Skip to main content
CVE-2026-46237 HIGH PATCH This Week

Local privilege-escalation-adjacent denial of service and potential memory corruption in the Linux kernel's AMD GPU VCN3 (Video Core Next 3) driver allows a local low-privileged user with GPU access to trigger an integer overflow in the message bound check of the drm/amdgpu/vcn3 subsystem. The flaw was identified by AMD's SDL review and patched upstream, and per CVSS it yields high confidentiality and availability impact without integrity impact. Exploitation status: no public exploit identified at time of analysis, and EPSS is very low at 0.02%.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46218 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's amdgpu (AMD GPU) driver allows local users with low privileges to trigger denial of service or read sensitive kernel memory by interacting with the uvd/vce/vcn IB (indirect buffer) handling paths. The flaw stems from missing bounds checks in ib_get_value and ib_set_value when accessing the IB at predefined offsets, compounded by a signed-integer index that could overflow. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Linux RCE
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46203 HIGH PATCH This Week

Unclocked register access in the Linux kernel's Cadence Quadspi SPI controller driver (spi-cadence-quadspi) occurs during driver unbind, affecting kernel versions through 7.0.x and 7.1-rc1. A local low-privileged user able to trigger driver unbind can cause high-impact confidentiality loss and denial of service on systems using affected SPI hardware. There is no public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%.

Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46191 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's framebuffer console (fbcon) subsystem allows a local low-privileged attacker to access kernel memory beyond the font buffer when console rotation is enabled and font reallocation fails. The flaw resides in fbcon_rotate_font() which retains the undersized old buffer after a failed reallocation, so printing characters with high-enough codes overflows the font buffer during putcs operations. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%), but the issue is patched across multiple stable kernel branches.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46190 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's SPI-NOR flash debugfs interface (spi_nor_params_show) allows local authenticated users with debugfs access to trigger memory disclosure or denial of service on 64-bit systems. The flaw stems from sizeof() being used on a pointer array instead of ARRAY_SIZE(), inflating the bounds-check length by 8x. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at 0.02%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46150 HIGH PATCH This Week

Permission check bypass in the Linux kernel's fanotify subsystem allows local low-privileged users to circumvent access control decisions enforced by fanotify-based security tools. The flaw stems from fsnotify_get_mark_safe() incorrectly returning false for marks on unrelated groups, causing the permission event evaluation to be skipped entirely. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the impact on systems relying on fanotify for access control (antivirus, EDR, HSM) is significant.

Linux Authentication Bypass
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46149 HIGH PATCH This Week

Out-of-bounds stack read in the Linux kernel SCSI target subsystem's configfs interface allows a local privileged user to trigger a kernel panic or leak adjacent stack memory by reading the tg_pt_gp members sysfs attribute when a long iSCSI IQN fabric WWN (up to 223 bytes) is configured. The flaw stems from misusing the snprintf() return value (which reports intended length, not bytes written) as a memcpy() source length. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile).

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46140 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's MediaTek Bluetooth driver (btmtk) lets a short or malformed WMT firmware event response trigger reads past the SKB tailroom in btmtk_usb_hci_wmt_sync(), potentially leaking adjacent kernel memory or crashing the host. The flaw affects systems using MediaTek USB Bluetooth controllers (MT76xx family) on kernels around 6.11 through release candidates of 7.1, scoring CVSS 7.1 with high confidentiality and availability impact. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%), but a vendor fix is available across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46130 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46175 HIGH PATCH This Week

Filesystem inconsistency in the Linux kernel's F2FS implementation allows local authenticated users to trigger fsck misinterpretation of node block migration as fsync-written data, resulting in filesystem integrity issues following a sudden power-off (SPO). Affecting Linux kernel versions through 7.0.7 and 7.1-rc1 (with backports to 6.18.30), the flaw stems from Foreground Garbage Collection (FGGC) failing to clear dentry and fsync marks during node block migration. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (4th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-44604 HIGH This Week

Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim extracts a maliciously crafted ZIP, 7z, or GEM archive whose top-level folder name contains shell metacharacters. The flaw affects Red Hat Enterprise Linux 6 through 10 and downstream products including OpenShift Container Platform 4, Satellite 6, Red Hat Hardened Images, and Quarkus Native Builder. No public exploit identified at time of analysis, and the issue requires user interaction with an attacker-supplied archive, but successful exploitation yields full code execution under the extracting user's identity.

Command Injection Pen Drive Powered By Red Hat Lightspeed Red Hat Build Of Quarkus Native Builder Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +7
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-46164 HIGH PATCH This Week

Memory corruption in the Linux kernel's btrfs filesystem can be triggered when create_space_info_sub_group() encounters a kobject initialization failure, causing the sub_group structure to be freed twice. The double-free occurs because btrfs_sysfs_add_space_info_type() already releases the memory via kobject_put() in its error path, after which the caller frees it again. EPSS scores this at 0.02% (5th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-46154 HIGH PATCH This Week

Local privilege escalation potential exists in the Linux kernel's sched_ext (SCX) subsystem where a use-after-free condition in cgroup setter operations can be triggered when a BPF scheduler is swapped concurrently with cgroup weight, idle, or bandwidth updates. The flaw affects kernel 6.18 and related stable branches and stems from reading scx_root outside the scx_cgroup_ops_rwsem, allowing a stale pointer to be dereferenced after the previous scheduler is freed via RCU. EPSS is very low (0.02%) and no public exploit is identified at time of analysis.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-46644 MEDIUM PATCH GHSA This Month

Symfony's polyfill-intl-idn library (versions 1.17.1–1.38.0) silently accepts malformed Punycode ACE labels — specifically `xn--` prefixed labels whose decoded payload is empty or contains only ASCII characters — which native PHP ext-intl correctly rejects. This divergence allows attackers to craft domain names such as `poc.xn--kc1zs4-.com` that the polyfill normalizes to `poc.kc1zs4.com`, causing hostname blacklist bypasses and inconsistent URL parsing in applications that rely on the polyfill for canonicalization or security-sensitive hostname comparisons. The flaw directly enables server-side request forgery (SSRF) in affected deployments, mirrors the pattern established by CVE-2024-12224, and no public exploit has been identified at time of analysis beyond the proof-of-concept inputs included in the vendor advisory.

SSRF
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-45754 MEDIUM PATCH GHSA This Month

Unauthenticated webhook event injection in Symfony's Mailjet Mailer and LOX24 SMS Notifier bridges allows remote attackers to POST arbitrary forged payloads to an application's webhook endpoint, even when a webhook secret is configured. The root cause is that both `MailjetRequestParser::doParse()` and `Lox24RequestParser::doParse()` accept a secret parameter but silently discard it, returning the payload unconditionally. Attackers who can discover the webhook URL can fabricate bounce, spam, open, click, or delivery events, leading to suppression-list corruption and delivery-metrics fraud. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-22872 MEDIUM PATCH GHSA This Month

Privilege escalation in Capsule (the Kubernetes multi-tenancy operator) allows authenticated tenant owners to create cluster-scoped resources - including ClusterRole and ValidatingWebhookConfiguration - by embedding them in TenantResource RawItems, bypassing tenant isolation enforced by the platform. The Capsule Controller's default cluster-admin ClusterRoleBinding means it creates whatever resource it is instructed to process, and its attempt to namespace-scope the resource via obj.SetNamespace() is silently ignored by the Kubernetes API for cluster-scoped kinds. A working proof-of-concept is publicly documented in the GHSA advisory; no CISA KEV listing has been issued at time of analysis.

Privilege Escalation Information Disclosure Denial Of Service Kubernetes
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-47136 MEDIUM PATCH This Month

Unauthenticated information disclosure in RustFS exposes parsed license metadata - including license subject and expiration timestamp - via the console endpoint GET /rustfs/console/license to any network client that can reach the console listener, with no credentials required. All RustFS releases prior to 1.0.0-beta.2 are affected. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, and the CVSS 4.0 confidentiality impact is rated Low given the non-sensitive nature of the disclosed data.

Information Disclosure Rustfs
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-49130 MEDIUM PATCH This Month

CRLF injection in Music Player Daemon (MPD) before version 0.24.11 enables network-accessible, unauthenticated attackers to embed raw CR/LF bytes into URI fields parsed from malicious XSPF playlists, injecting forged key-value lines into MPD text protocol responses - including playlistinfo, currentsong, and listplaylist outputs - as well as the persistent state file. The root mechanism is Expat's decoding of XML numeric character references (e.g., 
) before invoking the character data callback in xspf_char_data, bypassing any empty-string checks that previously served as the only guard. No public exploit code or CISA KEV listing exists at time of analysis, but the no-authentication network vector means any MPD instance that processes externally supplied playlists is exposed; the fix also extended to ASX, PLS, and RSS playlist plugins, indicating the affected surface was broader than the CVE title implies.

Code Injection Mpd
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-49129 MEDIUM PATCH This Month

Server-side request forgery in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to bypass HTTP/HTTPS scheme restrictions by exploiting the CurlInputPlugin's failure to set CURLOPT_REDIR_PROTOCOLS_STR alongside CURLOPT_FOLLOWLOCATION in libcurl. An attacker who can submit URLs to MPD via commands such as add, readcomments, albumart, readpicture, or load can cause MPD to follow redirects to non-HTTP protocols including gopher, ftp, sftp, ldap, dict, rtmp, and rtsp - enabling interaction with internal or restricted network services. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the CVSS 4.0 score of 6.9 with a fully unauthenticated network attack vector warrants prompt patching on any externally accessible MPD deployment.

SSRF Mpd
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45755 MEDIUM PATCH GHSA This Month

Unauthenticated webhook event injection in Symfony's Mailtrap Mailer bridge (symfony/mailtrap-mailer) allows any remote attacker who knows the webhook endpoint URL to POST arbitrary forged event payloads - delivery, bounce, open, click, or spam - regardless of whether a signing secret is configured. The root cause is that `MailtrapRequestParser::doParse()` accepts the configured secret as a parameter but never reads it, leaving the `X-Mt-Signature` HMAC header completely unchecked. Successful exploitation enables suppression-list poisoning, delivery-metrics fraud, and manipulation of application logic that reacts to email events. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vendor patch is available in versions 7.4.12 and 8.0.12.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-48735 MEDIUM PATCH GHSA This Month

Memory exhaustion in pypdf's XMP metadata parser allows denial of service via specially crafted PDF files containing oversized or element-dense XMP blocks, affecting all versions prior to 6.12.1. The vulnerability stems from an absence of input limits in the XML-based XMP parsing subsystem (CWE-770), meaning processing a malicious PDF can consume unbounded system memory. No public exploit code has been identified at time of analysis, and no confirmed active exploitation exists; however, the patch diff is publicly visible on GitHub, making trivial exploit construction feasible.

Python Denial Of Service Suse Red Hat
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-9802 MEDIUM PATCH This Month

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.

Privilege Escalation Information Disclosure Authentication Bypass Build Of Keycloak
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-46380 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in compliance-trestle's HTTPSFetcher._do_fetch() allows a local low-privileged attacker to redirect outbound HTTP requests to internal services or cloud metadata endpoints such as 169.254.169.254 - enabling credential theft from AWS, GCP, or Azure instance metadata. Affected are all pip releases of compliance-trestle before 3.12.2 and versions 4.0.0 through 4.0.2. A public proof-of-concept (poc_ssrf_and_path_traversal.py) with 13 verified exploit vectors is attached to the GitHub Security Advisory GHSA-w76h-q7c6-jpjp; no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV) and no EPSS score was provided in the input data.

Path Traversal SSRF
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-10004 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Passwords component (all versions prior to 148.0.7778.216) allows a remote, unauthenticated attacker to manipulate browser-native password UI elements by delivering a crafted HTML page to a victim. The flaw arises from insufficient input validation (CWE-20) in the Passwords subsystem, enabling attacker-controlled content to render deceptive credential prompts that are visually indistinguishable from legitimate Chrome dialogs. No public exploit has been identified at time of analysis and the CVE is absent from CISA KEV, though the zero-privilege, network-accessible attack surface and High Chromium severity designation make patching a clear priority.

Google Information Disclosure Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49095 MEDIUM This Month

Privilege escalation in Elastic Kibana's Fleet agent policy management feature allows authenticated Fleet administrators to inject unvalidated values into a configuration override mechanism, causing Elastic Agents to be provisioned with API keys carrying elevated Elasticsearch privileges. Successful exploitation yields unauthorized read/write access to sensitive Elasticsearch security indices beyond the Fleet role's intended scope. No public exploit identified at time of analysis, and CISA KEV does not list this issue.

Privilege Escalation Elastic
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49094 MEDIUM This Month

Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level access to render the service completely unavailable. By submitting a request containing an oversized input value, the attacker causes Kibana to consume excessive CPU and memory, crashing the service for all users and requiring manual intervention to restore. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the low privilege bar - viewer access only - significantly elevates real-world risk in multi-tenant or SaaS Elastic deployments.

Elastic Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42399 MEDIUM This Month

Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny access to all users by submitting a maliciously crafted Timelion visualization expression. The Timelion expression parser fails to bound the depth of chained function call processing, causing the resulting data structure to grow exponentially and exhaust available server memory. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and minimal privilege requirements make it an accessible attack surface for any credentialed Kibana user.

Elastic Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42400 MEDIUM This Month

Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a specially crafted compressed HTTP request payload. The root cause is an architectural ordering flaw: compressed payloads are decompressed and processed before authorization checks are applied, enabling resource exhaustion (CWE-400, CAPEC-130 Excessive Allocation) at minimal privilege cost. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity and broad authentication base (any valid Kibana login) make this a meaningful availability risk for multi-tenant or internet-exposed deployments.

Elastic Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33464 MEDIUM This Month

Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for all users by submitting an oversized, specially crafted payload to an internal API endpoint. The CVSS vector (AV:N/AC:L/PR:L/UI:N/A:H) confirms straightforward network exploitation requiring only valid low-privileged credentials with no user interaction - a low barrier for any insider or compromised account. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low complexity and authenticated-but-low-privilege condition makes this a realistic risk in shared Kibana deployments.

Elastic Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-10018 MEDIUM PATCH This Month

Integer overflow in ANGLE (Chrome's graphics translation layer) in Google Chrome prior to 148.0.7778.216 enables remote attackers to read sensitive data from the renderer process memory by enticing a victim to visit a crafted HTML page. The vulnerability is limited to confidentiality impact - no code execution or integrity impact is indicated by CVSS (C:H/I:N/A:N). With an EPSS of 0.03% and no CISA KEV listing, active exploitation is not currently observed, though the network-accessible attack vector and low complexity make the attack straightforward once a victim visits attacker-controlled content.

Google Information Disclosure Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-10008 MEDIUM PATCH This Month

Uninitialized GPU memory use in Google Chrome on Android prior to 148.0.7778.216 enables remote attackers to read potentially sensitive data from the browser's GPU process memory. Exploitation requires user interaction - a victim must visit a crafted HTML page - and is confined to the Android platform, narrowing real-world exposure relative to the CVSS C:H impact rating. No public exploit code exists and this vulnerability is absent from CISA KEV; EPSS at 0.03% (11th percentile) and SSVC exploitation status of 'none' collectively indicate low near-term exploitation probability.

Google Information Disclosure Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9981 MEDIUM PATCH This Month

Inappropriate implementation in the Skia graphics library within Google Chrome prior to 148.0.7778.216 enables remote attackers to read potentially sensitive data from renderer process memory by delivering a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms unauthenticated network exploitation with high confidentiality impact, constrained only by the requirement for user interaction. No public exploit has been identified at time of analysis, and EPSS at 0.03% (11th percentile) indicates minimal observed exploitation activity.

Google Information Disclosure Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9953 MEDIUM PATCH This Month

Out-of-bounds read in Chrome's ANGLE graphics layer exposes process memory to remote attackers who can deliver a crafted HTML page to a victim. Unauthenticated (PR:N) remote exploitation is confirmed by the CVSS vector, though user interaction is required - the victim must open a malicious page. Confidentiality impact is rated High (C:H) with no integrity or availability consequence, making this a targeted information-disclosure primitive rather than a code-execution path. No public exploit or CISA KEV listing exists at time of analysis, and the EPSS score of 0.03% (11th percentile) reflects low observed exploitation pressure.

Google Information Disclosure Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9912 MEDIUM PATCH This Month

GPU memory disclosure in Google Chrome on Android (versions prior to 148.0.7778.216) exposes potentially sensitive process memory to unauthenticated remote attackers via crafted HTML pages. The root cause is an inappropriate implementation within Chrome's GPU subsystem on Android, classified as CWE-200, which permits out-of-bounds or unauthorized memory reads during rendering operations. No public exploit code exists and no active exploitation is confirmed; EPSS probability sits at a low 0.03%, though the Android-only scope and requirement for user interaction are the primary limiting factors rather than intrinsic exploitation difficulty.

Google Information Disclosure Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9908 MEDIUM PATCH This Month

Out-of-bounds read in Chrome's ANGLE graphics layer exposes process memory contents to unauthenticated remote attackers who can lure a user to a crafted HTML page. All Google Chrome desktop versions prior to 148.0.7778.216 are affected, with the vulnerability carrying a CVSS 6.5 and exclusively a confidentiality impact - no integrity or availability loss. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (11th percentile) reflects low current exploitation activity, consistent with a typical Chrome graphics-component disclosure ahead of a stable channel patch.

Google Information Disclosure Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9882 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics layer (prior to 148.0.7778.216) allows unauthenticated remote attackers to read sensitive cross-origin information by luring a victim to a crafted HTML page. The root cause is an integer overflow in ANGLE, Chrome's graphics translation engine, which is internally rated Critical by the Chrome security team despite a CVSS score of only 4.3. No public exploit has been identified at time of analysis, and the EPSS exploitation probability is very low at 0.03% (11th percentile), though the cross-origin data leakage class of vulnerability has historically attracted targeted exploitation in browser ecosystems.

Google Information Disclosure Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9996 MEDIUM PATCH This Month

Out-of-bounds read in the WebRTC subsystem of Google Chrome on macOS (versions prior to 148.0.7778.216) enables remote attackers to exfiltrate potentially sensitive data from browser process memory by luring a user to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H/I:N/A:N) confirms network-reachable, unauthenticated exploitation with confidentiality-only impact, but mandates user interaction, limiting fully passive attack scenarios. No active exploitation has been confirmed in CISA KEV, and an EPSS score of 0.03% at the 10th percentile reflects low observed exploitation probability at time of analysis; no public exploit code has been identified.

Google Information Disclosure Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9917 MEDIUM PATCH This Month

Uninitialized memory exposure in the WebGL subsystem of Google Chrome on Android prior to 148.0.7778.216 allows unauthenticated remote attackers to read potentially sensitive data from browser process memory. Exploitation requires the victim to visit a specially crafted HTML page, placing this in the drive-by/social-engineering threat category rather than fully automated attacks. No public exploit code identified at time of analysis, and EPSS of 0.03% (10th percentile) reflects minimal current exploitation pressure despite the High CVSS confidentiality impact.

Google Information Disclosure Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9792 MEDIUM PATCH This Month

Policy enforcement bypass in Red Hat Build of Keycloak's Client Policies framework allows unauthenticated remote attackers to obtain OAuth2 tokens via the Resource Owner Password Credentials (ROPC) grant even when an explicit `reject-ropc-grant` executor is configured to block it. The bypass is triggered specifically when certain condition providers - client-type, client-roles, client-attributes, or client-scopes - are used within the same policy, causing silent executor skipping rather than a fail-closed enforcement error. Successful exploitation results in unauthorized token issuance and potential information disclosure. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9796 MEDIUM PATCH This Month

Privilege escalation in Red Hat Build of Keycloak allows an authenticated administrator holding the manage-clients role to exploit a Time-of-check to time-of-use (TOCTOU) race condition in name-based admin role checks, elevating their privileges to realm-admin for all users within the realm. The resulting composite role relationship is persistent - it survives both manual revocation of the attacker's original permissions and system reboots, making remediation non-trivial post-exploitation. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Privilege Escalation Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7048 MEDIUM This Month

Time-based blind SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.40) allows authenticated attackers holding contributor-level access or above to exfiltrate sensitive database contents by embedding a crafted shortcode in a post or draft. The `order_by` parameter is passed unsanitized into existing SQL queries, and the injected payload executes when the shortcode is rendered - targeting WordPress databases containing credentials, user PII, and site configuration. No public exploit code or CISA KEV listing has been identified at time of analysis, though the high confidentiality impact and low attack complexity make this a meaningful risk on any site with non-administrative contributors.

SQLi WordPress
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-3173 MEDIUM This Month

Insecure Direct Object Reference in the Meta Field Block WordPress plugin (all versions through 1.5.1) allows authenticated attackers with Contributor-level access to read arbitrary user meta, post meta, and term meta data from any object in the database by supplying unchecked object IDs and types via block attributes. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms this is remotely exploitable with low privilege and no user interaction, with a full confidentiality impact on metadata. Risk is materially elevated on sites running WooCommerce or similar plugins that persist PII - names, billing addresses, phone numbers, emails - in meta fields. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Information Disclosure WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5737 MEDIUM This Month

Server-Side Request Forgery in Independent Analytics (WordPress plugin, all versions through 2.14.9) enables unauthenticated remote attackers to inject arbitrary referrer domains into the site's analytics database and subsequently trigger server-side HTTP requests to any host - including internal network services and cloud metadata endpoints. The exploit chain combines a bypassable signature check on the public /wp-json/iawp/search REST endpoint (static salt embedded in publicly-accessible JavaScript) with a scheduled favicon fetcher that issues raw cURL requests with zero SSRF mitigations. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV, but CVSS PR:N/AC:L indicates exploitation requires no authentication and minimal complexity, particularly threatening for WordPress deployments on cloud infrastructure.

WordPress SSRF
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44462 MEDIUM PATCH This Month

{var@P} prompt-string operator. Zed's terminal tool system enforces command-prefix allowlists to control what commands can be executed; the bypass exploits an incomplete input validation list (CWE-184) to chain expansions that resolve to arbitrary shell commands while appearing to match an approved prefix. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the RCE-tagged nature and CVSS High confidentiality impact make it a meaningful concern for users relying on Zed's agentic terminal tool permissions.

RCE Zed
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4334 MEDIUM This Month

Stored Cross-Site Scripting in the Shariff Wrapper WordPress plugin (all versions ≤ 4.6.20) allows authenticated Contributors to inject persistent JavaScript payloads via the 'headline' parameter of the [shariff] shortcode, which then execute in any visitor's browser upon page load. The Changed scope (S:C in CVSS) means the injected payload escapes the plugin's context and runs inside victim browsers across the full WordPress front-end, enabling session theft, credential harvesting, or drive-by redirection. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and persistent nature of stored XSS make it a meaningful risk on multi-author or open-registration WordPress installations.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6427 MEDIUM This Month

Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS PHP WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9644 MEDIUM This Month

Stored Cross-Site Scripting in the LiveSmart Video Chat WordPress plugin (all versions through 1.2) allows authenticated contributors to inject persistent malicious scripts via the 'livesmart_widget' shortcode attribute, which execute in any visitor's browser upon page load. The CVSS Scope:Changed rating confirms cross-user impact - a contributor's injected payload can hijack administrator sessions, exfiltrate cookies, or perform unauthorized actions on behalf of higher-privileged victims. No public exploit code and no CISA KEV confirmation exist at time of analysis, but the low privilege bar (contributor-level) meaningfully widens the realistic attacker pool on multi-author WordPress deployments.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9806 MEDIUM PATCH This Month

Stored XSS in MISP CTI Transmute's notification bell dropdown allows an attacker who can control convert names to inject arbitrary JavaScript that executes in authenticated users' browsers upon opening the notification panel. The vulnerability, tracked as EUVD-2026-32728 and reported by CIRCL, stems from innerHTML-based rendering of user-controlled notification content in base.html and affects all versions prior to upstream commit cf42409 - critically, only on the development branch, not production releases. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P reflects that exploitation requires the attacker to first influence a convert name surfaced in a notification.

XSS Cti Transmute
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-49093 MEDIUM This Month

Server-Side Request Forgery in Kibana allows an authenticated user holding connector management privileges to bypass the operator-configured connector allowlist, forcing the Kibana server to issue outbound HTTP requests to destinations that egress controls were explicitly designed to block. The CVSS Changed Scope (S:C) combined with high confidentiality impact (C:H) means successful exploitation extends beyond Kibana itself, potentially exposing sensitive internal network resources such as cloud metadata services or internal APIs reachable from the Kibana host. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

SSRF Elastic
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-9989 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Media component allows remote attackers to read or manipulate cross-origin data via a crafted video file. Affected are all Chrome versions prior to 148.0.7778.216 on desktop platforms, confirmed via ENISA EUVD-2026-33131 and the Chrome stable channel advisory. The CVSS vector (PR:N/UI:R) indicates no authentication is required but victim interaction is necessary; EPSS sits at 0.02% (4th percentile), and no active exploitation is confirmed in the CISA KEV catalog, making this a medium-priority issue despite the network-accessible attack vector.

Google Authentication Bypass Chrome
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
Prev Page 7 of 11 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy