Skip to main content
CVE-2026-50257 HIGH This Week

Local privilege escalation in X.Org X server and Xwayland enables authenticated local users to trigger a use-after-free in miSyncDestroyFence() by racing two client connections against a shared fence object. Successful exploitation can crash the display server or escalate privileges to root when the X server runs as root, which remains common on legacy and embedded Linux deployments. No public exploit identified at time of analysis, but an upstream fix has been committed by the X.Org maintainers.

Use After Free Memory Corruption Privilege Escalation Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-47684 HIGH PATCH GHSA This Week

Server-Side Request Forgery in Sync-in Server versions 2.2.1 and earlier allows authenticated low-privileged users to bypass the private-IP blocklist by supplying URLs that resolve to IPv4-mapped IPv6 addresses (::ffff:127.0.0.1, ::ffff:10.x.x.x). The URL download feature's regExpPrivateIP regex fails to recognize the dual-stack representation, letting the server fetch internal resources it should refuse. No public exploit identified at time of analysis beyond the reporter's PoC; the issue is not listed in CISA KEV.

Node.js SSRF
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-11297 HIGH PATCH This Week

Navigation restriction bypass in Google Chrome on Android prior to 149.0.7827.53 allows a local attacker to circumvent Reader Mode input validation by supplying a malicious file. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (4th percentile), but Google has released a fix in the stable channel. Chromium internally rates this as Low severity despite the elevated NVD CVSS of 7.7.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-45726 HIGH PATCH GHSA This Week

Sensitive credential disclosure in Sidero Labs Omni (versions 1.3.0–1.6.5 and 1.7.0–1.7.2) allows authenticated users with the low-privileged Reader role to read the ImportedClusterSecrets resource and exfiltrate the full CA private key bundle (Kubernetes, etcd, Talos, and service-account keys) of imported Talos clusters whose secrets have not been rotated. With those keys, attackers can mint cluster-admin certificates and seize complete control of the downstream cluster outside Omni's control plane. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-11296 HIGH PATCH This Week

Privilege escalation in Google Chrome's ImageCapture component before 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape sandbox boundaries via a crafted HTML page. The flaw was reported by Google's internal security team and is rated medium-low by Chromium itself despite the 7.5 CVSS score, and no public exploit identified at time of analysis. SSVC indicates no known exploitation but total technical impact if successfully chained.

Google Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-11239 HIGH PATCH This Week

Privilege escalation in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape sandbox-style restrictions via the Extensions subsystem using a crafted HTML page. The flaw requires user interaction and high attack complexity, and is rated Low severity by the Chromium team despite the 7.5 CVSS score; no public exploit identified at time of analysis.

Google Privilege Escalation Red Hat Suse Chrome
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-11242 HIGH PATCH This Week

Cross-origin data disclosure in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to leak data across origin boundaries by serving a crafted HTML page through the Plugins component. No public exploit has been identified at time of analysis, and Chromium rates the underlying issue as Low severity despite the NVD CVSS of 7.5. The flaw stems from insufficient validation of untrusted input (CWE-20) within Chrome's plugin handling path.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-47261 HIGH PATCH GHSA This Week

File truncation bypass in wasmtime-wasi allows guest WebAssembly modules to truncate (destroy contents of) host files that should be read-only, by invoking the wasip2 `descriptor.open-at` or wasip1 `path_open` interfaces with only the `OpenFlags::TRUNCATE` flag set. The bug affects embeddings that combine `DirPerms::MUTATE` with `FilePerms::READ` (read-only file permissions plus directory mutation), defeating the host's enforced `FilePerms::WRITE` access control. No public exploit identified at time of analysis; CVSS 7.5 reflects the integrity-only impact (C:N/I:H/A:N).

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-11265 HIGH PATCH This Week

Cross-origin data leakage in Google Chrome's Autofill component prior to version 149.0.7827.53 enables remote attackers to exfiltrate sensitive data from other origins by enticing a victim to visit a crafted HTML page. Despite a CVSS score of 7.5 reflecting high confidentiality impact, the EPSS score of 0.03% and Chromium's own 'Low' severity rating indicate limited real-world risk, and no public exploit identified at time of analysis.

CSRF Google Chrome
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-11255 HIGH PATCH This Week

Cross-origin data leakage in Google Chrome's Storage Access API affects desktop versions prior to 149.0.7827.53, enabling a remote attacker who has already compromised the renderer process to exfiltrate sensitive cross-origin information via a specially crafted HTML page. Google rates the underlying Chromium severity as Low, though NVD assigns CVSS 7.5 due to the unauthenticated network vector, and no public exploit identified at time of analysis.

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-36501 HIGH This Week

Denial of service in OpenDaylight Controller v12.0.5 allows remote unauthenticated attackers to crash or render the SDN controller unavailable by sending crafted input to the Externalizable.readExternal() deserialization component. No public exploit identified at time of analysis, but SSVC flags the flaw as automatable with partial technical impact, and the network attack vector with low complexity makes opportunistic abuse plausible despite a very low EPSS score (0.02%).

Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-36785 HIGH This Week

Denial of service in Tenda FH451 V1.0.0.9 routers allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the page parameter handler of the fromDhcpListClient function. EPSS exploitation probability is very low (0.01%, 3rd percentile) and no public exploit identified at time of analysis, though proof-of-concept artifacts appear to be hosted in a public GitHub research repository. The flaw is not listed in CISA KEV.

Denial Of Service Tenda Stack Overflow Buffer Overflow N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46493 HIGH PATCH This Week

Weak cryptographic salt generation in HAX CMS (haxcms-php) versions prior to 26.0.1 allows remote unauthenticated attackers to predict or recover salt values used during installation and authentication-related operations. The flaw stems from using PHP's uniqid() - a timestamp-based, non-cryptographic function - as a randomness source (CWE-338). No public exploit has been identified at time of analysis and the CVE is not on CISA KEV.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45291 HIGH PATCH This Week

Denial of service in CloudburstMC Network versions prior to 1.0.0.CR3-20260418.124334-32 allows remote unauthenticated attackers to close the parent Netty channel, rendering the network layer inoperable. Any publicly accessible application depending on the affected library is exposed, and no public exploit has been identified at time of analysis. The CVSS 7.5 score reflects a high-availability impact with no confidentiality or integrity loss.

Information Disclosure Network
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-45290 HIGH PATCH This Week

Denial of service in Cloudburst Network (cloudburstmc/network) versions prior to 1.0.0.CR3-20260417.085727-30 allows remote attackers to stall the underlying Netty event loop, rendering network processing inoperable for any publicly accessible application that depends on the library. The flaw scores CVSS 7.5 with a fully remote, low-complexity, unauthenticated availability impact, and no public exploit identified at time of analysis.

Denial Of Service Network
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-47249 HIGH PATCH GHSA This Week

Remote denial of service in klever-go v1.7.17 allows any connected P2P peer to send a 442-byte compressed RequestDataType_HashArrayType message that expands into 200,000 decoded hash entries, driving roughly 156 MiB of heap pressure and synchronous CPU work per request inside TxResolver and TrieNodeResolver. The flaw stems from antiflood logic that only counts compressed wire size, leaving validator nodes exposed to resource exhaustion from repeated or concurrent malicious requests. Publicly available exploit code exists (vendor-published PoC) but the issue is not in CISA KEV; EPSS data was not provided.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-47383 HIGH PATCH GHSA This Week

Stored Cross-Site Scripting in NocoDB <= 2026.05.0 allows authenticated commenters to inject HTML payloads into row comments that execute as JavaScript when other users hover over the comment in the expanded form view. Successful exploitation runs script in the NocoDB origin under the victim's session, enabling theft of the auth JWT from localStorage. No public exploit identified at time of analysis; EPSS is low (0.11%, 29th percentile) and the issue is not listed in CISA KEV.

XSS
NVD GitHub
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-50593 HIGH PATCH This Week

Out-of-bounds write in the SIL Graphite smart-font rendering engine before 1.3.15 allows attackers to corrupt memory by supplying a malicious font file that triggers an integer underflow in the slotat macro. Exploitation requires a victim to render attacker-controlled font content in an application that embeds Graphite (such as Firefox, LibreOffice, or Pango-based renderers), and no public exploit has been identified at time of analysis.

Integer Overflow Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-11416 HIGH PATCH This Week

Path traversal in MoviePilot's AliPan, U115, Rclone, and SMB cloud storage download handlers allows an attacker who controls remote filenames to write files outside the configured download directory. The flaw stems from unsanitized concatenation of filenames returned by remote cloud APIs, enabling overwrite of configuration files, plugins, or other files accessible to the application process. No public exploit identified at time of analysis, but a vendor patch is available via upstream commit a0b3800.

Path Traversal Moviepilot
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-10586 HIGH This Week

Server-Side Request Forgery in the Essential Blocks WordPress plugin (versions through 6.1.3) allows authenticated users with Author-level access or higher to coerce the WordPress server into making arbitrary outbound HTTP requests via the save_ai_generated_image() function. The flaw enables attackers to probe internal network services, read responses from internal endpoints, and potentially modify state on services that trust requests from the WordPress host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

WordPress SSRF
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-47732 HIGH PATCH GHSA This Week

Sandbox policy bypass in Twig templating engine versions 3.25.0 and earlier allows sandboxed template authors to invoke arbitrary `__toString()` methods on any `Stringable` object reachable in the render context, even when those methods are not allowlisted by `SecurityPolicy::checkMethodAllowed()`. The flaw stems from `SandboxNodeVisitor` only wrapping a hardcoded subset of AST nodes in `CheckToStringNode`, leaving many string-coercion points (conditional expressions, comparison/`matches` operators, tests, ranges, includes, spread arguments) unguarded - and the comparison-operator vector enables byte-by-byte oracle recovery of sensitive object string forms. No public exploit identified at time of analysis; fix shipped in Twig 3.26.0 (also referenced by Symfony's advisory page).

PHP Authentication Bypass Oracle
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-8714 HIGH PATCH This Week

Denial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render the camera's video streaming service non-responsive by sending syntactically invalid RTSP input. The flaw is reachable without authentication or user interaction from the local network segment (CVSS 4.0 vector AV:A/PR:N/UI:N) and no public exploit identified at time of analysis. While confidentiality and integrity are unaffected, availability of the surveillance stream is fully impacted, which is operationally significant for a security camera.

Information Disclosure TP-Link Tapo C520Ws V2
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2025-59174 HIGH PATCH This Week

Denial-of-service in Ericsson Packet Core Controller (PCC) versions prior to 1.39 allows an adjacent-network attacker without credentials to degrade service by flooding the controller with specially crafted messages. The CVSS 4.0 score of 7.1 reflects high availability impact with no confidentiality or integrity loss; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Ericsson Information Disclosure
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25659 HIGH PATCH This Week

Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade telecom packet core service by continuously sending a specially crafted message that triggers improper handling of missing values (CWE-230). The condition persists only while the attack is sustained - the system self-recovers once traffic stops - and no public exploit identified at time of analysis, but the CVSS 4.0 score of 7.1 reflects high availability impact on a carrier-grade network function.

Ericsson Denial Of Service
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25658 HIGH PATCH This Week

Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows adjacent network attackers to degrade service availability by continuously transmitting specially crafted messages that trigger improper handling of missing values (CWE-230). The affected PCG nodes crash repeatedly under sustained attack but self-recover once traffic stops, so impact is transient yet operationally significant for mobile core networks. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Ericsson Denial Of Service
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25657 HIGH PATCH This Week

Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade service by continuously transmitting malformed messages that the gateway fails to parse safely. The condition causes recurring crashes that persist only while the attack is active, with automatic recovery once it stops, and no public exploit identified at time of analysis.

Ericsson Denial Of Service
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-11269 HIGH PATCH This Week

Remote code execution within the Chrome renderer sandbox affects Google Chrome desktop builds prior to 149.0.7827.53, stemming from an inappropriate implementation in the Extensions subsystem. An attacker in a privileged network position can deliver a crafted Chrome Extension that, with user interaction, executes arbitrary code confined to the sandbox. No public exploit identified at time of analysis and EPSS probability is very low (0.01%), but a vendor patch is available.

Google RCE Chrome
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-5090 HIGH PATCH This Week

Denial of service in Arista CloudVision Exchange (CVX) allows an attacker with high-privilege access to a connected switch to crash CVX agents by sending malformed TCP packets, causing instability across the CVX cluster. The flaw stems from improper input validation (CWE-20) of messages received from connected switches, and no public exploit has been identified at time of analysis.

Denial Of Service Eos Cloudvision Exchange Cvx
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2025-5089 HIGH PATCH This Week

Denial of service in Arista EOS switches and CloudVision Exchange (CVX) servers arises from improper input validation in the TCP messaging protocol that governs EOS-CVX cluster communication. Sending malformed messages in either direction - from a CVX server to an EOS switch, or vice versa - triggers a Sysdb agent crash on the EOS device (causing a soft reset) or agent crashes on the CVX server (causing cluster-wide instability). Exploitation requires the attacker to already hold high-privilege access on a device within the cluster, and no public exploit code or CISA KEV listing exists at time of analysis, making this a targeted insider or post-compromise threat rather than an opportunistic one.

Denial Of Service Eos Cloudvision Exchange Cvx
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-11369 HIGH This Week

Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and write comments on arbitrary process objects across all business units by supplying a chosen GUID to the /api/Comment endpoints. The flaw stems from missing authorization checks on the relatedObjectId parameter and carries a CVSS 4.0 score of 7.1 with no public exploit identified at time of analysis. Because exploitation requires only low-privilege credentials and no user interaction, it is well-suited to insider abuse or post-compromise lateral movement within multi-tenant deployments.

Authentication Bypass Linqi
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25622 HIGH This Week

Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) Captive Portal Custom Handler allows administrators authenticated to the management UI to execute arbitrary shell commands on the underlying platform. The CVSS 4.0 score of 7.0 reflects high privilege requirements (PR:H) offset by network reach and high confidentiality impact, with no public exploit identified at time of analysis.

Command Injection Ng Firewall
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-25620 HIGH This Week

Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) version 17.4.0 allows authenticated high-privileged remote attackers to inject OS commands through the Captive Portal application framework via encrypted password handling. The flaw is unique to release 17.4.0 with earlier versions unaffected, and no public exploit identified at time of analysis. CVSS 4.0 base score of 7.0 reflects high attacker privilege requirement balanced against high confidentiality impact on the firewall appliance.

Command Injection Ng Firewall
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-25623 HIGH This Week

Authenticated command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) allows administrators with existing access to the browser management pipeline to break out and execute arbitrary terminal/shell script code on the underlying appliance OS. The flaw stems from insufficient input validation (CWE-78) within management-plane functionality and carries a CVSS 4.0 score of 7.0 with no public exploit identified at time of analysis. Because exploitation requires high-privileged authentication, the issue is a privilege-boundary breach rather than an unauthenticated remote takeover.

Command Injection Ng Firewall
NVD
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-25621 HIGH This Week

Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) version 17.4.0 allows high-privileged authenticated attackers to abuse insecure input validation in the Reports application to execute OS commands on the appliance. The flaw uniquely affects 17.4.0, with earlier releases unaffected, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.0 with confidentiality high and integrity/availability low, reflecting a scope-changing impact constrained by the high privileges required.

Command Injection Ng Firewall
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-50265 HIGH This Week

Local privilege escalation in libinput affects Red Hat Enterprise Linux 7, 8, 9, and 10 by allowing a local attacker with access to /dev/uinput to inject arbitrary udev properties via the libinput-device-group helper. Exploitation can result in root code execution through abuse of udev REMOVE_CMD properties that are run when a device is removed, mapping to CWE-78 (OS Command Injection). No public exploit identified at time of analysis, but the issue is vendor-confirmed by Red Hat.

RCE Command Injection Suse
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-34123 HIGH PATCH This Week

Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to execute privileged operations they are not entitled to perform. By abusing the device API's legitimate method mapping behavior, an authenticated low-privilege attacker on the adjacent network can disguise sensitive calls as whitelisted ones, leading to integrity loss and high availability impact including device resets and configuration changes. No public exploit identified at time of analysis, and the issue was reported by TP-Link itself with a vendor patch available.

Authentication Bypass Tapo C520Ws V2
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-45720 HIGH PATCH GHSA This Week

Authentication bypass via SAML session replay in Siderolabs Omni stems from a TOCTOU race condition in the SAML interceptor (internal/pkg/auth/interceptor/saml.go), where the SAMLAssertion 'Used' flag is checked and updated non-atomically. Concurrent requests bearing the same saml-session token can each observe Used==false, allowing an attacker who has intercepted a victim's token to authenticate multiple times as the victim and persist access by registering attacker-controlled public keys. No public exploit identified at time of analysis; the issue was reported by bugbunny.ai and fixed in Omni v1.6.6 and v1.7.3.

Denial Of Service
NVD GitHub
CVSS 3.1
7.0
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy