impact - a contributor's injected payload can hijack administrator sessions, exfiltrate cookies, or perform unauthorized actions on behalf of higher-privileged victims. No public exploit code and no CISA KEV confirmation exist at time of analysis, but the low privilege bar (contributor-level) meaningfully widens the realistic attacker pool on multi-author WordPress deployments.
WordPress
XSS
-
CVE-2026-9618
MEDIUM
CVSS 4.3
Stripe payment processing can be permanently disabled on any WooCommerce store running the PeachPay plugin through version 1.120.46 by an unauthenticated attacker who successfully social-engineers a logged-in site administrator. The vulnerability stems from missing nonce validation on the peachpay_stripe_handle_admin_actions function, allowing a forged cross-site request to irreversibly wipe all Stripe credentials - publishable keys, secret keys, webhook secrets, and Apple Pay configuration - from the WordPress database. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-exploitable at low complexity requiring only one user-interaction step.
WordPress
CSRF
Apple
-
CVE-2026-9241
MEDIUM
CVSS 4.3
Authorization bypass in FOX - Currency Switcher Professional for WooCommerce (all versions through 1.4.6) allows authenticated attackers with Subscriber-level access to impersonate higher-privileged roles - such as wholesale customers or administrators - to obtain discounted or otherwise role-restricted product pricing. The flaw stems from the plugin's fixed user-role pricing engine blindly trusting a client-supplied HTTP request parameter over the server-side session object when resolving a user's role for price calculation. No public exploit is identified at time of analysis, and real-world impact is bounded by a non-default configuration requirement, keeping the CVSS base score at 4.3.
PHP
WordPress
Authentication Bypass
-
CVE-2026-9228
MEDIUM
CVSS 4.3
Insecure Direct Object Reference in the Timetable and Event Schedule by MotoPress WordPress plugin (all versions through 2.4.16) allows authenticated contributors to bypass object-level authorization and read non-public content belonging to other users. The vulnerability exists in the action_get_event_data AJAX action, which accepts a user-controlled timeslot key with no ownership or visibility validation, exposing full WP_Post data - including post_content, post_excerpt, post_status, and post_author - for draft, pending, and private mp-event posts. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
WordPress
Authentication Bypass
-
CVE-2026-9015
MEDIUM
CVSS 4.3
Authorization bypass in the Equalize Digital Accessibility Checker WordPress plugin (all versions through 1.42.0) allows low-privileged authenticated users to corrupt accessibility audit integrity site-wide. Authenticated attackers holding subscriber-level accounts or higher can invoke AJAX endpoints in class-ajax.php to modify the ignore state, ignore reason, and ignore comment of any accessibility issue across the entire site, effectively hiding or dismissing audit findings they are not authorized to manage. The vulnerability is amplified by a mass-modification code path triggered when the largeBatch=true parameter is supplied, enabling bulk suppression of all findings sharing a common object identifier in a single request. No public exploit code or CISA KEV listing has been identified at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-8990
MEDIUM
CVSS 5.3
Authentication bypass in the Kidsview mobile application allows a person with physical access to a smartphone to gain full, unauthorized access to the device owner's account by interacting with the app's push notifications, entirely circumventing the normal login flow. Affected versions are those prior to 4.4.3, as confirmed by the vendor fix. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing, but the attack requires no credentials and no user assistance - only physical device possession.
Authentication Bypass
-
CVE-2026-8689
MEDIUM
CVSS 4.3
Missing authorization on three AJAX handlers in the Visualizer: Tables and Charts Manager plugin for WordPress (by Themeisle) allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and read or overwrite chart data owned by any site user, including administrators. The wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data actions invoke renderChartPages() and uploadData() without any current_user_can() capability check; the nonce validation in uploadData() is further trivialized by the absence of an action argument, making it bypassable with any valid WordPress nonce. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 4.0.1.
WordPress
Authentication Bypass
-
CVE-2026-8682
MEDIUM
CVSS 4.3
Authorization bypass in the WordPress '3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On' plugin (all versions through 2.0.1) permits any subscriber-level authenticated user to overwrite the plugin's entire settings store via an exposed REST API endpoint with no privilege validation. The flaw stems from CWE-862 (Missing Authorization) in the REST route handler at /wp-json/ar_try_on/v1/settings, allowing arbitrary data to be written directly to the ar_try_on_settings database option. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the low authentication bar (subscriber account) makes it accessible to a broad attacker pool on sites with open user registration.
WordPress
Authentication Bypass
-
CVE-2026-7660
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting in the Easy Updates Manager WordPress plugin (versions ≤ 9.0.20) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'paged' parameter in the pagination() function of MPSUM_List_Table.php. Successful exploitation requires social engineering a logged-in WordPress administrator into clicking a crafted URL, after which the injected script executes in the admin's browser under the site's origin - enabling session hijacking, unauthorized admin actions, or credential theft. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
WordPress
XSS
-
CVE-2026-7651
MEDIUM
CVSS 5.3
Insecure Direct Object Reference in WPEverest's User Registration & Membership WordPress plugin (all versions through 5.1.5) allows deletion of arbitrary media attachments by exploiting missing ownership validation on user-controlled attachment IDs. Authenticated users at subscriber level or above can permanently destroy any media file uploaded by any other user, including administrators, by submitting a crafted attachment ID to the plugin's frontend handler. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the low barrier to exploitation - any registered site user qualifies - elevates practical risk on membership-driven WordPress sites.
WordPress
Authentication Bypass
-
CVE-2026-7621
MEDIUM
CVSS 4.3
Unauthorized access in the SMTP2GO for WordPress plugin (all versions through 1.16.0) allows authenticated attackers holding only subscriber-level accounts to either wipe all SMTP delivery log records from the WordPress database or export a full CSV of those logs - exposing recipient addresses, sender addresses, message subjects, and API response data. The flaw stems from missing authorization checks on administrative actions within the plugin's WordPress admin class (WordpressPluginAdmin.php), meaning low-privileged users can invoke privileged log-management operations without restriction. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege bar makes this accessible to any registered WordPress user.
WordPress
Authentication Bypass
-
CVE-2026-7552
MEDIUM
CVSS 5.3
Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration data to unauthenticated remote attackers, including Google Maps API keys and GeoNames service credentials. The flaw (CWE-862 Missing Authorization) exists at specific request-handling code paths in geo-mashup.php (lines 515, 528, and 1525), where the plugin returns configuration data without verifying requester authorization. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable with no authentication, no complexity, and no user interaction required against any affected installation.
WordPress
Authentication Bypass
Google
-
CVE-2026-7533
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in Easy Digital Downloads WordPress plugin through version 3.6.7 enables payment account hijacking by exploiting the Square gateway's unprotected OAuth callback. The `handle_oauth_redirect()` function, registered on the `admin_init` hook, accepts attacker-supplied Square OAuth tokens via GET parameters with no nonce validation, allowing any unauthenticated attacker to overwrite stored Square payment credentials by tricking a logged-in administrator into clicking a crafted link. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the financial impact potential - silent redirection of all payment processing to an attacker-controlled Square account - meaningfully exceeds what the CVSS score of 4.3 conveys.
WordPress
CSRF
-
CVE-2026-7526
MEDIUM
CVSS 4.3
Sensitive information exposure in the PDF Embedder WordPress plugin (all versions through 4.9.3) allows authenticated attackers with contributor-level access or higher to extract configuration data via the enqueue_block_assets hook. The severity of impact is installation-dependent: on sites running the premium add-on with a saved license key, attackers can exfiltrate that license key; on Lite-only installations, exposed data is limited to non-sensitive viewer settings such as dimensions, toolbar preferences, and usage tracking. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
WordPress
Information Disclosure
-
CVE-2026-7048
MEDIUM
CVSS 6.5
Time-based blind SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.40) allows authenticated attackers holding contributor-level access or above to exfiltrate sensitive database contents by embedding a crafted shortcode in a post or draft. The `order_by` parameter is passed unsanitized into existing SQL queries, and the injected payload executes when the shortcode is rendered - targeting WordPress databases containing credentials, user PII, and site configuration. No public exploit code or CISA KEV listing has been identified at time of analysis, though the high confidentiality impact and low attack complexity make this a meaningful risk on any site with non-administrative contributors.
WordPress
SQLi
-
CVE-2026-6937
MEDIUM
CVSS 5.3
Missing authorization on the bulk appointments REST API endpoint in Simply Schedule Appointments WordPress plugin (all versions up to and including 1.6.11.8) permits unauthenticated mass modification and disclosure of customer appointment data. The flaw is compounded by a static, user-independent nonce embedded in the HTML source of any page rendering the [ssa_booking] shortcode, meaning a single anonymous page visit yields a credential sufficient to target every appointment in the system. An attacker can overwrite customer PII, alter payment status, and hijack meeting URLs across all bookings, or enumerate full customer records via the bulk endpoint response - no account or session required. No public exploit code and no CISA KEV listing are identified at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-6427
MEDIUM
CVSS 6.4
Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
PHP
WordPress
XSS
-
CVE-2026-5737
MEDIUM
CVSS 6.5
Server-Side Request Forgery in Independent Analytics (WordPress plugin, all versions through 2.14.9) enables unauthenticated remote attackers to inject arbitrary referrer domains into the site's analytics database and subsequently trigger server-side HTTP requests to any host - including internal network services and cloud metadata endpoints. The exploit chain combines a bypassable signature check on the public /wp-json/iawp/search REST endpoint (static salt embedded in publicly-accessible JavaScript) with a scheduled favicon fetcher that issues raw cURL requests with zero SSRF mitigations. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV, but CVSS PR:N/AC:L indicates exploitation requires no authentication and minimal complexity, particularly threatening for WordPress deployments on cloud infrastructure.
WordPress
SSRF
-
CVE-2026-4888
MEDIUM
CVSS 4.3
Unauthorized email sending in the Everest Forms WordPress plugin (all versions up to and including 3.4.7) permits any authenticated attacker with Subscriber-level access or higher to dispatch test emails to arbitrary external addresses from the hosting server. The root cause is a missing capability check on the AJAX-exposed send_test_email() function (CWE-862), enabling low-privilege users to invoke a privileged server action without authorization. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the low barrier of entry (any registered user) elevates practical risk on sites with open registration.
WordPress
Authentication Bypass
-
CVE-2026-4377
MEDIUM
CVSS 6.0
Weak default credential generation in the D-Link DWR-X1820 router exposes administrative access to adjacent-network attackers who can derive the device password from its IMEI number. All devices running firmware prior to 1.00B16CP are affected when users have not changed the factory-set password - a common real-world condition for consumer-grade routers. An attacker with knowledge of the IMEI-to-password derivation algorithm and physical or logical access to the IMEI (e.g., from the device label) can authenticate to the router admin interface without prior credentials. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Information Disclosure
D-Link
-
CVE-2026-4334
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the Shariff Wrapper WordPress plugin (all versions ≤ 4.6.20) allows authenticated Contributors to inject persistent JavaScript payloads via the 'headline' parameter of the [shariff] shortcode, which then execute in any visitor's browser upon page load. The Changed scope (S:C in CVSS) means the injected payload escapes the plugin's context and runs inside victim browsers across the full WordPress front-end, enabling session theft, credential harvesting, or drive-by redirection. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and persistent nature of stored XSS make it a meaningful risk on multi-author or open-registration WordPress installations.
WordPress
XSS
-
CVE-2026-3173
MEDIUM
CVSS 6.5
Insecure Direct Object Reference in the Meta Field Block WordPress plugin (all versions through 1.5.1) allows authenticated attackers with Contributor-level access to read arbitrary user meta, post meta, and term meta data from any object in the database by supplying unchecked object IDs and types via block attributes. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms this is remotely exploitable with low privilege and no user interaction, with a full confidentiality impact on metadata. Risk is materially elevated on sites running WooCommerce or similar plugins that persist PII - names, billing addresses, phone numbers, emails - in meta fields. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
WordPress
Authentication Bypass
Information Disclosure
-
CVE-2026-48524
LOW
CVSS 3.7
Unconstrained outbound JWKS requests in PyJWT's PyJWKClient.get_signing_key() allow unauthenticated remote attackers to amplify HTTP traffic toward a downstream JWKS endpoint by submitting JWTs carrying arbitrary, unrecognized kid values. All PyJWT versions prior to 2.13.0 are affected when the PyJWKClient class is used for signature verification. The availability impact is low (CVSS A:L) and exploitation success is gated on the upstream JWKS provider exhibiting rate limiting or transient failures; no public exploit code exists and this CVE does not appear in CISA KEV.
Python
Information Disclosure
-
CVE-2026-47337
LOW
CVSS 3.3
NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local user to trigger a kernel oops, resulting in a denial of service. The flaw resides specifically in Ubuntu's out-of-tree SAUCE patches for AF_INET/AF_INET6 socket mediation - mainline Linux kernel builds are unaffected. No active exploitation is confirmed (not in CISA KEV), no public exploit has been identified at time of analysis, and the CVSS score of 3.3 (Low) accurately reflects the constrained impact: local access only, no confidentiality or integrity loss, and limited availability degradation.
Denial Of Service
Linux
Null Pointer Dereference
Ubuntu
-
CVE-2026-47336
LOW
CVSS 3.3
Uninitialized variable use in Ubuntu Linux 6.8's AppArmor AF_INET/AF_INET6 socket mediation code allows an authenticated local user to cause incorrect enforcement of fine-grained network socket access controls. The flaw resides in Ubuntu-specific SAUCE patches layered on top of the mainline Linux 6.8 kernel, meaning it is not present in upstream distributions. No public exploit code or active exploitation has been identified at time of analysis; Canonical has issued a fix via the Ubuntu Noble kernel repository.
Information Disclosure
Ubuntu
-
CVE-2026-47330
LOW
CVSS 3.3
Incorrect caching of AppArmor notification responses in Ubuntu Linux kernel versions 6.8, 7.17, and 7.0 stems from an uninitialized variable (CWE-457) in Ubuntu-specific AppArmor SAUCE patch code. An unprivileged local user can trigger this bug to corrupt the AppArmor notification response cache, producing a low-severity integrity impact. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; the CVSS score of 3.3 (Low) reflects its constrained local-only, limited-impact nature.
Information Disclosure
Ubuntu
Ubuntu Linux
-
CVE-2026-47329
LOW
CVSS 3.3
Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) improperly validate the size of the name field in AppArmor notification responses, allowing a local low-privileged user to trigger handling of crafted responses with potential limited integrity impact. The vulnerability carries a CVSS score of 3.3 (Low) with a local attack vector, restricted to integrity effects only and no confidentiality or availability consequences. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.
Information Disclosure
Ubuntu
Ubuntu Linux
-
CVE-2026-47327
LOW
CVSS 3.3
NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash the kernel via the AppArmor notification handling path. The flaw exists exclusively in Ubuntu-specific SAUCE patches layered on top of the upstream Linux kernel, meaning only Ubuntu kernels carrying these versions are affected - not upstream Linux or other distributions. No public exploit code or active exploitation has been identified at time of analysis; the impact is limited to a kernel oops (availability loss, CVSS A:L), with no confidentiality or integrity impact.
Denial Of Service
Linux
Null Pointer Dereference
Ubuntu
Ubuntu Linux
-
CVE-2026-46644
LOW
Symfony's polyfill-intl-idn library (versions 1.17.1–1.38.0) silently accepts malformed Punycode ACE labels — specifically `xn--` prefixed labels whose decoded payload is empty or contains only ASCII characters — which native PHP ext-intl correctly rejects. This divergence allows attackers to craft domain names such as `poc.xn--kc1zs4-.com` that the polyfill normalizes to `poc.kc1zs4.com`, causing hostname blacklist bypasses and inconsistent URL parsing in applications that rely on the polyfill for canonicalization or security-sensitive hostname comparisons. The flaw directly enables server-side request forgery (SSRF) in affected deployments, mirrors the pattern established by CVE-2024-12224, and no public exploit has been identified at time of analysis beyond the proof-of-concept inputs included in the vendor advisory.
SSRF
-
CVE-2026-46241
None
In the Linux kernel, the following vulnerability has been resolved:
spi: mpc52xx: fix use-after-free on registration failure
Make sure to disable and free the interrupts in case controller
registration fails to avoid a potential use-after-free and resource
leak.
This issue was flagged by Sashiko ...
Information Disclosure
Linux
-
CVE-2026-46240
None
In the Linux kernel, the following vulnerability has been resolved:
media: iris: Fix use-after-free in iris_release_internal_buffers()
The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy
internal buffers after FW releases") introduced a regression where
session_release_buf() may ...
Information Disclosure
Linux
-
CVE-2026-46239
None
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl
Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly
return without calling pm_runtime_put(), causing runtime PM reference
count leaks.
Change these case...
Information Disclosure
Linux
-
CVE-2026-46238
None
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: stop caching unowned originator pointers in BAT IV
BAT IV keeps the last-hop neighbor address in each neigh_node, but some
paths also cache an originator pointer derived from a temporary lookup.
That pointer is not own...
Information Disclosure
Linux
-
CVE-2026-46237
None
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/vcn3: Avoid overflow on msg bound check
As pointed out by SDL, the previous condition may be vulnerable to
overflow.
(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)
Buffer Overflow
Linux
-
CVE-2026-46236
None
In the Linux kernel, the following vulnerability has been resolved:
media: rc: xbox_remote: heed DMA restrictions
The buffer for IO must not be part of the device structure
because that violates the DMA coherency rules.
Information Disclosure
Linux
-
CVE-2026-46235
None
In the Linux kernel, the following vulnerability has been resolved:
media: saa7164: add ioremap return checks and cleanups
Add checks for ioremap return values in saa7164_dev_setup(). If
ioremap for BAR0 or BAR2 fails, release the already allocated PCI
memory regions, remove the device from the gl...
Denial Of Service
Linux
-
CVE-2026-46234
None
In the Linux kernel, the following vulnerability has been resolved:
vsock: fix buffer size clamping order
In vsock_update_buffer_size(), the buffer size was being clamped to the
maximum first, and then to the minimum. If a user sets a minimum buffer
size larger than the maximum, the minimum check ...
Information Disclosure
Linux
-
CVE-2026-46233
None
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: bla: only purge non-released claims
When batadv_bla_purge_claims() goes through the list of claims, it is only
traversing the hash list with an rcu_read_lock(). Due to a potential
parallel batadv_claim_put(), it can ha...
Information Disclosure
Linux
-
CVE-2026-46232
None
In the Linux kernel, the following vulnerability has been resolved:
HID: playstation: Clamp num_touch_reports
A device would never lie about the number of touch reports would it?
If it does the loop in dualshock4_parse_report will read off the end of
the touch_reports array, up to about 2 KiB for...
Information Disclosure
Linux
-
CVE-2026-46231
None
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: bla: put backbone reference on failed claim hash insert
When batadv_bla_add_claim() fails to insert a new claim into the hash, it
leaked a reference to the backbone_gw for which the claim was intended.
Call batadv_back...
Information Disclosure
Linux
-
CVE-2026-46230
None
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
Check bounds against the end of the BO whenever we access the msg.
Information Disclosure
Linux
-
CVE-2026-46229
None
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE
but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated
VRAM with stale data from prior ...
Information Disclosure
Linux
-
CVE-2026-46228
None
In the Linux kernel, the following vulnerability has been resolved:
spi: ch341: fix devres lifetime
USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers ...
Information Disclosure
Linux
-
CVE-2026-46227
None
In the Linux kernel, the following vulnerability has been resolved:
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs. ...
Information Disclosure
Linux
-
CVE-2026-46226
None
In the Linux kernel, the following vulnerability has been resolved:
spi: fsl: fix controller deregistration
Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.
Information Disclosure
Linux
-
CVE-2026-46225
None
In the Linux kernel, the following vulnerability has been resolved:
spi: rspi: fix controller deregistration
Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.
Information Disclosure
Linux
-
CVE-2026-46224
None
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure
When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo
is not freed. Add xe_bo_free(storage) before returning the error.
xe_dma_buf_init_obj() cal...
Information Disclosure
Linux
-
CVE-2026-46223
None
In the Linux kernel, the following vulnerability has been resolved:
cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated
A chain of commits going back to v7.0 reworked rmdir to satisfy the
controller invariant that a subsystem's ->css_offline() must not run while
tasks are still ...
Information Disclosure
Linux
-
CVE-2026-46222
None
In the Linux kernel, the following vulnerability has been resolved:
media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads
The pads missed checks for connected devices which may cause a null dereference
when the stream is enabled.
Unable to handle kernel NULL pointer dereference at virtual addre...
Denial Of Service
Linux
-
CVE-2026-46221
None
In the Linux kernel, the following vulnerability has been resolved:
EDAC/versalnet: Fix device name memory leak
The device name allocated via kzalloc() in init_one_mc() is assigned to
dev->init_name but never freed on the normal removal path. device_register()
copies init_name and then sets dev->...
Information Disclosure
Linux
-
CVE-2026-46220
None
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions
that verify fence writeback addresses are dword-aligned. These
assertions can be reached from ...
Denial Of Service
Linux
-
CVE-2026-46219
None
In the Linux kernel, the following vulnerability has been resolved:
spi: mpc52xx: fix use-after-free on unbind
The state machine work is scheduled by the interrupt handler and
therefore needs to be cancelled after disabling interrupts to avoid a
potential use-after-free.
Information Disclosure
Linux
-
CVE-2026-46218
None
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Add bounds checking to ib_{get,set}_value
The uvd/vce/vcn code accesses the IB at predefined offsets without
checking that the IB is large enough. Check the bounds here. The caller
is responsible for making sure it can...
RCE
Linux
-
CVE-2026-46217
None
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/vcn4: Avoid overflow on msg bound check
As pointed out by SDL, the previous condition may be vulnerable to
overflow.
(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)
Buffer Overflow
Linux
-
CVE-2026-46216
None
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
When media GT is disabled via configfs, there is no allocation for
media_gt, which is kept as NULL. In such scenario,
intel_hdcp_gsc_check_status() results...
Information Disclosure
Linux
-
CVE-2026-46215
None
In the Linux kernel, the following vulnerability has been resolved:
drm: Set old handle to NULL before prime swap in change_handle
There was a potential race condition in change_handle. The ioctl
briefly had a single object with two idr entries; a concurrent
gem_close could delete the object and r...
Information Disclosure
Linux
-
CVE-2026-46214
None
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix accept queue count leak on transport mismatch
virtio_transport_recv_listen() calls sk_acceptq_added() before
vsock_assign_transport(). If vsock_assign_transport() fails or
selects a different transport, the error...
Information Disclosure
Linux
-
CVE-2026-46213
None
In the Linux kernel, the following vulnerability has been resolved:
HID: appletb-kbd: fix UAF in inactivity-timer cleanup path
Commit 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in
appletb_kbd_probe") added timer_delete_sync(&kbd->inactivity_timer) to
both the probe close_hw error...
Information Disclosure
Linux
Apple
Microsoft
-
CVE-2026-46212
None
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: bla: prevent use-after-free when deleting claims
When batadv_bla_del_backbone_claims() removes all claims for a backbone, it
does this by dropping the link entry in the hash list. This list entry
itself was one of the ...
Information Disclosure
Linux
-
CVE-2026-46211
None
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()
msm_ioctl_gem_info_get_metadata() always returns 0 regardless of
errors. When copy_to_user() fails or the user buffer is too small,
the error code stored in ret ...
Denial Of Service
Linux
-
CVE-2026-46210
None
In the Linux kernel, the following vulnerability has been resolved:
media: iris: fix use-after-free of fmt_src during MBPF check
During concurrency testing, multiple instances can run in parallel, and
each instance uses its own inst->lock while the core->lock protects the
list of active instances....
Information Disclosure
Linux
-
CVE-2026-46209
None
In the Linux kernel, the following vulnerability has been resolved:
drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
using plain integer division:
unsigned int width = mode_cmd->width / (i ...
Buffer Overflow
Linux
-
CVE-2026-46208
None
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: stop tp_meter sessions during mesh teardown
TP meter sessions remain linked on bat_priv->tp_list after the netlink
request has already finished. When the mesh interface is removed,
batadv_mesh_free() currently tears do...
Information Disclosure
Linux
-
CVE-2026-46207
None
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix empty payload in tap skb for non-linear buffers
For non-linear skbs, virtio_transport_build_skb() goes through
virtio_transport_copy_nonlinear_skb() to copy the original payload
in the new skb to be delivered to ...
Information Disclosure
Linux
-
CVE-2026-46206
None
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: reject new tp_meter sessions during teardown
Prevent tp_meter from starting new sender or receiver sessions after
mesh_state has left BATADV_MESH_ACTIVE.
Information Disclosure
Linux
-
CVE-2026-46205
None
In the Linux kernel, the following vulnerability has been resolved:
staging: media: atomisp: Disallow all private IOCTLs
Disallow all private IOCTLs. These aren't quite as safe as one could
assume of IOCTL handlers; disable them for now. Instead of removing the
code, return in the beginning of the...
Information Disclosure
Linux
-
CVE-2026-46204
None
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the
bounds checks.
Information Disclosure
Linux
-
CVE-2026-46203
None
In the Linux kernel, the following vulnerability has been resolved:
spi: cadence-quadspi: fix unclocked access on unbind
Make sure that the controller is runtime resumed before disabling it
during driver unbind to avoid an unclocked register access.
This issue was flagged by Sashiko when reviewin...
Information Disclosure
Linux
-
CVE-2026-46202
None
In the Linux kernel, the following vulnerability has been resolved:
HID: appletb-kbd: run inactivity autodim from workqueues
The autodim code in hid-appletb-kbd takes backlight_device->ops_lock
via backlight_device_set_brightness() -> mutex_lock() from two
different atomic contexts:
* appletb_in...
Information Disclosure
Linux
-
CVE-2026-46201
None
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
When xe_dma_buf_init_obj() fails, the attachment from
dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before
returning the error. Note: we cannot use goto...
Information Disclosure
Linux
-
CVE-2026-46200
None
In the Linux kernel, the following vulnerability has been resolved:
spi: mpc52xx: fix controller deregistration
Make sure to deregister the controller before disabling and releasing
underlying resources like interrupts and gpios during driver unbind.
Information Disclosure
Linux
-
CVE-2026-46199
None
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
Check bounds against the end of the BO whenever we access the msg.
Information Disclosure
Linux
-
CVE-2026-46198
None
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: fix integer overflow on buff_pos
Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size
check is done using the int type in batadv_iv_ogm_aggr_packet whereas the
buff_pos variable uses the s16 type. T...
Buffer Overflow
Linux
-
CVE-2026-46197
None
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: validate SVM ioctl nattr against buffer size
Validate nattr field against the buffer size, preventing
out-of-bounds buffer access via user-controlled attribute count.
(cherry picked from commit 5eca8bfdfa456c3304ca775...
Buffer Overflow
Linux
-
CVE-2026-46196
None
In the Linux kernel, the following vulnerability has been resolved:
tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func()
invokes the subsystem's ext->regfunc() before attempting to install the
new p...
Information Disclosure
Linux
-
CVE-2026-46195
None
In the Linux kernel, the following vulnerability has been resolved:
smb: client: validate dacloffset before building DACL pointers
parse_sec_desc(), build_sec_desc(), and the chown path in
id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd
before proving a DACL header fits insid...
Information Disclosure
Linux
-
CVE-2026-46194
None
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix node_cnt race between extent node destroy and writeback
f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing
extent nodes. When called from f2fs_drop_inode() with I_SYNC set,
concurrent kworker writeback ...
Information Disclosure
Linux
-
CVE-2026-46193
None
In the Linux kernel, the following vulnerability has been resolved:
xfrm: ah: account for ESN high bits in async callbacks
AH allocates its temporary auth/ICV layout differently when ESN is enabled:
the async ahash setup appends a 4-byte seqhi slot before the ICV or
auth_data area, but the async c...
Information Disclosure
Linux
-
CVE-2026-46192
None
In the Linux kernel, the following vulnerability has been resolved:
spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations
The core will deal with reads by creating clock cycles itself, there's
no need to generate clock cycles by transmitting garbage dat...
Information Disclosure
Linux
-
CVE-2026-46191
None
In the Linux kernel, the following vulnerability has been resolved:
fbcon: Avoid OOB font access if console rotation fails
Clear the font buffer if the reallocation during console rotation fails
in fbcon_rotate_font(). The putcs implementations for the rotated buffer
will return early in this case...
Buffer Overflow
Linux
-
CVE-2026-46190
None
In the Linux kernel, the following vulnerability has been resolved:
mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
Sashiko noticed an out-of-bounds read [1].
In spi_nor_params_show(), the snor_f_names array is passed to
spi_nor_print_flags() using sizeof(snor_f_names).
Si...
Buffer Overflow
Linux
-
CVE-2026-46189
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
Sashiko points out that pvrdma_uar_free() is already called within
pvrdma_dealloc_ucontext(), so calling it before triggers a double free.
Information Disclosure
Linux
-
CVE-2026-46188
None
In the Linux kernel, the following vulnerability has been resolved:
octeon_ep_vf: add NULL check for napi_build_skb()
napi_build_skb() can return NULL on allocation failure. In
__octep_vf_oq_process_rx(), the result is used directly without a NULL
check in both the single-buffer and multi-fragment...
Denial Of Service
Linux
-
CVE-2026-46187
None
In the Linux kernel, the following vulnerability has been resolved:
wifi: rsi: fix kthread lifetime race between self-exit and external-stop
RSI driver uses both self-exit(kthread_complete_and_exit) and external-stop
(kthread_stop) when killing a kthread. Generally, kthread_stop() is called
first, ...
Information Disclosure
Linux
-
CVE-2026-46186
None
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: virtio_bt: validate rx pkt_type header length
virtbt_rx_handle() reads the leading pkt_type byte from the RX skb
and forwards the remainder to hci_recv_frame() for every
event/ACL/SCO/ISO type, without checking that the...
Information Disclosure
Linux
-
CVE-2026-46185
None
In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix out-of-bounds read in symlink_data()
Since smb2_check_message() returns success without length validation for
the symlink error response, in symlink_data() it is possible for
iov->iov_len to be smaller than sizeof(...
Buffer Overflow
Linux
-
CVE-2026-46184
None
In the Linux kernel, the following vulnerability has been resolved:
sound: ua101: fix division by zero at probe
Add a missing sanity check for bNrChannels in detect_usb_format()
to prevent a division by zero in playback_urb_complete() and
capture_urb_complete().
USB core does not validate class-s...
Denial Of Service
Linux
-
CVE-2026-46183
None
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock
damon_sysfs_quot_goal->path can be read and written by users, via DAMON
sysfs 'path' file. It can also be indirectly read, for the parameters
{on,off}line committ...
Information Disclosure
Linux
-
CVE-2026-46182
None
In the Linux kernel, the following vulnerability has been resolved:
pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace
The hdr variable is allocated on the stack and only hdr.version and
hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr
contains reserved padd...
Information Disclosure
Linux
-
CVE-2026-46181
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
Sashiko points out the radix_tree itself is RCU safe, but nothing ever
frees the mlx4_srq struct with RCU, and it isn't even accessed within the
RCU critical section. It also will ...
Denial Of Service
Linux
-
CVE-2026-46180
None
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
Watchdog task might end between send_sig() and kthread_stop() calls, which
results in the use-after-free issue. Fix this by increasing watchdog task
ref...
Information Disclosure
Linux
-
CVE-2026-46179
None
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Don't allow pointer operations on unconfigured streams
When reporting the pointer for a compressed stream we report the current
I/O frame position by dividing the position by the number of channels
multiplied by the num...
Information Disclosure
Linux
-
CVE-2026-46178
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
Sashiko points out that mlx4_srq_alloc() was not undone during error
unwind, add the missing call to mlx4_srq_free().
Information Disclosure
Linux
-
CVE-2026-46177
None
In the Linux kernel, the following vulnerability has been resolved:
ipmi: Add limits to event and receive message requests
The driver would just fetch events and receive messages until the
BMC said it was done. To avoid issues with BMCs that never say they are
done, add a limit of 10 fetches at a...
Information Disclosure
Linux
-
CVE-2026-46176
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally a...
Information Disclosure
Linux
-
CVE-2026-46175
None
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix fsck inconsistency caused by FGGC of node block
During FGGC node block migration, fsck may incorrectly treat the
migrated node block as fsync-written data.
The reproduction scenario:
root@vm:/mnt/f2fs# seq 1 2048 | xarg...
Information Disclosure
Linux
-
CVE-2026-46174
None
In the Linux kernel, the following vulnerability has been resolved:
x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
Make sure resources are not improperly shared in the op cache and
cause instruction corruption this way.
Information Disclosure
Linux
Amd
-
CVE-2026-46173
None
In the Linux kernel, the following vulnerability has been resolved:
exit: prevent preemption of oopsing TASK_DEAD task
When an already-exiting task oopses, make_task_dead() currently calls
do_task_dead() with preemption enabled. That is forbidden:
do_task_dead() calls __schedule(), which has a co...
Buffer Overflow
Linux
-
CVE-2026-46172
None
In the Linux kernel, the following vulnerability has been resolved:
ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
already have a dst attached. ip6_route_input_lookup() returns a
referenced dst entry even when the lookup...
Information Disclosure
Linux
-
CVE-2026-46171
None
In the Linux kernel, the following vulnerability has been resolved:
riscv: kvm: fix vector context allocation leak
When the second kzalloc (host_context.vector.datap) fails in
kvm_riscv_vcpu_alloc_vector_context, the first allocation
(guest_context.vector.datap) is leaked. Free it before returning...
Information Disclosure
Linux
-
CVE-2026-46170
None
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: ADD_ADDR rtx: free sk if last
When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(),
and released at the end.
If at that moment, it was the last reference being held, the sk would
not be freed. sock_put...
Information Disclosure
Linux
-
CVE-2026-46169
None
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix uninit-value by validating catalog record size
Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The
root cause is that hfs_brec_read() doesn't validate that the on-disk
record size matches the expec...
Authentication Bypass
Linux
-
CVE-2026-46168
None
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix scheduling with atomic in timestamp sockopt
Using lock_sock_fast() (atomic context) around sock_set_timestamp()
and sock_set_timestamping() is unsafe, as both helpers can sleep.
Replace lock_sock_fast() with sleepable ...
Information Disclosure
Linux
-
CVE-2026-46167
None
In the Linux kernel, the following vulnerability has been resolved:
usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
Just like in a previous problem in this driver, usblp_ctrl_msg() will
collapse the usb_control_msg() return value to 0/-errno, discarding the
actual number of bytes tra...
Information Disclosure
Linux
-
CVE-2026-46166
None
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: use safe list iteration in radar detect work
The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to
be freed and removed from the list. Guard against this to avoid a
slab-use-after-free error.
Information Disclosure
Linux
-
CVE-2026-46165
None
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: vport: fix self-deadlock on release of tunnel ports
vports are used concurrently and protected by RCU, so netdev_put()
must happen after the RCU grace period. So, either in an RCU call or
after the synchronize_net()....
Information Disclosure
Linux
-
CVE-2026-46164
None
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix double free in create_space_info_sub_group() error path
When kobject_init_and_add() fails, the call chain is:
create_space_info_sub_group()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> k...
Information Disclosure
Linux
-
CVE-2026-46163
None
In the Linux kernel, the following vulnerability has been resolved:
wifi: b43legacy: enforce bounds check on firmware key index in RX path
Same fix as b43: the firmware-controlled key index in b43legacy_rx()
can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is
non-enforcing in production...
Buffer Overflow
Linux
-
CVE-2026-46162
None
In the Linux kernel, the following vulnerability has been resolved:
ice: fix double free in ice_sf_eth_activate() error path
When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to
aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).
The device release callback ice_sf_dev_re...
Information Disclosure
Linux
-
CVE-2026-46161
None
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
setup_geo() extracts near_copies (nc) and far_copies (fc) from the
user-provided layout parameter without checking for zero. When fc=0
with the "improved" far set l...
Information Disclosure
Linux
-
CVE-2026-46160
None
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix missing last_unlink_trans update when removing a directory
When removing a directory we are not updating its last_unlink_trans field,
which can result in incorrect fsync behaviour in case some one fsyncs the
directory a...
Information Disclosure
Linux
-
CVE-2026-46159
None
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
btrfs_ioctl_space_info() has a TOCTOU race between two passes over the
block group RAID type lists. The first pass counts entries to determine
the a...
Information Disclosure
Linux
-
CVE-2026-46158
None
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer().
It should then be released in all cases at the end.
Some (unlikely) checks were returning directly instea...
Information Disclosure
Linux
-
CVE-2026-46157
None
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
Currently the runtime.oss.trigger field may be accessed concurrently
without protection, which may lead to the data race. And, in this
case, it may lead to more sever...
Information Disclosure
Linux
-
CVE-2026-46156
None
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and
readl(crtc_reg) will access with random address, because the "device" is
from "base+PCI_DEVICE_...
Information Disclosure
Linux
-
CVE-2026-46155
None
In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix out-of-bounds read in smb2_compound_op()
If a server sends a truncated response but a large OutputBufferLength, and
terminates the EA list early, check_wsl_eas() returns success without
validating that the entire O...
Buffer Overflow
Linux
-
CVE-2026-46154
None
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters
scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring
scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs.
If the loaded...
Information Disclosure
Linux
-
CVE-2026-46153
None
In the Linux kernel, the following vulnerability has been resolved:
8021q: delete cleared egress QoS mappings
vlan_dev_set_egress_priority() currently keeps cleared egress
priority mappings in the hash as tombstones. Repeated set/clear cycles
with distinct skb priorities therefore accumulate mappi...
Information Disclosure
Linux
-
CVE-2026-46152
None
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: drop stray 'static' from fast-RX rx_result
ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
its per-invocation rx_result is declared static. Concurrent callers then
share one instance and can o...
Information Disclosure
Linux
-
CVE-2026-46151
None
In the Linux kernel, the following vulnerability has been resolved:
usb: usblp: fix heap leak in IEEE 1284 device ID via short response
usblp_ctrl_msg() collapses the usb_control_msg() return value to
0/-errno, discarding the actual number of bytes transferred. A broken
printer can complete the G...
Information Disclosure
Linux
-
CVE-2026-46150
None
In the Linux kernel, the following vulnerability has been resolved:
fanotify: fix false positive on permission events
fsnotify_get_mark_safe() may return false for a mark on an unrelated group,
which results in bypassing the permission check.
Fix by skipping over detached marks that are not in th...
Authentication Bypass
Linux
-
CVE-2026-46149
None
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a
256-byte stack buffer, then will memcpy() cur_len bytes from that
buffer. snprintf...
Buffer Overflow
Linux
-
CVE-2026-46148
None
In the Linux kernel, the following vulnerability has been resolved:
spi: microchip-core-qspi: control built-in cs manually
The coreQSPI IP supports only a single chip select, which is
automagically operated by the hardware - set low when the transmit
buffer first gets written to and set high when ...
Information Disclosure
Linux
-
CVE-2026-46147
None
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()
Two bugs exist in the vCPU initialisation path:
1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup
path jumps to 'unlock' without callin...
Information Disclosure
Linux
-
CVE-2026-46146
None
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
The convert_chmap_v3() has a loop with its increment size of
cs_desc->wLength, but we forgot to validate cs_desc->wLength itself,
which may lead to potential endl...
Information Disclosure
Linux
-
CVE-2026-46145
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana: Validate rx_hash_key_len
Sashiko points out that rx_hash_key_len comes from a uAPI structure and is
blindly passed to memcpy, allowing the userspace to trash kernel
memory. Bounds check it so the memcpy cannot overflow.
Buffer Overflow
Linux
-
CVE-2026-46144
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal
destroy path cleans it up.
Information Disclosure
Linux
-
CVE-2026-46143
None
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
As prepare can be called multiple times, this can result in multiple
graph opens for playback path.
This will result in memory leaks, fix this by adding a check before
openi...
Information Disclosure
Linux
-
CVE-2026-46142
None
In the Linux kernel, the following vulnerability has been resolved:
net: libwx: fix VF illegal register access
Register WX_CFG_PORT_ST is a PF restricted register. When a VF is
initialized, attempting to read this register triggers an illegal
register access, which leads to a system hang.
When the...
Information Disclosure
Linux
-
CVE-2026-46141
None
In the Linux kernel, the following vulnerability has been resolved:
powerpc/xive: fix kmemleak caused by incorrect chip_data lookup
The kmemleak reports the following memory leak:
Unreferenced object 0xc0000002a7fbc640 (size 64):
comm "kworker/8:1", pid 540, jiffies 4294937872
hex dump (first...
Information Disclosure
Linux
-
CVE-2026-46140
None
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btmtk: validate WMT event SKB length before struct access
btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to
struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc
(9 bytes) without first c...
Buffer Overflow
Linux
-
CVE-2026-46139
None
In the Linux kernel, the following vulnerability has been resolved:
smb: client: use kzalloc to zero-initialize security descriptor buffer
Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces
to le16") split struct smb_acl's __le32 num_aces field into __le16
num_aces and __le16 res...
Information Disclosure
Linux
Microsoft
-
CVE-2026-46138
None
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
hci_le_create_big_complete_evt() iterates over BT_BOUND connections for
a BIG handle using a while loop, accessing ev->bis_handle[i++] on each
...
Denial Of Service
Linux
-
CVE-2026-46137
None
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: ADD_ADDR rtx: fix potential data-race
This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().
If the socket is...
Information Disclosure
Linux
-
CVE-2026-46136
None
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921: fix a potential clc buffer length underflow
The buf_len is used to limit the iterations for retrieving the country
power setting and may underflow under certain conditions due to changes
in the power table in C...
Denial Of Service
Linux
-
CVE-2026-46135
None
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: fix race between ICReq handling and queue teardown
nvmet_tcp_handle_icreq() updates queue->state after sending an
Initialization Connection Response (ICResp), but it does so without
serializing against target-side queue...
Information Disclosure
Linux
-
CVE-2026-46134
None
In the Linux kernel, the following vulnerability has been resolved:
platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
cros_typec_register_thunderbolt() missed initializing the `adata->lock`
mutex. This leads to a NULL dereference when the mutex is later
acquired (e.g. in cros...
Information Disclosure
Linux
Google
-
CVE-2026-46133
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Reject unknown opcodes before ICRC processing
Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC
before payload_size() in rxe_rcv"), a single unauthenticated UDP packet
can still trigger panic. Th...
Buffer Overflow
Linux
-
CVE-2026-46132
None
In the Linux kernel, the following vulnerability has been resolved:
net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack
without initialisation:
struct ifla_vf_broadcast vf_broadcast;
The struct cont...
Information Disclosure
Linux
-
CVE-2026-46131
None
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: check for nEPT/nNPT in slow flush hypercalls
Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa()
is only valid if an L2 guest is running *with nested EPT/NPT enabled*.
Instead use the same condition...
Information Disclosure
Linux
-
CVE-2026-46130
None
In the Linux kernel, the following vulnerability has been resolved:
dm-verity-fec: fix reading parity bytes split across blocks (take 3)
fec_decode_bufs() assumes that the parity bytes of the first RS codeword
it decodes are never split across parity blocks.
This assumption is false. Consider v-...
Buffer Overflow
Linux
-
CVE-2026-46129
None
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix double free in create_space_info() error path
When kobject_init_and_add() fails, the call chain is:
create_space_info()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&space_in...
Information Disclosure
Linux
-
CVE-2026-46128
None
In the Linux kernel, the following vulnerability has been resolved:
ipmi: Check event message buffer response for bad data
The event message buffer response data size got checked later when
processing, but check it right after the response comes back. It
appears some BMCs may return an empty mess...
Information Disclosure
Linux
-
CVE-2026-46127
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
Sashiko points out that pd->uctx isn't initialized until late in the
function so all these error flow references are NULL and will crash. Use
the uctx that isn...
Denial Of Service
Linux
-
CVE-2026-46126
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
Sashiko points out there are two bugs here in the error unwind flow, both
related to how the WQ table is unwound.
First there is a double i-- on the first fa...
Information Disclosure
Linux
-
CVE-2026-46125
None
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: remove station if connection prep fails
If connection preparation fails for MLO connections, then the
interface is completely reset to non-MLD. In this case, we must
not keep the station since it's related to the l...
Information Disclosure
Linux
-
CVE-2026-46124
None
In the Linux kernel, the following vulnerability has been resolved:
isofs: validate block number from NFS file handle in isofs_export_iget
isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-
controlled block number (ifid->block or ifid->parent_block) from
the NFS file handle to isofs_e...
Information Disclosure
Linux
-
CVE-2026-46123
None
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: virtio_bt: clamp rx length before skb_put
virtbt_rx_work() calls skb_put(skb, len) where len comes directly
from virtqueue_get_buf() with no validation against the buffer we
posted to the device. The RX skb is allocated...
Buffer Overflow
Linux
-
CVE-2026-46122
None
In the Linux kernel, the following vulnerability has been resolved:
wifi: b43: enforce bounds check on firmware key index in b43_rx()
The firmware-controlled key index in b43_rx() can exceed the dev->key[]
array size (58 entries). The existing B43_WARN_ON is non-enforcing in
production builds, all...
Buffer Overflow
Linux
-
CVE-2026-46121
None
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path".
Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race
with ...
Information Disclosure
Linux
-
CVE-2026-46120
None
In the Linux kernel, the following vulnerability has been resolved:
ip6_gre: Use cached t->net in ip6erspan_changelink().
After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns
ip6gre hash via link_net. ip6erspan_...
Information Disclosure
Linux
-
CVE-2026-46119
None
In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix slab-out-of-bounds access in auth message processing
If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY
contains a positive value in its result field, it is treated as an
error code by ceph_handle_auth_r...
Buffer Overflow
Linux
-
CVE-2026-46118
None
In the Linux kernel, the following vulnerability has been resolved:
pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()
commit 6d3789d347a7 ("papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()"),
changed the create handle to FD_PREPARE(), but it caused kern...
Denial Of Service
Linux
-
CVE-2026-46117
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
Sashiko points out that the user can specify WQs sharing the same CQ as a
part of the uAPI and this will trigger the WARN_ON() then go on to corrupt
the kerne...
Information Disclosure
Linux
-
CVE-2026-46116
None
In the Linux kernel, the following vulnerability has been resolved:
xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s
hlist_del_rcu calls under syzkaller load on linux-6.12.y stable
(reproduced on 6.12.47, also reacha...
Denial Of Service
Linux
-
CVE-2026-46115
None
In the Linux kernel, the following vulnerability has been resolved:
block: add pgmap check to biovec_phys_mergeable
biovec_phys_mergeable() is used by the request merge, DMA mapping,
and integrity merge paths to decide if two physically contiguous
bvec segments can be coalesced into one. It curren...
Information Disclosure
Linux
-
CVE-2026-46114
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c
unconditionally dereferences 8 bytes at payload_addr(pkt):
value = *(u64 *)payload_addr(pkt);
check_rkey() previo...
Information Disclosure
Linux
-
CVE-2026-46113
None
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus
the SPTE index. This assumption breaks for shadow paging if the guest
page tables are modifie...
Information Disclosure
Linux
-
CVE-2026-46112
None
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
Sashiko points out that hns_roce_qp_remove() requires the caller to hold
locks. The error flow in hns_roce_create_qp_common() doesn't hold those
locks for the error unwind so it...
Information Disclosure
Linux
-
CVE-2026-46111
None
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: fix potential UAF in create_big_sync
Add hci_conn_valid() check in create_big_sync() to detect stale
connections before proceeding with BIG creation. Handle the
resulting -ECANCELED in create_big_complete() an...
Information Disclosure
Linux
-
CVE-2026-46110
None
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: Prevent NULL deref when RX memory exhausted
The CPU receives frames from the MAC through conventional DMA: the CPU
allocates buffers for the MAC, then the MAC fills them and returns
ownership to the CPU. For each hard...
Information Disclosure
Linux
-
CVE-2026-46109
None
In the Linux kernel, the following vulnerability has been resolved:
usb: ulpi: fix memory leak on ulpi_register() error paths
Commit 01af542392b5 ("usb: ulpi: fix double free in
ulpi_register_interface() error path") removed kfree(ulpi) from
ulpi_register_interface() to fix a double-free when devi...
Information Disclosure
Linux
-
CVE-2026-46108
None
In the Linux kernel, the following vulnerability has been resolved:
ipmi:si: Return state to normal if message allocation fails
There were places where nothing would get started if a message
allocation failed, so the driver needs to return to normal state.
Information Disclosure
Linux
-
CVE-2026-46107
None
In the Linux kernel, the following vulnerability has been resolved:
dm-thin: fix metadata refcount underflow
There's a bug in dm-thin in the function rebalance_children. If the
internal btree node has one entry, the code tries to copy all btree
entries from the node's child to the node itself and ...
Information Disclosure
Linux
-
CVE-2026-46106
None
In the Linux kernel, the following vulnerability has been resolved:
eventfs: Hold eventfs_mutex and SRCU when remount walks events
Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the
events descriptor") had eventfs_set_attrs() recurse through ei->children
on remount. The walk on...
Information Disclosure
Linux
-
CVE-2026-46105
None
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Limit NVMe request size to 2 MiB
The HBA firmware reports NVMe MDTS values based on the underlying drive
capability. However, because the driver allocates a fixed 4K buffer for
the PRP list, accommodating at most 51...
Information Disclosure
Linux
-
CVE-2026-46104
None
In the Linux kernel, the following vulnerability has been resolved:
selinux: use sk blob accessor in socket permission helpers
SELinux socket state lives in the composite LSM socket blob.
sock_has_perm() and nlmsg_sock_has_extended_perms() currently
dereference sk->sk_security directly, which ass...
Information Disclosure
Linux
-
CVE-2026-45756
LOW
Uncontrolled PCRE backtracking in Symfony's JsonPath component allows denial of service when attacker-influenced JSONPath expressions containing match() or search() filters are evaluated server-side. Affected applications that pass user-supplied JSONPath queries to JsonCrawler::find() can be made to execute catastrophically backtracking patterns such as '(a+)+$', pinning a CPU core for several seconds per request; a small number of concurrent requests can exhaust the entire PHP worker pool. The vulnerability is compounded by error suppression (@preg_match) that silences PCRE backtrack-limit exceptions, producing no log trace of the attack. No public exploit code and no CISA KEV listing are identified at time of analysis, but the advisory itself provides a working proof-of-concept pattern.
PHP
Denial Of Service
-
CVE-2026-45753
LOW
Stored XSS via bypass in Symfony's HtmlSanitizer component allows `javascript:` URIs to survive sanitization when applications use permissive configurations that admit `action`, `formaction`, `poster`, or `cite` attributes. The root cause is an incomplete attribute list in `UrlAttributeSanitizer::getSupportedAttributes()`, which caused `DomVisitor` to skip URI scheme validation entirely for those four attribute types. No public exploit identified at time of analysis and no CVSS score has been assigned, but successful exploitation enables JavaScript execution in victims' browsers - with the attack gated behind non-default sanitizer configuration choices made by the integrating application.
XSS
-
CVE-2026-45287
LOW
File descriptor exhaustion in go.opentelemetry.io/otel/schema v1.0 and v1.1 enables denial of service against long-running Go processes. The ParseFile function in schema/v1.0/parser.go opens schema files via os.Open but never closes them - neither via defer nor by transferring ownership to the downstream Parse(io.Reader) call - leaving descriptors open until the Go garbage collector finalizes the file object. Publicly available exploit code exists demonstrating that repeated ParseFile calls accumulate leaked descriptors until the process receives EMFILE ('too many open files'), disrupting all subsequent file, socket, and descriptor operations. Exploitation is contingent on an application exposing ParseFile invocation to attacker-controlled or attacker-triggered paths.
Denial Of Service
-
CVE-2026-41565
None
CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers.
The gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines copied the caller-supplied authentication tag into a fixed 144-byte stack buffer...
Buffer Overflow
Stack Overflow
Cryptx
-
CVE-2026-37579
None
An issue in SMSGate sms-core<=2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component
RCE
Java
-
CVE-2026-30963
LOW
CVSS 3.9
Namespace hijacking in Capsule (Kubernetes multi-tenancy operator) prior to v0.13.0 allows an authenticated tenant administrator to reassign any namespace to their own tenant by patching it through the namespace/status or namespace/finalize subresource APIs, which bypass Capsule's ValidatingWebhookConfiguration enforcement entirely. The webhook intercepts direct namespace modifications but omits these subresource paths, leaving a gap that an attacker with explicitly delegated RBAC permissions can exploit with a single PATCH request. A complete, working proof-of-concept is publicly available in the GitHub Security Advisory GHSA-2ww6-hf35-mfjm; no CISA KEV listing was identified, indicating no confirmed widespread active exploitation at time of analysis.
Information Disclosure
Kubernetes
-
CVE-2026-30761
None
An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file.
PHP
RCE
File Upload
N A
-
CVE-2026-30760
None
An issue in SourceBans Material Admin before v.1.1.6 (3ecd95e) allows attackers to manipulate arbitrary user data in the web app via a crafted XAJAX call.
Information Disclosure
N A
-
CVE-2026-9828
LOW
CVSS 1.2
Security restriction bypass in logback-core's HardenedObjectInputStream allows limited object injection via logback's SimpleSocketServer and SimpleSSLSocketServer components, affecting all versions through 1.5.32 inclusive. An attacker who can influence serialized data submitted to these socket server endpoints can instantiate objects from java.lang and java.util classes not explicitly blocked by the hardened deserializer, circumventing its intended allowlist controls. The vendor and NVD both confirm no practical remote code execution or significant privilege escalation has been identified; the real-world impact is limited confidentiality and integrity exposure. No public exploit identified at time of analysis beyond E:P proof-of-concept maturity indicated in the CVSS vector. Not listed in CISA KEV.
RCE
Deserialization
-
CVE-2026-9658
None
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.
The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,
GET /path\r\nHTTP/1.1\r\nHost: secret.e...
Code Injection
Plack
-
CVE-2026-9098
None
In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identit...
Authentication Bypass
Casdoor
-
CVE-2026-9097
None
Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revok...
Information Disclosure
Microsoft
Casdoor
-
CVE-2026-9096
None
Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are com...
Denial Of Service
Casdoor
-
CVE-2026-9094
None
Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can...
Privilege Escalation
Microsoft
Casdoor
-
CVE-2026-9093
None
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudie...
Denial Of Service
Casdoor
-
CVE-2026-9092
None
Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even inc...
Information Disclosure
Casdoor
-
CVE-2026-9091
None
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path i...
Authentication Bypass
Casdoor
-
CVE-2026-9090
None
Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-co...
Denial Of Service
Casdoor