Skip to main content
CVE-2026-43872 MEDIUM PATCH This Month

Path traversal across multiple endpoints in Actual, the open-source self-hosted personal finance application, allows authenticated low-privilege users to write files outside intended server directories in all versions prior to 26.5.0. The CVSS 4.0 vector confirms network-accessible exploitation with low-privilege authentication required and impact limited to write operations on the vulnerable system only - no confidentiality or availability impact is indicated. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.03% (8th percentile) reflects minimal observed exploitation interest at time of analysis.

Path Traversal Actual
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47182 MEDIUM PATCH This Month

Improper access control in Frappe Framework (all versions prior to 16.17.4) allows any authenticated user to retrieve private files by guessing their server-side file path, bypassing intended authorization restrictions. The flaw is classified under CWE-284 (Improper Access Control) and affects the file-serving layer of the framework, which underlies widely deployed applications such as ERPNext. No public exploit code has been identified at time of analysis, and exploitation probability is very low per EPSS (0.02%, 7th percentile), though the low attack complexity makes it straightforward for any credentialed user to attempt.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-12058 MEDIUM This Month

Vivo PcSuite's connection confirmation pop-up - a security gate that prompts users to authorize PC-to-device connections - can be bypassed by an adjacent unauthenticated attacker, rooted in CWE-807 (Reliance on Untrusted Inputs in a Security Decision). All versions of PcSuite are listed as affected per the wildcard CPE (cpe:2.3:a:vivo:pcsuite:*:*:*:*:*:*:*:*), and the attack requires only adjacent network positioning with no privileges or user interaction. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, keeping real-world urgency moderate.

Authentication Bypass Pcsuite
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-9641 MEDIUM PATCH This Month

Crypt::PBKDF2 for Perl prior to version 0.261630 ships with critically weak password-hashing defaults - HMAC-SHA1 as the pseudorandom function and only 1,000 iterations - leaving derived keys and stored passwords highly vulnerable to offline brute-force attacks. Applications that do not explicitly override these defaults expose any compromised credential store to cracking at rates orders of magnitude faster than OWASP-recommended configurations (220,000-1,400,000 iterations depending on algorithm). No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV, but the structural nature of CWE-916 means all previously generated hashes using the weak defaults remain exploitable even after upgrading the library unless proactively rehashed.

Information Disclosure Crypt Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44967 MEDIUM PATCH This Month

Memory exhaustion in opentelemetry-cpp OTLP HTTP exporters (traces, metrics, logs) prior to 1.27.0 allows an attacker who controls the configured collector endpoint - or occupies a MITM position on the network path - to crash the instrumented process by returning an arbitrarily large HTTP response body. The curl-based HTTP client read response data into an unbounded in-memory buffer via io-equivalent copy with no size limit, making peak heap allocation entirely attacker-controlled. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) indicates low opportunistic exploitation probability, though the targeted threat model (supply-chain-adjacent collector compromise) is realistic in telemetry-heavy environments.

Information Disclosure Opentelemetry Cpp
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44976 MEDIUM PATCH This Month

Improper access control in Frappe prior to 16.17.4 permits any authenticated user to modify any field in any Onboarding Step record, bypassing expected privilege restrictions. Affected deployments running versions below 16.17.4 expose their onboarding configuration data to unauthorized tampering by low-privileged users. EPSS is extremely low (0.02%, 5th percentile), no public exploit code has been identified, and the vulnerability is not listed in CISA KEV, suggesting no observed active exploitation at time of analysis.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-44975 MEDIUM PATCH This Month

Missing authorization in Frappe allows any authenticated low-privileged user to invoke the onboarding reset function and wipe onboarding state for all users system-wide, affecting all releases before 15.107.2 and 16.17.4. The CWE-862 root cause indicates the reset endpoint performs no role or privilege check before executing a privileged, system-wide operation. No public exploit code exists and EPSS sits at 0.02% (5th percentile), placing real-world exploitation risk at the lower end despite the disruptive potential of forcing every user through onboarding flows on next login.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-1836 MEDIUM PATCH This Month

Credential exposure in Redmine allows any local attacker with access to a previously-used browser session to recover plaintext login credentials stored by the application after form submission. The flaw (CWE-257) affects all tracked Redmine versions per NVD CPE data and represents a classic insecure credential storage issue. No public exploit has been identified at time of analysis, and exploitation is constrained to local attack vectors requiring prior user interaction.

Information Disclosure Redmine
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-49347 MEDIUM PATCH This Month

Ticket panel resource exhaustion in Quest Bot (open-source Discord bot, all versions prior to 1.1.8) allows any Discord user with panel access to flood a server with unlimited ticket channels and database records. Each modal submission unconditionally spawns a new Discord channel and database entry with no duplicate-ticket check and no rate limiting, enabling trivial availability denial of the ticketing system. No active exploitation (KEV) or public exploit code has been identified; vendor-released patch version 1.1.8 is confirmed available.

Denial Of Service Questbot
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-54393 MEDIUM PATCH This Month

Stored cross-site scripting in MISP's setHomePage endpoint allows an authenticated user to persist an arbitrary JavaScript payload as their homepage setting when the Overmind theme is active, which later executes in any victim's browser upon viewing the News page and clicking the "Continue to homepage" link. The root cause is a theme-conditional code path in UserSettingsController that called setSettingInternal() directly, bypassing the validate_homepage validator that enforces a leading slash on path values, combined with an unescaped output sink in app/View/News/index.ctp. No public exploit has been identified at time of analysis; exploitation is bounded by the Overmind-theme-only precondition and mandatory victim interaction.

XSS Misp
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-53722 MEDIUM POC PATCH GHSA This Month

Reflected DOM-based XSS in Nuxt's built-in <NuxtLink> component allows an unauthenticated attacker to inject script-capable URLs (javascript:, vbscript:) that execute in the application's origin when a victim clicks a crafted link, affecting all Nuxt v3 versions prior to 3.21.7 and v4 versions prior to 4.4.7. Exploitation is contingent on application code that binds attacker-controlled input - such as query parameters, CMS link fields, or user-supplied profile URLs - directly to the component's to or href props without prior sanitization. No public exploit code has been identified and the EPSS score of 0.06% (20th percentile) indicates low observed exploitation probability; vendor-released patches are available in versions 3.21.7 and 4.4.7.

XSS Nuxt
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-10715 MEDIUM This Month

Improper authorization in Camaleon CMS 2.9.2 allows any low-privileged authenticated user to overwrite draft content belonging to other users by supplying an arbitrary post_id to the administrator draft autosave endpoint. The application authenticates the requesting user but performs no ownership check, meaning a contributor or editor can silently corrupt unpublished drafts they do not own. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Authentication Bypass Camaleon Cms
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-54357 MEDIUM PATCH This Month

Improper authorization in MISP permits an authenticated organization administrator to read or overwrite user settings and login profile data belonging to site administrator accounts that share the same organization. The ACL checks in UserLoginProfilesController, UserSettingsController, and the UserSetting model correctly scoped operations by org_id membership but failed to exclude users holding site-admin roles, allowing a lower-privileged admin to cross the intended privilege boundary. No public exploit has been identified at time of analysis; a patch is available via a CIRCL-reported upstream commit.

Authentication Bypass Misp
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-54055 MEDIUM PATCH This Month

Arbitrary file write in kitty terminal versions prior to 0.47.2 allows a child process running inside a kitty session to redirect writes to attacker-controlled filesystem paths. The root cause is a missing O_NOFOLLOW flag in the os.open() call within kitty's file transmission protocol: between the initial symlink validation stat-check and the actual file open, an attacker can insert a symlink, causing the write to follow it to an arbitrary destination - a classic TOCTOU race. No public exploit code exists and EPSS sits at 0.01% (1st percentile), indicating no observed exploitation; however, successful exploitation enables high-integrity-impact file overwrites that can facilitate local privilege escalation. Version 0.47.2 resolves the issue.

Privilege Escalation Kitty Suse
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-50009 MEDIUM PATCH GHSA This Month

Stateless reset token leakage in Netty's QUIC codec (io.netty:netty-codec-classes-quic prior to 4.2.15.Final) enables an on-path attacker to derive the reset token for active connections and terminate them via spoofed Stateless Reset packets. The default HMAC-based generators expose a deterministic relationship between the source connection ID visible in QUIC headers and the server's stateless reset token - after a source-CID rotation, an observer can compute the token from the new connection-ID bytes. No public exploit identified at time of analysis; the CVSS 4.8 Medium rating reflects the on-path attacker prerequisite (AC:H), which meaningfully limits opportunistic exploitation.

Information Disclosure Denial Of Service Netty
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-50088 MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara Developer Portal (developer.aqara.com) and its shared test environments (developer-test.aqara.com, aiot-test.aqara.com) allows a malicious website to read authenticated responses from any victim developer who visits it, exposing portal data tied to IoT/smart-home developer accounts. The flaw is a permissive CORS policy (CWE-942) that trusts untrusted origins; runZero disclosed it and no public exploit identified at time of analysis, though the technique is well-known and trivially scriptable.

Cors Misconfiguration Information Disclosure Aqara Developer Portal Aqara Developer Test Portal
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-11443 MEDIUM This Month

Cross-site scripting in Allegra's downloadAttachment method enables authenticated remote attackers to inject and execute arbitrary JavaScript within a victim user's browser session. Exploitation requires an authenticated low-privilege attacker account and mandatory victim interaction - the target must visit a malicious page or open a crafted file - limiting the realistic attack surface. Reported by Zero Day Initiative (ZDI-CAN-28236 / ZDI-26-358), patched in Allegra 9.0.0. No public exploit code and no active exploitation (CISA KEV) identified at time of analysis.

Authentication Bypass XSS Allegra
NVD VulDB
CVSS 3.0
4.6
EPSS
0.1%
CVE-2026-47224 MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's inherited 7-Zip LvmHandler component allows an unauthenticated remote attacker to crash the application or potentially expose heap memory by tricking a user into opening a maliciously crafted LVM2 disk image. All NanaZip installations from version 3.0.1000.0 up to (but not including) 6.0.1698.0 on Windows are vulnerable. No public exploit code or active exploitation has been identified; an EPSS score of 0.04% at the 11th percentile reflects very low real-world exploitation probability.

Microsoft Information Disclosure Buffer Overflow Nanazip
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47263 MEDIUM PATCH This Month

Unauthorized access to webhook event data in Discourse exposes internal webhook payloads to any authenticated user - or unauthenticated users on instances with login_required disabled - across versions 2026.1.0 through several branch heads. The flaw resides in the MessageBus channel /web_hook_events/<id>, which the Jobs::RedeliverWebHookEvents job publishes to without enforcing group_id restrictions, allowing unrestricted channel subscription. Compounded by trivially enumerable sequential integer webhook IDs, any low-privilege or anonymous actor can iterate over webhook event history without authorization. No public exploit code exists and EPSS is 0.03% (9th percentile), indicating no observed widespread exploitation at time of analysis.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44785 MEDIUM PATCH This Month

Discourse's AI 'explain' helper exposes raw content of hidden posts to any authenticated user with access to the feature, due to an incomplete authorization check on parent posts. Affected instances span three release tracks - 2026.1.x, 2026.3.x, and 2026.4.x - and any user who can invoke the AI helper and find a visible reply to a hidden post can silently read the hidden post's raw text. No public exploit code has been identified and EPSS places exploitation probability at 0.03% (9th percentile), indicating this is a low-urgency but genuine confidentiality bypass for deployments where hidden post content is sensitive.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44782 MEDIUM PATCH This Month

Discourse's GroupPostSerializer leaks user real names to authenticated users even when site administrators have explicitly disabled name display via the enable_names site setting. Affected versions span the 2026.1.x, 2026.3.x, and 2026.4.x release lines. An authenticated user querying group post endpoints receives real name data that the platform operator intended to suppress, undermining privacy configurations on Discourse instances that host pseudonymous or anonymous communities. No public exploit code exists and no active exploitation has been identified; the EPSS score of 0.03% (9th percentile) reflects low exploitation probability.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44780 MEDIUM PATCH This Month

Discourse's ReviewableQueuedPostSerializer unconditionally exposes full inbound email source - including SMTP headers, sender trace, mail user agent, and body - to category moderation group members accessing the review queue, bypassing the view_raw_email_allowed_groups trust boundary that restricts the dedicated raw-email endpoint. Affected versions span the 2026.1.x, 2026.3.x, and 2026.4.x series on deployments using Discourse's incoming email feature. No public exploit has been identified and EPSS stands at 0.03% (9th percentile), indicating low automated exploitation probability, though the exposed data - including sender IP addresses and routing headers - presents meaningful privacy and de-anonymization risk to users who submitted posts via email.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44779 MEDIUM PATCH This Month

Discourse platform versions across three active release tracks expose whisper translation audit logs through bot debug endpoints to any authenticated low-privilege user. The vulnerability (CWE-200) exists across release lines 2026.1.x, 2026.3.x, and 2026.4.x, and has been patched by the vendor across all affected tracks. No public exploit exists and EPSS sits at the 9th percentile (0.03%), indicating this is a low-probability exploitation target; however, the exposure of internal moderation audit logs may pose compliance and confidentiality risks on community platforms handling sensitive staff communications.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24618 MEDIUM This Month

Sensitive system information exposure in the Hash Elements WordPress plugin (all versions through 1.5.4) enables authenticated low-privilege users to retrieve embedded sensitive data from the plugin's output or internal responses. Classified under CWE-497, the plugin surfaces system-level information - potentially including API keys, server paths, or configuration values - to parties who should not have access to it. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low authentication barrier (subscriber-level or equivalent WordPress account) broadens the pool of potential abusers on multi-user WordPress installations.

Information Disclosure Hash Elements
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3433 MEDIUM This Month

Mattermost's WebSocket layer improperly broadcasts `role_updated` events to all authenticated connections regardless of team or channel membership, enabling guest-level authenticated users to observe permission scheme change notifications for private teams they do not belong to. Affected versions span the 10.11.x, 11.5.x, and 11.6.x release lines. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and broad version impact make patching a straightforward priority for any Mattermost deployment with guest accounts enabled.

Mattermost Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6689 MEDIUM This Month

Mattermost's team creation API endpoint (POST /api/v4/teams) fails to enforce the PermissionInviteUser authorization check, allowing authenticated users holding only PermissionCreateTeam to configure invite-controlled team settings - including making a team publicly joinable via open invite and restricting membership by allowed domains - that they are explicitly prohibited from setting on existing teams. Affected versions span the 10.11.x, 11.5.x, and 11.6.x release trains up to their respective latest builds. No public exploit identified at time of analysis, and the flaw has not been listed in CISA KEV.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47236 MEDIUM PATCH This Month

Unauthorized disclosure of pending invitation emails and member data in Solidtime prior to v0.12.2 allows any authenticated team member to bypass explicit permission controls via the Jetstream web team page. The team page controller gates access only with a coarse `belongsToTeam()` check and then serializes all invitation and member records into Inertia props embedded in the HTML response body, circumventing the `invitations:view` and `members:view` permissions that protect the same data on the API. This is no public exploit identified at time of analysis, with an EPSS of 0.02% reflecting low exploitation probability, though the bypass requires no skill beyond loading the team page as a valid member.

Authentication Bypass Solidtime
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-12065 LOW POC Monitor

Improper authorization in the WebView URL Handler of the Groww Stock, Mutual Fund, Gold App for Android (all versions up to build 20260805) allows a low-privileged attacker with physical device access to invoke custom URL scheme handlers without proper authorization, enabling unauthorized in-app navigation or bypass of client-side access controls. The CVSS 4.0 score of 0.3 reflects severe exploitation constraints: physical access is mandatory, attack complexity is high, and impact is limited to low integrity compromise with no confirmed confidentiality exposure. A public proof-of-concept is available on GitHub and Google Drive; the vulnerability is not listed in CISA KEV and no vendor patch has been confirmed at time of analysis.

Google Information Disclosure Stock Mutual Fund Gold App
NVD VulDB GitHub
CVSS 4.0
0.3
EPSS
0.0%
CVE-2026-53607 LOW Monitor

Server-Side Request Forgery in ApostropheCMS through version 4.30.0 allows unauthenticated remote attackers to pivot the Node.js application process into issuing outbound HTTP requests to arbitrary hosts on the internal network when the `prettyUrls` SEO feature is explicitly enabled on the `@apostrophecms/file` module. The attack exploits the raw `Host` HTTP request header, which the pretty-URL handler uses verbatim to construct and `fetch()` an upstream URL, streaming the full HTTP response - status code, headers, and body - back to the requester. Practical impact is constrained to blind SSRF (network-topology probing via response-code and timing oracles, and verbose proxy or WAF error-body disclosure) rather than arbitrary data exfiltration; no patch exists at time of publication and no public exploit has been identified.

Node.js SSRF Apostrophe
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-53826 LOW PATCH Monitor

Information disclosure in OpenClaw before 2026.4.26 leaks the real host workspace path through sandboxed session spawning, exposing filesystem location and potentially related memory context to child AI model prompts. Authenticated users with low-privilege access can trigger this by spawning child sessions from sandboxed parent sessions, undermining the isolation guarantees of the sandbox environment. With a CVSS 4.0 score of 2.3, no public exploit code, and no CISA KEV listing, this is a low-severity but architecturally meaningful sandbox escape of information relevant to AI agent deployments.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-53835 LOW PATCH Monitor

Configuration enforcement bypass in OpenClaw's Feishu dynamic-agent binding subsystem permits authenticated senders to create or update sender-agent bindings while circumventing configured config-write access controls. All OpenClaw versions prior to 2026.5.6 are affected; an attacker holding valid sender credentials can modify binding state beyond intended policy, potentially redirecting or hijacking agent associations belonging to other users. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.3 reflects the narrow impact scope and prerequisite deployment conditions.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-53724 LOW PATCH GHSA Monitor

Stored XSS in Parse Server is achievable by authenticated users who bypass the file upload extension blocklist by appending a trailing dot to a blocked filename (e.g., `poc.svg.`), causing the extension parser to return an empty string and skip the block check. The attacker-supplied Content-Type is forwarded unchanged to cloud storage adapters (S3, GCS), which persist and serve the file under that active MIME type - enabling script execution in a victim's browser when the file URL is opened. No active exploitation is confirmed (not in CISA KEV, EPSS 0.05% at 15th percentile), but the attack mechanism is low-complexity and fully documented in the vendor's fix PRs. Patches are available in versions 8.6.79 and 9.9.1-alpha.4.

File Upload XSS Node.js Parse Server
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-48485 LOW PATCH Monitor

Mention injection in Quest Bot prior to version 1.1.6 allows Discord server moderators to embed @everyone or @here mass-ping triggers inside warning reasons, which are later replayed unsanitized when the /warns command outputs stored records. While the bot correctly suppresses Discord mentions during warning creation and several other moderation actions (unbanning, unwarning, kicking, muting, unmuting), the /warns display path lacks equivalent output encoding, creating an inconsistent trust boundary. The issue is patched in version 1.1.6 with no public exploit code identified at time of analysis.

Information Disclosure Questbot
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-48113 HIGH PATCH GHSA This Week

Authorization bypass in jpillora/chisel through version 1.11.4 allows any authenticated client to tunnel TCP traffic to arbitrary host:port destinations reachable from the chisel server, completely defeating the --authfile ACL. The server enforces remote-address restrictions only during the initial config handshake but never re-validates the destination encoded in SSH channel ExtraData, so a client that authenticates with a permitted remote can immediately open channels to any address. Publicly available exploit code exists (full PoC published in the GHSA advisory), though EPSS is low at 0.02% and the issue is not in CISA KEV.

Authentication Bypass
NVD GitHub
EPSS
0.0%
CVE-2026-28975 MEDIUM GHSA This Month

Denial of service via gzip bomb in swift-nio-extras NIOHTTPRequestDecompressor affects any Swift server using the `.ratio(N)` decompression limit, allowing unauthenticated remote attackers to exhaust server memory without limit. The ratio enforcement logic incorrectly uses the attacker-supplied `Content-Length` request header as the denominator of the compression ratio check instead of the actual number of compressed bytes received, making the check trivially bypassable. No public exploit code has been identified at time of analysis, but the bypass technique is straightforward and requires no special tooling - any HTTP client capable of crafting a gzip payload with a falsified `Content-Length` header can trigger it repeatedly to sustain memory amplification.

Denial Of Service
NVD GitHub
EPSS
0.0%
CVE-2026-28980 HIGH GHSA This Week

Denial of service in Apple's SwiftNIO NIOHTTP1 module (versions <= 2.99.0) allows unauthenticated remote attackers to exhaust server memory or crash processes by submitting HTTP/1 requests containing an unbounded number of small, valid header fields. The HTTPDecoder previously enforced only an 80 KB per-field limit with no cap on cumulative header block size or field count, letting hundreds of thousands of headers accumulate before application code runs. No public exploit identified at time of analysis, but the attack is trivial and impacts any HTTP/1 server or client built on NIOHTTP1, including downstream frameworks like Hummingbird 2 (crashes) and Vapor 4 (memory inflation).

Microsoft Denial Of Service
NVD GitHub
EPSS
0.0%
CVE-2026-43671 HIGH GHSA This Week

Out-of-bounds write in Apple's SwiftNIO ByteBuffer affects all releases from 1.0.0 through 2.99.0 and is fixed in 2.100.0. The flaw stems from UInt32 truncation in internal index/capacity converters, so when an attacker can influence an index, offset, or length passed to specific ByteBuffer write methods with a value above UInt32.max (~4 GiB), safety preconditions silently pass and subsequent writes can corrupt heap memory outside the buffer. No public exploit identified at time of analysis, and the high data-size threshold makes practical exploitation narrow but severe where applicable.

Memory Corruption Buffer Overflow
NVD GitHub
EPSS
0.0%
CVE-2026-28970 MEDIUM GHSA This Month

CRLF injection in SwiftNIO's outbound HTTP/1.1 start line handling enables HTTP request smuggling and HTTP response splitting in applications built on swift-nio 2.0.0 through 2.99.0. The validators NIOHTTPRequestHeadersValidator and NIOHTTPResponseHeadersValidator enforce header field name and value correctness but leave the request URI, HTTP method, and response reason phrase unvalidated, allowing CR/LF sequences to be injected by any attacker who controls those fields. Successful exploitation can smuggle arbitrary HTTP requests past intermediaries, bypass WAF rules, or poison shared web caches. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, exploitation in vulnerable proxy deployments is described as low-effort by the advisory authors.

Authentication Bypass
NVD GitHub
EPSS
0.0%
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy