Skip to main content
CVE-2026-49824 HIGH PATCH GHSA This Week

Cross-namespace access control bypass in Fission (Kubernetes-native serverless framework) prior to 1.24.0 allows an authenticated tenant with permission to create Function objects in their own namespace to reference an Environment in a different namespace, because the admission webhook in pkg/webhook/function.go validated namespace equality only for secrets and configmaps, not for spec.environment.namespace. An attacker can pivot across Kubernetes namespace boundaries and pull in environment configuration belonging to other tenants (CVSS 8.5, scope-changed, high confidentiality impact). No public exploit identified at time of analysis, though the upstream fix and full patch diff are publicly available on GitHub.

Authentication Bypass Kubernetes
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-9151 HIGH PATCH This Week

OS command injection in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers allows an authenticated attacker on an adjacent network to execute arbitrary commands by uploading a malicious VPN client configuration file. The flaw stems from improper sanitization of special characters during configuration import (CWE-78) and carries a CVSS 4.0 base score of 8.5. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but TP-Link has released firmware fixes for all affected models.

Command Injection TP-Link
NVD
CVSS 4.0
8.5
EPSS
0.4%
CVE-2026-8637 HIGH PATCH This Week

Local privilege escalation in Lenovo's LanSchool Classic client application allows authenticated users on affected endpoints to execute arbitrary code with elevated privileges via an uncontrolled search path (CWE-427). The flaw carries a CVSS 4.0 score of 8.5 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because LanSchool Classic is widely deployed in K-12 and education environments, exploitation could let a student or low-privileged user gain SYSTEM-level control of managed classroom devices.

RCE Lanschool Classic
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-9045 HIGH PATCH This Week

Local privilege escalation in Lenovo Accessories and Display Manager for Enterprise on Windows allows an authenticated low-privileged user to execute arbitrary code with elevated privileges, per a Lenovo-disclosed internal finding (LEN-213623). The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the vulnerable system, though no public exploit identified at time of analysis. The CWE-306 (Missing Authentication for Critical Function) classification combined with the 'Authentication Bypass' tag suggests a privileged operation in the product is reachable without proper access checks.

RCE Microsoft Authentication Bypass Lenovo
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-45549 HIGH This Week

Privilege escalation in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user - including the lowest-privilege 'guest' role 4 - to start, stop, or restart the roxy-wi-smon-agent systemd unit on arbitrary managed servers, with the action executing as root via Roxy-WI's passwordless sudo SSH credentials. The flaw stems from missing role and group-ownership checks on the agent_action endpoint, and no public exploit has been identified at time of analysis though the vulnerability is trivially reachable once an account exists.

Authentication Bypass Nginx Apache
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-52750 HIGH PATCH This Week

Command injection in Ghidra versions before 12.1 on Windows allows attackers to execute arbitrary OS commands under the Ghidra user's privileges when a victim clicks a maliciously crafted URL embedded in a program comment annotation. The flaw stems from improper escaping of cmd.exe metacharacters in URL annotation handling, and exploitation requires user interaction (UI:A). No public exploit identified at time of analysis, though VulnCheck published a dedicated advisory alongside the NSA's GitHub security advisory.

Command Injection Microsoft Ghidra
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-10721 HIGH This Week

PHP Object Injection in Concrete CMS versions below 9.5.2 allows arbitrary PHP object instantiation through unsafe unserialize() calls in the Permission, Cache, and Search components. The flaw is triggered when a malicious serialized payload has already been written to the database, meaning the unauthenticated trigger depends on a prior write primitive existing in the deployment. No public exploit identified at time of analysis, and CVSS 4.0 base scores it 8.4 with high confidentiality, integrity, and availability impact.

PHP Deserialization
NVD VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-24067 HIGH This Week

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users on the host to gain root-level capabilities by abusing a TOCTOU race in the privileged helper's XPC client validation. The com.slatedigital.connect.privileged.helper.tool2 service identifies callers by PID and then queries code-signing information, but PID reuse lets an attacker substitute a trusted process between check and use. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the technical pattern is well-known on macOS and a SEC Consult advisory describes the flaw in detail.

Apple Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-52755 HIGH PATCH This Week

Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the theme directory via Zip Slip path traversal sequences in malicious theme ZIP archives, leading to code execution or credential compromise. The flaw requires user interaction (importing the booby-trapped theme) and is exploited locally against the user running Ghidra. No public exploit identified at time of analysis, though the technique (Zip Slip) is well-documented and trivially reproducible.

RCE Path Traversal Ghidra
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-52752 HIGH PATCH This Week

Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking a user into installing a malicious extension archive. The extension installer fails to sanitize ZIP entry names, enabling classic Zip Slip path traversal that writes files outside the intended extension directory. No public exploit identified at time of analysis, though the technique is well-documented and trivially reproducible.

RCE Path Traversal Ghidra
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-24066 HIGH This Week

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users to execute commands as root by connecting to the privileged XPC helper service with a self-signed certificate whose subject OU matches the expected value. The flaw stems from improper certificate validation (CWE-296) in the helper's client authorization logic, which fails to verify the certificate chains to a trusted code-signing authority. No public exploit is identified in CISA KEV at time of analysis, and EPSS reflects very low (0.01%) near-term exploitation probability, but a detailed vendor-lab advisory is publicly available.

Apple Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-10238 HIGH PATCH This Week

Local privilege escalation to System Management Mode (SMM) in Lenovo ThinkPad BIOS firmware allows a high-privileged local user to execute arbitrary code at one of the most privileged execution rings on x86 hardware. The flaw, an out-of-bounds write (CWE-787) discovered by Lenovo during an internal security assessment, affects a wide range of current-generation ThinkPad models including X1 Carbon 13th Gen, X13 Gen 6, T14s Gen 6, P14s/P16v Gen 3, L13/L14/L16 Gen 6, and E16 Gen 3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Memory Corruption X13 Gen 6 Type 21Rk 21Rl Laptops Thinkpad Bios X1 Carbon 13Th Gen Type 21Nx 21Ny Laptops Thinkpad Bios P16V Gen 3 Type 21Rs 21Rt Laptop Thinkpad Bios +105
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-10237 HIGH PATCH This Week

Arbitrary privileged memory read/write in Lenovo ThinkPad embedded controller (EC) firmware allows a local administrator on affected ThinkPad models (X13 Gen 6, X1 Carbon 13th Gen, P16v Gen 3, L16 Gen 1/2, T14s Gen 6, P14s Gen 6, L13 Gen 6, L14 Gen 6) to access or modify protected memory regions. Discovered during Lenovo's internal security assessment, the issue is rated CVSS 4.0 8.4 (High) and there is no public exploit identified at time of analysis, with no CISA KEV listing. Despite the high score, exploitation requires high privileges and local access, narrowing realistic abuse to attackers who already have admin on the host or to supply-chain/insider scenarios.

Information Disclosure X13 Gen 6 Type 21Rk 21Rl Laptops Thinkpad Bios X1 Carbon 13Th Gen Type 21Nx 21Ny Laptops Thinkpad Bios P16V Gen 3 Type 21Rs 21Rt Laptop Thinkpad Bios L16 Gen 1 Type 21L7 21L8 Laptops Thinkpad Bios +91
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-46558 HIGH PATCH This Week

Cross-workspace authorization bypass in Plane (makeplane) prior to version 1.3.1 allows any authenticated user of one workspace to read, copy, delete, and overwrite file assets belonging to other workspaces on the same instance. The flaw stems from missing membership checks on V2 asset endpoints and is fixed in v1.3.1; no public exploit identified at time of analysis.

Authentication Bypass Plane
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-45567 HIGH This Week

Authentication bypass in Roxy-WI versions 8.2.6.4 and prior allows remote unauthenticated attackers to reach protected API functionality by including the 'api' substring in the URL, with the /api/gpt endpoint specifically exposed without authentication. The flaw carries a CVSS 8.3 with scope change and affects a web management interface for HAProxy, Nginx, Apache, and Keepalived, and no public exploit has been identified at time of analysis. No vendor-released patch exists at time of publication, making this a high-priority issue for any internet-exposed installation.

Authentication Bypass Nginx Apache
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-50637 HIGH PATCH This Week

Metric injection in the Perl module Metrics::Any::Adapter::Statsd before version 0.04 allows remote attackers to inject arbitrary StatsD metrics by supplying metric names or values containing newlines, colons, or pipes that the send method passes unvalidated into UDP packets. Because the StatsD protocol multiplexes multiple metrics per packet using newline delimiters, an attacker who controls any string flowing into a recorded metric can forge additional metrics, poisoning monitoring data and downstream alerting. EPSS is very low (0.03%), no public exploit is identified at time of analysis, and there is no CISA KEV listing.

Code Injection Metrics
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-10846 HIGH PATCH This Week

Off-path DNS response spoofing in NLnet Labs ldns 1.2.0 through 1.9.0 allows remote attackers to inject forged answers into applications that use the library as a UDP stub resolver, including the bundled drill tool. The library fails to validate the response source address/port, the query transaction ID, and the question section against the original query, making cache and answer poisoning feasible without on-path positioning. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.2 reflects high integrity impact on any downstream application that trusted ldns to validate DNS answers.

Information Disclosure Ldns Suse
NVD VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-41717 HIGH PATCH This Week

Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.

Code Injection Java Spring Data Mongodb
NVD HeroDevs
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41732 HIGH PATCH This Week

Insecure deserialization in Spring for Apache Pulsar's JsonPulsarHeaderMapper allows remote attackers to bypass trusted-package controls and potentially trigger arbitrary Java object instantiation through Pulsar message headers. The flaw stems from a prefix-based package match plus an unsafe empty-allow-list default, affecting versions 1.1.0-1.1.17, 1.2.0-1.2.17, and 2.0.0-2.0.5. No public exploit identified at time of analysis, but the CVSS 8.1 rating and CWE-502 classification place this firmly in the high-impact Java deserialization category that has historically yielded remote code execution.

Deserialization Apache Java Spring For Apache Pulsar
NVD HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41731 HIGH PATCH GHSA This Week

Unsafe deserialization in Spring for Apache Kafka (versions 2.8.0-4.0.5 across multiple branches) allows a malicious Kafka producer to send crafted message headers that cause downstream consumers to instantiate arbitrary JDK types via Jackson. The flaw stems from a prefix-based trusted-packages check in JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper, which silently extends trust to every subpackage. No public exploit identified at time of analysis, but the bug class (CWE-502 with Jackson default typing) has a long history of leading to remote code execution in Spring/Java ecosystems.

Deserialization Apache Java Spring For Apache Kafka
NVD HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-45569 HIGH This Week

Path traversal in Roxy-WI versions 8.2.6.4 and prior allows authenticated remote attackers to read arbitrary configuration files via the config_file_name and configver parameters. The vendor's attempted fix in commit d4d10006 is ineffective due to a logic error - it uses Python tuple-membership instead of substring containment - leaving all realistic '../' payloads unblocked, with no public exploit identified at time of analysis.

Path Traversal Nginx Apache
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-0274 HIGH PATCH This Week

Improper credential validation in the CommvaultSecurityIQ integration for Palo Alto Networks Cortex XSOAR and Cortex XSIAM allows remote attackers to read and modify protected resources without authentication. The CVSS 4.0 base score of 8.1 reflects high impact to confidentiality, integrity, and availability across a network-reachable attack surface, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Cortex Xsiam Commvaultsecurityiq Marketplace Cortex Xsoar Commvaultsecurityiq Marketplace
NVD VulDB
CVSS 4.0
8.1
EPSS
0.0%
CVE-2026-41729 HIGH PATCH This Week

Server-Side Expression Language (SpEL) injection in Spring Data REST allows authenticated remote attackers to execute arbitrary expressions by sending JSON Patch requests targeting Map-typed entity properties. Affected versions span 3.7.0 through 5.0.5, and successful exploitation yields high confidentiality and integrity impact (CVSS 8.1). No public exploit identified at time of analysis, but the low attack complexity and network reachability make this a credible threat to any exposed REST repository accepting application/json-patch+json.

Code Injection Java Spring Data Rest
NVD HeroDevs
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47838 HIGH PATCH This Week

Authentication bypass via X.509 certificate impersonation in Spring Security affects versions 5.7.0-5.7.24, 5.8.0-5.8.26, 6.3.0-6.3.17, 6.4.0-6.4.17, and 6.5.0-6.5.10, where the SubjectDnX509PrincipalExtractor mishandles malformed Common Name (CN) values and resolves the principal to the wrong identity. An attacker holding a carefully crafted client certificate can authenticate as a different legitimate user, gaining their privileges. No public exploit identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects no observed exploitation activity.

Authentication Bypass Java Spring Security
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-48060 HIGH PATCH GHSA This Week

Cross-Site Scripting in Litestar Python web framework versions prior to 2.22.0 allows remote attackers to execute arbitrary JavaScript in victim browsers by poisoning the csrftoken cookie, whose contents are rendered into HTML templates without escaping when the documented csrf_input helper is used. Publicly available exploit code exists via the GitHub Security Advisory GHSA-542p-wvx7-72m4, which includes two working proof-of-concept applications. The flaw only manifests in applications that combine a template engine (Jinja, Mako, MiniJinja) with CSRF protection and the recommended hidden CSRF input field pattern.

XSS Python CSRF
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-45565 HIGH This Week

Path traversal bypass in Roxy-WI versions 8.2.6.4 and earlier allows authenticated remote attackers to escape input sanitization in the EscapedString Pydantic validator and inject shell metacharacters alongside '..' sequences. The flaw stems from a flawed if/elif/elif/else control flow that strips metacharacters without re-enforcing the '..' block, and the result is never shlex-quoted before reaching downstream command contexts. No public exploit identified at time of analysis, and no vendor-released patch identified at time of analysis.

Information Disclosure Nginx Apache
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-2049 HIGH PATCH This Week

Arbitrary code execution in GIMP via malicious HDR (High Dynamic Range) image files allows attackers to run code in the context of the user opening the file. The flaw is a heap-based buffer overflow (CWE-122) in the HDR parser, requiring the victim to open a crafted file or visit a malicious page that delivers one. No public exploit identified at time of analysis, but the vulnerability was reported through ZDI (ZDI-CAN-28618) indicating verified researcher analysis.

RCE Heap Overflow Buffer Overflow Gimp
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-45257 HIGH This Week

Page-cache corruption in FreeBSD's kTLS-RX subsystem (CVE-2026-45257 / FreeBSD-SA-26:26.kTLS) enables an unprivileged local user to overwrite arbitrary bytes in the backing physical page of any world-readable file, including SUID-root binaries, by exploiting in-place AES-GCM decryption running directly over sendfile(2)-produced EXTPG mbufs via the kernel direct map (DMAP). The write bypasses the VFS layer entirely, defeating file permissions, mount options, and chflags schg immutable flags - making this the FreeBSD functional equivalent of Linux CVE-2022-0847 (Dirty Pipe). A public exploit (bumsrakete.c) is included in the oss-security disclosure and achieves reliable root LPE in approximately 1.5 seconds on default FreeBSD 13.0 through 15.0 on amd64, arm64, and riscv; no public KEV listing has been identified at time of analysis.

Authentication Bypass Freebsd
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-50567 HIGH PATCH This Week

Path traversal in Fission Kubernetes serverless framework prior to version 1.25.0 allows authenticated tenants to write files outside the intended extraction directory by submitting a crafted package archive. The fetcher sidecar (fission-fetcher) processes attacker-controlled Package.Spec.Source.URL or Deployment.URL archives via Unarchive in pkg/utils/zip.go, where filepath.Join was used without verifying the resolved path stayed under the destination, enabling cross-tenant file overwrite, tampering with mounted secret/config volumes, or overwriting the fetcher binary itself. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal Kubernetes
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-47701 HIGH PATCH GHSA This Week

Service account token disclosure in OpenTelemetry Operator's TargetAllocator (versions prior to 0.152.0) allows a tenant with ServiceMonitor write permissions in a watched namespace to exfiltrate the OpenTelemetry Collector pod's mounted Kubernetes service account JWT or any other file on the Collector's filesystem. By setting the bearerTokenFile field on a ServiceMonitor to an arbitrary path (such as /var/run/secrets/kubernetes.io/serviceaccount/token) and pointing the scrape target to an attacker-controlled endpoint, the Collector reads the file and ships its contents as an Authorization: Bearer header on every scrape interval. No public exploit is identified at the time of analysis, though the technique mirrors a well-known Prometheus Operator primitive (ArbitraryFSAccessThroughSMs).

Information Disclosure Kubernetes
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-49823 HIGH PATCH GHSA This Week

Cross-namespace access control bypass in Fission prior to 1.24.0 allows an authenticated tenant to reference Package objects belonging to other Kubernetes namespaces because the admission webhook validated namespaces for Secret and ConfigMap references but omitted the equivalent check for PackageRef.Namespace. A low-privileged user with rights to create Function objects in their own namespace can therefore reach Package contents in arbitrary namespaces, producing a scope-changing confidentiality breach (CVSS 7.7, S:C, C:H). No public exploit identified at time of analysis; not listed in CISA KEV.

Authentication Bypass Kubernetes
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-49822 HIGH PATCH GHSA This Week

Cross-namespace information disclosure in Fission prior to 1.24.0 allows a low-privilege developer with namespace-scoped permissions to create a KubernetesWatchTrigger (KWT) that establishes a persistent watch channel against Kubernetes resources in any other namespace, breaking the platform's tenancy boundary. The flaw stems from missing namespace-equality enforcement in the kubewatcher controller, which honored an attacker-supplied Spec.Namespace value and even treated an empty value as cluster-wide visibility. No public exploit identified at time of analysis, but the upstream fix (PR #3379, merged into v1.24.0) and detailed advisory GHSA-gc3j-79f2-7vvw confirm the defect class.

Authentication Bypass Kubernetes
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-49821 HIGH PATCH GHSA This Week

Cross-namespace package reference flaw in Fission prior to version 1.24.0 allows an authenticated tenant to point a Package CRD at an Environment in another namespace, because the buildermgr controller never verified that Package.spec.environment.namespace matched Package.metadata.namespace. With CVSS 7.7 and a scope-changed confidentiality impact, a low-privileged user in one namespace can cause the controller to read and build against environment resources belonging to other tenants. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-20252 HIGH PATCH This Week

Server-side request forgery in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform lets a low-privileged authenticated user coerce the Dashboard Studio PDF export feature into issuing HTTP requests to arbitrary internal destinations. The flaw stems from a flawed prefix-match on trusted domains plus uncritical redirect-following by the PDF export service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SSRF Splunk Splunk Enterprise Splunk Cloud Platform
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-42558 HIGH This Week

Stored cross-site scripting in Xibo CMS prior to 4.4.2 allows authenticated users with elevated DataSet privileges to chain a Stored XSS with an iframe sandbox escape via the Data Connector functionality, executing script in another user's browser context. Scope-changed impact (S:C) with high confidentiality loss means a low-privileged-but-trusted operator can compromise an admin session viewing the affected dataset content. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Microsoft XSS
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-6893 HIGH This Week

Root command injection in dracut's legacy DHCP path allows adjacent-network attackers to execute arbitrary commands inside the initramfs by sending crafted DHCP options (e.g., malicious hostname) that are written unescaped into temporary shell scripts. The flaw affects Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4, granting full system compromise during early boot. No public exploit identified at time of analysis, and EPSS is low (0.16%, 36th percentile), but SSVC rates technical impact as total.

Command Injection RCE Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +4
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-45541 HIGH This Week

Remote denial-of-service in Espressif ESP-IDF's esp_http_server WebSocket handshake allows unauthenticated attackers to crash IoT devices by sending a malformed Sec-WebSocket-Protocol header. The flaw (CWE-476 NULL-pointer dereference) is triggered pre-authentication during subprotocol negotiation and affects ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0; no public exploit identified at time of analysis, though upstream commits disclose the exact vulnerable code path.

Denial Of Service Null Pointer Dereference Esp Idf
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-52726 HIGH POC PATCH GHSA This Week

Arbitrary code execution in Dulwich (pure-Python Git implementation) versions 0.23.2 through 1.2.4 allows a malicious upstream repository to drop executable files into a victim's .git/hooks/ directory during a recursive clone or submodule update. When the victim subsequently runs any git or dulwich command that invokes the planted hook, the attacker's code executes with the victim's privileges. No public exploit identified at time of analysis, though the technique mirrors the well-documented upstream Git flaws CVE-2024-32002 and CVE-2024-32004.

Path Traversal Python RCE Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-42542 HIGH PATCH This Week

Remote unauthenticated denial-of-service in TDengine versions 3.4.0.0 through 3.4.1.5 allows attackers to crash the taosd server process by sending a single crafted RPC packet, with no credentials or prior session state required. The flaw is a CWE-191 integer underflow (vendor tags also reference Integer Overflow) in RPC packet handling, fixed in version 3.4.1.6. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Integer Overflow Denial Of Service Tdengine
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-48110 HIGH PATCH GHSA This Week

Denial of service in Russh (Rust SSH client/server library) versions 0.34.0 through 0.60.x allows remote SSH peers to trigger excessive memory allocation by sending oversized, high-fanout, or malformed length-prefixed SSH strings, name-lists, and byte fields before field-specific bounds checks are applied. The flaw affects both client and server message handlers and impacts availability only (CVSS 7.5, C:N/I:N/A:H). No public exploit identified at time of analysis.

Information Disclosure Russh
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53114 HIGH PATCH GHSA This Week

Denial of service in CometD Java server (versions 5.0.0-5.0.22, 6.0.0-6.0.18, 7.0.0-7.0.18, 8.0.0-8.0.8) allows a single remote unauthenticated client to exhaust server memory by repeatedly sending /meta/connect messages with a fixed ack value while the acknowledgement extension is enabled, causing the unacknowledged message queue to grow without bound and triggering an OutOfMemoryError. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity impact, and no public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-cqgj-h8vf-4w59 provides clear protocol-level reproduction details.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-53461 HIGH PATCH GHSA This Week

Out-of-bounds heap write in ImageMagick's ICON decoder allows remote attackers to crash the application by supplying a maliciously crafted ICON file processed by versions prior to 6.9.13-50 and 7.1.2-25. The flaw stems from an incorrect loop condition during ICON parsing, leading to memory corruption and denial of service. No public exploit identified at time of analysis, but ImageMagick's broad deployment as an image-processing backend in web applications makes drive-by exposure plausible.

Memory Corruption Buffer Overflow Imagemagick
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-53460 HIGH PATCH GHSA This Week

Denial of service in ImageMagick prior to 6.9.13-50 and 7.1.2-25 allows remote attackers to trigger an out-of-memory condition by submitting crafted images that bypass memory request validation in the AcquireAlignedMemory routine. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) vector reflects unauthenticated network exploitability with high availability impact but no confidentiality or integrity loss. No public exploit identified at time of analysis, and the issue is not present on the CISA KEV list.

Denial Of Service Imagemagick
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41716 HIGH PATCH This Week

Denial-of-service in Spring Data Commons (versions 2.7.0-4.0.5) allows remote unauthenticated attackers to exhaust JVM heap memory by repeatedly submitting unique property-name strings that are permanently retained in an internal property-lookup cache. The flaw maps to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflecting purely availability impact. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Denial Of Service Java Spring Data Commons
NVD HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41695 HIGH This Week

Denial of service in Spring Data Commons 3.4.x, 3.5.x, and 4.0.x allows remote unauthenticated attackers to exhaust server resources by supplying crafted property path strings that the MappingContext resolves inefficiently. The flaw is reachable wherever applications expose property path parsing to untrusted input, and with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) it is trivially triggerable, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Denial Of Service Java Spring Data Commons
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40988 HIGH PATCH This Week

Denial of service in Spring Security's SAML 2.0 service provider module allows remote unauthenticated attackers to exhaust application memory by submitting a maliciously compressed SAML payload over the REDIRECT binding. The flaw stems from an unbounded inflater that decompresses attacker-controlled data without size limits, enabling a classic decompression-bomb attack against any Spring application using SAML Login or Logout. No public exploit identified at time of analysis, but the network-reachable, no-authentication CVSS profile (7.5 High) makes this a near-term patching priority for SAML-enabled deployments.

Denial Of Service Java Spring Security
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46541 HIGH This Week

Denial-of-service in Nimiq core-rs-albatross (Rust implementation of the Albatross Proof-of-Stake consensus) prior to version 1.4.0 allows a malicious DHT node to suppress all valid DHT GET responses for a query by being the first to reply with an unverifiable record. Because the DhtResults accumulator is only created after the first record passes verification, a single bad first response causes subsequent valid records to be discarded as 'DHT inconsistent state', breaking peer/validator discovery. No public exploit identified at time of analysis, but the patch and full root cause are public in PR #3707.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41728 HIGH PATCH This Week

Authorization bypass in Spring Data REST's JSON Patch handler allows remote unauthenticated attackers to modify protected entity fields by routing writes through intermediate path segments of a multi-segment JSON Pointer. The flaw affects Spring Data REST 3.7.x through 5.0.5 and carries a CVSS 7.5 (high) integrity-only impact; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Java Spring Data Rest
NVD HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-9060 LOW POC PATCH Monitor

Stored Cross-Site Scripting in Store Locator WordPress plugin before 1.6.6 allows administrator-level users to inject persistent malicious scripts into the plugin's admin settings page, with execution triggered when any privileged user visits the page. Critically, this bypass works even when WordPress's `unfiltered_html` capability is restricted - a control commonly enforced in multisite networks - meaning a subsite admin could target visiting super admins. A publicly available exploit exists via WPScan, though no active exploitation has been confirmed by CISA KEV. CVSS rates this 3.5 (Low), but multisite deployments face materially higher practical risk.

XSS WordPress
NVD WPScan
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-48860 HIGH PATCH This Week

Authentication bypass in Erlang/OTP's TLS distribution module (inet_tls_dist) lets any attacker holding a TLS certificate signed by a CA in the node's trust store gain full Erlang distribution access, including remote code execution via rpc:call/4 and code:load_binary/3. The flaw stems from check_ip/1 inspecting the local socket address (inet:sockname/1) instead of the peer's address (inet:peername/1), so the LAN-allowlist subnet comparison always matches. No public exploit identified at time of analysis, but the one-line root cause is fully disclosed in the upstream fix commit.

Authentication Bypass Otp Suse Red Hat
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
Prev Page 2 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy