Skip to main content
CVE-2025-71315 MEDIUM PATCH This Month

Denial-of-service in the Linux kernel's DRM VKMS (Virtual Kernel Mode Setting) subsystem arises from an improperly managed custom hrtimer used for vblank timing, replaced in the fix by DRM's standard vblank timer implementation. Local users with low-privileged access to the VKMS device can trigger a kernel availability failure - likely a crash or hang - due to the divergent timer lifecycle in struct vkms_output. EPSS is negligible at 0.02% and no active exploitation is confirmed; this is a low-urgency kernel hardening fix affecting development and CI-focused deployments.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46314 MEDIUM PATCH This Month

Infinite loop denial-of-service in the Linux kernel's drm/v3d GPU driver allows a local low-privileged user to permanently peg a CPU core by submitting a crafted self-referential ioctl extension structure. The vulnerability exists in v3d_get_extensions(), which traverses a userspace-controlled linked list without bounding chain length; when both in_sync_count and out_sync_count are zero, the duplicate-extension guard silently passes on every iteration, trapping the kernel thread indefinitely. No public exploit or active exploitation has been identified at time of analysis; EPSS stands at 0.02%, consistent with the local-access-only attack surface.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46310 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Renesas VSP1 media driver crashes the kernel during module unload on Generation 4 Renesas SoC hardware. The defect exists because the cleanup path unconditionally invokes vsp1_drm_cleanup() rather than vsp1_vspx_cleanup() for gen 4 IP versions, while the initialization path correctly checks the IP version - an asymmetry introduced when gen 4 support was added. With an EPSS of 0.02% (4th percentile), no KEV listing, and no public exploit code, real-world exploitation risk is very low and confined to niche embedded and automotive platforms; vendor-released patches are available in stable kernel branches.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46297 MEDIUM PATCH This Month

Improper interrupt registration in the Linux kernel's libwx network driver causes a kernel WARNING when VF (Virtual Function) misc interrupts are initialized, resulting in high availability impact on affected systems. The libwx driver incorrectly calls request_threaded_irq() with a primary handler, a NULL threaded handler, and the IRQF_ONESHOT flag - an invalid combination flagged as a WARNING by the kernel interrupt management subsystem since commit aef30c8d569c. Exploitation requires local access with low privileges on a system equipped with a Wangxun VF NIC using the libwx driver; no public exploit code exists and EPSS is negligible at 0.02%.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46295 MEDIUM PATCH This Month

KVM/x86 on Linux exposes a race condition in interrupt request register (IRR) scanning that causes incorrect reporting of the highest pending interrupt in nested virtualization scenarios. Specifically, when PID.ON is set by a sender vCPU after the target vCPU has already harvested and cleared the PIR, a second call to vmx_sync_pir_to_irr() observes an empty PIR and returns max_irr=-1 without scanning the IRR, producing a spurious kernel WARNING in vmx_check_nested_events() and a wasted L2 VM-Enter/VM-Exit cycle. The interrupt itself is not lost - it resides in the IRR from the first sync - but the incorrect max_irr triggers the assertion. No public exploit exists and EPSS is 0.02%, consistent with the highly localized, timing-dependent nature of this defect.

Code Injection Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46290 MEDIUM PATCH This Month

Linux kernel x86 EFI runtime service fault handling panics instead of recovering gracefully on systems with buggy EFI firmware, following the FPU softirq changes introduced in commit d02198550423. When kernel_fpu_begin() began using local_bh_disable() in place of preempt_disable(), SOFTIRQ_OFFSET is set in preempt_count for the duration of EFI runtime service calls, causing in_interrupt() to return true in normal task context - which causes efi_crash_gracefully_on_page_fault() to bail unconditionally, escalating to panic(). On hardware where EFI firmware (e.g., GetTime()) accesses unmapped memory, this produces an unrecoverable system freeze. No public exploit identified at time of analysis; EPSS is 0.02%, confirming no observed exploitation activity.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-44119 MEDIUM PATCH This Month

Privilege escalation in Apache HTTP Server 2.4.0 through 2.4.67 allows local users with .htaccess write access to read arbitrary files using the privileges of the httpd daemon process, exploiting improper privilege management (CWE-269). The attack vector is local, requires low privileges, and impacts only confidentiality - no integrity or availability impact is present. No public exploit code and no active exploitation have been identified; SSVC classifies technical impact as partial and the vulnerability as non-automatable, consistent with the targeted, local nature of the attack.

Privilege Escalation Apache Red Hat Apache HTTP Server
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-11552 MEDIUM This Month

Hard-coded credential exposure in SourceCodester's Online Examination & Learning Management System 1.0 (also distributed as Syllabus-aligned Learning Management and Examination System 1.0) allows remote unauthenticated attackers to exploit a statically embedded password ('CICT_2026') in the import_users.php file without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated remote exploitation at low complexity, and the E:P exploit maturity modifier alongside the CVE description's explicit statement of public disclosure confirm that publicly available exploit code exists. Impact is constrained to low confidentiality exposure against the vulnerable component with no confirmed integrity or availability consequences.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11515 MEDIUM This Month

Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-41724 MEDIUM This Month

Stored cross-site scripting in VMware Cloud Foundation Operations (and the related Aria Operations / Telco Cloud Platform builds) lets an authenticated user who can create policies, views, or text-widgets inject script that executes in the browser of any user who later views the affected object, including administrators. Because the CVSS vector marks Confidentiality, Integrity, and Availability as High with Scope:Unchanged, a successful payload effectively lets a low-privileged operator escalate to administrative actions inside the Operations console. No public exploit identified at time of analysis and not currently listed in CISA KEV, but a vendor advisory has been issued by Broadcom.

XSS VMware Vcf Operations Vmware Aria Operations Vmware Telco Cloud Platform
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-41722 MEDIUM This Month

Stored cross-site scripting in VMware Cloud Foundation Operations (formerly VMware Aria Operations) allows authenticated users with policy, view, or text-widget creation privileges to inject scripts that execute in the browser context of other users, including administrators. The flaw spans VCF Operations 9.x, the legacy 5.x/Aria Operations 8.18.x line, and VMware Telco Cloud Platform 5.x, with a CVSS of 8.0 driven by high impact across confidentiality, integrity, and availability when a victim admin renders the malicious content. No public exploit identified at time of analysis and no EPSS or KEV signal is provided in the input.

XSS VMware Vcf Operations Vmware Aria Operations Vmware Telco Cloud Platform
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-11569 MEDIUM This Month

Stored cross-site scripting in Red Hat Quay 3.x allows an authenticated user with repository write access to upload a malicious SVG file via the filedrop endpoint, which lacks MIME type validation. The uploaded file is persisted and served inline through the CDN, meaning any victim who visits the archive URL will have attacker-controlled JavaScript execute in their browser. No public exploit has been identified at time of analysis, and exploitation requires both repository write privileges and victim interaction, limiting opportunistic mass exploitation.

XSS Red Hat Quay 3 Red Hat
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41479 MEDIUM PATCH GHSA This Month

Unauthenticated open redirect in Authlib's OAuth 2.0 authorization endpoint allows any remote attacker to weaponize a trusted authorization server domain as a redirector - no client registration, no authenticated session, and no prior state required. The flaw affects all deployments of pip/authlib < 1.6.10 and == 1.7.0 running an authorization endpoint via the Flask or Django integrations. Publicly available exploit code exists and was dynamically confirmed against the live HEAD (v1.6.6-104-g68e6ab3f); no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV status absent), but the trivial, zero-prerequisite exploit path makes phishing and domain-allowlist bypass practical at scale.

Python Open Redirect
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47244 MEDIUM PATCH GHSA This Month

Unbounded HTTP/2 stream creation in Netty's netty-codec-http2 library exposes any Netty HTTP/2 server running on default configuration to memory exhaustion from a single TCP connection. Because DefaultHttp2Connection.DefaultEndpoint initializes stream limits to Integer.MAX_VALUE and Http2Settings never advertises SETTINGS_MAX_CONCURRENT_STREAMS unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a remote unauthenticated attacker can sustain hundreds of thousands of simultaneous streams, each forcing JVM heap allocations for DefaultStream objects, PropertyMap slots, flow-controller state, and IntObjectHashMap entries. This misconfiguration is also the structural precondition for CVE-2023-44487-style HTTP/2 Rapid Reset amplification. No public exploit has been identified at time of analysis; vendor-released patches are available in 4.1.135.Final and 4.2.15.Final.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-11473 MEDIUM This Month

SQL injection in jflyfox jfinal_cms through version 5.1.0 exposes database contents to remote, low-privileged attackers via an unsanitized `orderBy` parameter in the `list` function of `AdvicefeedbackController.java`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation requiring only a low-privileged account, with limited but real confidentiality, integrity, and availability impact. The project was notified via GitHub issue #62 but has not responded, and no vendor-released patch exists at time of analysis. No public exploit code or confirmed active exploitation has been identified.

SQLi Jfinal Cms
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11509 MEDIUM This Month

SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_updation.php. The vulnerability enables read, write, and denial-of-service impact against the underlying database with low complexity and no user interaction required. No public exploit code or active exploitation has been identified at time of analysis.

PHP SQLi
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47720 MEDIUM GHSA This Month

SQL injection in FUXA's TDengine DAQ storage connector allows unauthenticated remote attackers to read the complete historical PLC tag archive from any FUXA instance using TDengine as its storage backend. The flaw resides in `escapeTdString` (`server/runtime/storage/tdengine/index.js:10`), which doubles single quotes but fails to escape backslashes — enabling backslash-bypass injection via the `sids` parameter on `GET /api/daq` or the Socket.IO `DAQ_QUERY` event. Critically, enabling FUXA's own authentication layer does not close this gap: the Socket.IO handler carries no authorization check and the REST endpoint accepts guest-level requests by design, meaning the authentication bypass and SQLi are compounding issues. No public exploit identified at time of analysis; vendor-released fix confirmed in v1.3.2.

Authentication Bypass SQLi
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-49141 MEDIUM PATCH This Month

Cross-tenant contact tampering in WACRM (arnasdon/wacrm) before commit 73041bf allows any authenticated tenant user to read and modify contacts owned by other tenants by passing an arbitrary contact_id to the automation engine endpoint, which invokes a Supabase service-role client that bypasses row-level security. The flaw is an IDOR/authorization bypass (CWE-639) reported by VulnCheck; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Wacrm
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-47345 MEDIUM PATCH GHSA This Month

HTML serialization in typo3/html-sanitizer before version 2.3.2 fails to encode namespace attributes (xmlns:*), allowing an authenticated low-privilege attacker to inject unsanitized XSS payloads that execute in victims' browsers. The vulnerability bypasses the library's core XSS prevention purpose: crafted namespace attribute values containing raw HTML (e.g., onerror handlers) survive the sanitizer and render as executable markup. No public exploit has been independently identified at time of analysis, though the vendor-published commit includes a working test case demonstrating the exact bypass payload.

XSS Html Sanitizer
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-42890 MEDIUM PATCH GHSA This Month

Arbitrary Node.js code execution via signed Actual Budget macOS binary (versions prior to 26.5.0) is enabled by the ELECTRON_RUN_AS_NODE fuse being left active in the Electron 39.2.7 runtime. An attacker who can place a script on disk or influence the process environment can invoke Actual.app with ELECTRON_RUN_AS_NODE=1, causing the signed binary to act as a Node.js interpreter executing attacker-controlled code under Actual's macOS code signature and entitlements. No public exploit identified at time of analysis; a vendor-released patch exists in version 26.5.0 per GHSA-7rvm-xjpp-63r9.

Apple Code Injection Node.js RCE
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-9549 MEDIUM PATCH This Month

Stored cross-site scripting in Checkmk's service discovery active check output allows a high-privileged administrator to inject persistent malicious HTML or JavaScript that executes in the browsers of other administrators or users with host read permissions when they run checks on the service discovery page. Affected versions span all currently maintained branches: Checkmk below 2.5.0p5, below 2.4.0p31, below 2.3.0p48, and all 2.2.0 releases with no patch for that branch. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the stored nature of the XSS and its targeting of privileged user sessions make it a meaningful lateral-privilege and session-compromise vector within Checkmk deployments.

XSS Checkmk
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-8078 MEDIUM PATCH This Month

Stored cross-site scripting in Checkmk's global settings change log enables a high-privileged administrator to persist malicious HTML or JavaScript within changelog messages, which then executes silently in the browsers of other authenticated users who view the Activate Changes page or Audit log. Affected versions span all 2.2.0 releases and builds prior to 2.5.0p5, 2.4.0p31, and 2.3.0p48. No active exploitation is confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the insider-threat angle - an already-privileged admin targeting peer users - is the realistic concern here.

XSS Checkmk
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-46298 MEDIUM PATCH This Month

Deadlock vulnerability in the Linux kernel's pseries/papr-hvpipe subsystem allows a local low-privileged attacker on IBM pSeries Power Architecture systems to cause a kernel deadlock by triggering a race between the ioctl or release handler and a hardware interrupt firing on the same CPU. Exploitation is architecture-specific, requiring IBM PAPR hardware with the hvpipe driver loaded, and results in an availability-only denial-of-service. No public exploit exists and EPSS probability stands at 0.02%, consistent with a narrow attack surface; vendor-released patches are confirmed available for Linux 7.0.7, 7.1-rc3, and the 6.18 stable branch.

Linux Race Condition Information Disclosure
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-10787 MEDIUM This Month

Missing authorization on the deleted user groups API in Devolutions Server enables authenticated low-privileged users to enumerate metadata of deleted user groups via crafted API requests, bypassing intended access controls. Affected deployments include versions 2026.2.4.0 and 2026.1.20.0 and earlier, as confirmed by the vendor advisory DEVO-2026-0015. No public exploit exists and CISA SSVC confirms no active exploitation, placing this at low operational priority despite its network-accessible attack vector.

Authentication Bypass Server
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45536 MEDIUM PATCH GHSA This Month

File descriptor exhaustion in Netty's Unix domain socket native transport allows a local peer to leak two file descriptors per crafted SCM_RIGHTS message into the receiving process, with neither FD ever closed. Affected are applications explicitly configured with DomainSocketReadMode.FILE_DESCRIPTORS on Epoll or KQueue DomainSocketChannel - a non-default opt-in setting. Sustained message flooding by a local socket peer can exhaust the Netty process's file descriptor table, ultimately causing denial of service. No public exploit identified at time of analysis and not listed in CISA KEV; CVSS scores this at 4.0 (Low) reflecting the local-only attack surface and low availability impact.

Information Disclosure Java Linux Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy