Skip to main content
CVE-2026-41839 MEDIUM PATCH This Month

Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Session Fixation Java Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-0411 MEDIUM PATCH This Month

Information disclosure in NETGEAR Orbi satellite devices (RBR350, RBR760, RBS350, RBS760, RBE97x) allows a low-privileged user on the same network to obtain administrator access to the Orbi router. The flaw resides specifically in the satellite-to-router communication layer, as NETGEAR explicitly confirms Orbi systems deployed without satellites are unaffected. No public exploit exists (CVSS E:U) and CISA SSVC rates exploitation as none, but the high secondary impact scores (SC:H/SI:H/SA:H) reflect that successful exploitation yields full router compromise.

Information Disclosure Netgear Rbe97X Rbr350 Rbr760 +2
NVD VulDB
CVSS 4.0
4.2
EPSS
0.0%
CVE-2026-24315 MEDIUM This Month

SAP Fiori Launchpad is vulnerable to malicious URL crafting that triggers arbitrary service calls within the Fiori domain, enabling credential theft from users who interact with the crafted link. Exploitation requires no attacker privileges (PR:N per CVSS) but demands high attack complexity (AC:H) and user interaction (UI:R), meaning adversaries must possess advanced system knowledge and successfully deliver the URL to a victim. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, placing this in the medium-priority tier despite the credential-theft potential.

Information Disclosure SAP
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-54509 MEDIUM This Month

Improper access control in the IOMMU register interface on AMD EPYC server processors allows a high-privileged local attacker to induce non-coherent memory accesses by the AMD Secure Processor (ASP), resulting in loss of system integrity beyond the directly compromised component. Affected processor families span EPYC 8004, 9004, and 9005 series - including embedded variants - covering AMD's current-generation server and embedded datacenter platforms. No public exploit code and no CISA KEV listing exist at time of analysis, but the elevated subsequent integrity impact (SI:H in CVSS 4.0) signals meaningful security boundary degradation, particularly relevant for confidential computing and virtualized environments where ASP integrity is foundational.

Information Disclosure Amd Amd Epyc 9004 Series Processors Amd Epyc 9005 Series Processors Amd Epyc 8004 Series Processors +4
NVD
CVSS 4.0
4.0
EPSS
0.0%
Prev Page 7 of 7

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy