Skip to main content
CVE-2026-54074 HIGH PATCH GHSA This Week

Code injection in @tinacms/cli versions prior to 2.4.3 allows an attacker who controls a Forestry-style project to achieve remote code execution on a developer's workstation when the `tinacms init` Forestry migration runs and the developer subsequently executes `tinacms dev` or `tinacms build`. The `addVariablesToCode` helper unquotes any value matching the marker `__TINA_INTERNAL__:::(.*?):::` placed in a stringified collection JSON, and user-supplied `label`/`name` fields from `.forestry/**/*.yml` are inserted into that JSON without sanitisation, yielding a top-level IIFE in the generated `tina/templates.ts`. A detailed end-to-end PoC is published in the GHSA-4936-9hrh-qqpw advisory; no public exploit identified at time of analysis beyond the disclosure PoC, and the CVE is not in CISA KEV.

Node.js Microsoft Code Injection RCE
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52908 HIGH PATCH This Week

Improper access-control re-validation in the Linux kernel's RDMA/InfiniBand subsystem (the ib_uverbs memory-region re-registration path) allows a local user with RDMA device access to obtain unintended read-write access to memory that was only pinned as read-only. When IB_MR_REREG_ACCESS upgrades a memory region from RO to RW, the underlying umem was not re-evaluated to confirm it is properly pinned for writing, enabling potential memory corruption or disclosure across RDMA-capable drivers. EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is fixed upstream in multiple stable trees.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52910 HIGH PATCH This Week

Local privilege escalation / memory corruption in the Linux kernel's SO_REUSEPORT BPF handling allows a local user to trigger a use-after-free (vmalloc out-of-bounds read) by replacing a classic BPF (cBPF) reuseport program via setsockopt() while another thread routes UDP traffic through the same reuseport group. Because the cBPF program is freed immediately by sk_reuseport_prog_free() without waiting for an RCU grace period, in-flight readers in reuseport_select_sock() dereference freed memory; the fix defers freeing until after one RCU grace period. No public exploit identified at time of analysis and EPSS probability is low (0.17%), but the bug is confirmed and fixed upstream.

Linux Ubuntu Buffer Overflow Debian
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52909 HIGH This Week

Improper network-namespace isolation in the Linux kernel's IPv6 VTI (ip6_vti) tunnel driver allows the per-netns fallback device (ip6_vti0) to be relocated into another network namespace, because vti6_init_net() omits the netns_immutable flag that sibling tunnel drivers (ip6_tunnel, sit, ip6_gre, ip_tunnel) all set. A local user holding CAP_NET_ADMIN in a namespace can move this fallback device, breaking the isolation guarantee the kernel enforces for other fallback tunnels and potentially destabilizing networking state. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.15%, 5th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-55878 HIGH PATCH GHSA This Week

Arbitrary file write and read in Symfony UX Toolkit's `ux:install` console command allows a crafted or compromised recipe kit to escape the intended installation directory and overwrite or read attacker-controlled files on a developer's machine or CI runner. Because overwriting controllers, git hooks, or `.env` files yields code execution, this path-traversal flaw escalates to local RCE, and no public exploit identified at time of analysis though the fix and root cause are documented in the upstream GHSA.

Path Traversal RCE
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-46461 HIGH PATCH This Week

Local privilege escalation in Dell Server Hardware Manager versions prior to 3.2.2 allows a low-privileged local user to gain higher privileges due to improper access control (CWE-284). The CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) reflects high impact across confidentiality, integrity, and availability once exploited. No public exploit identified at time of analysis and the CVE is not in CISA KEV.

Dell Authentication Bypass Server Hardware Manager
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-49290 HIGH PATCH This Week

Arbitrary file write via path traversal in Slopsmith (a self-hosted Rocksmith 2014 CDLC web app) prior to 0.2.9-alpha.5 allows an attacker who can supply a malicious PSARC or sloppak archive to write files outside the extraction directory, escalating to remote code execution under the default Docker image which runs as root and exposes a writable plugin directory. The CVSS 4.0 vector reports high privileges required (PR:H), reflecting that the attacker must reach the archive-upload/open functionality of an authenticated user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal Python RCE Docker Slopsmith
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.6%
CVE-2026-41156 HIGH This Week

Local privilege escalation and denial of service in Imagination Technologies Graphics DDK arises from a write use-after-free between the CPU-side driver and GPU firmware, where the driver frees a shared memory page before the GPU firmware finishes accessing it. Any unprivileged local user able to issue GPU system calls can trigger the race against multiple released DDK branches (1.18, 23.2, 24.2, 25.1-25.3, 26.1). No public exploit identified at time of analysis, but SSVC rates technical impact as total.

Use After Free Memory Corruption Denial Of Service Graphics Ddk
NVD VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-34192 HIGH This Week

Local privilege escalation and denial of service in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows non-privileged users to trigger a use-after-free of GPU MMU page tables via crafted GPU system calls. An error path fails to clean up before freeing the physical page-table allocation, enabling memory corruption that can be leveraged for kernel-context impact. No public exploit identified at time of analysis and SSVC reports no observed exploitation.

Information Disclosure Use After Free Memory Corruption Graphics Ddk
NVD VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-56208 HIGH This Week

Heap buffer overflow in libaom's AV1 encoder allows attackers who influence encoder configuration to trigger a 232-byte out-of-bounds heap write on every frame after the second, when Look-Ahead Processing (LAP) mode is active with g_lag_in_frames >= 1. Affected deployments include transcoding pipelines and WebRTC servers that pass user-controlled encoder parameters to libaom. No public exploit identified at time of analysis, and the flaw primarily yields a reliable denial of service with a theoretical path to remote code execution via heap corruption.

RCE Heap Overflow Buffer Overflow Denial Of Service
NVD VulDB
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-55660 HIGH PATCH GHSA This Week

Cross-window message spoofing in TinaCMS (npm tinacms and @tinacms/app) lets a malicious web page hijack an authenticated editing session because the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer act on window.postMessage event.data without validating event.origin or event.source, and reply with wildcard target origins. An attacker who lures an authenticated Tina editor to a crafted page (or gains an opener/iframe relationship with the Tina admin) can forge messages to drive the editor, inject preview content, or observe and forge the OAuth popup channel to take over the session. There is no public exploit identified at time of analysis; a vendor patch is available in PR #7056 and the flaw carries a CVSS 4.0 base score of 7.6.

XSS
NVD GitHub
CVSS 4.0
7.6
EPSS
0.2%
CVE-2026-54317 HIGH PATCH GHSA This Week

{device_id}`. The KonnectedView HTTP endpoint sets `requires_auth = False` and only enforces Bearer-token validation on POST/PUT methods, leaving the GET handler entirely unauthenticated. Publicly available exploit code exists in the form of a detailed reporter-published proof of concept against Home Assistant Core 2026.5.2.

Python Microsoft Information Disclosure Docker Oracle
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-50519 HIGH PATCH Exploit Unlikely This Week

Information disclosure in GitHub Copilot Chat for Visual Studio Code (versions 1.0.0 up to but not including 1.123.2) lets a remote, unauthenticated attacker read sensitive data over a network because an insecure default configuration exposes a resource that should be protected. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect. There is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.53% (40th percentile).

Information Disclosure Github Copilot Chat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-54772 HIGH PATCH GHSA This Week

Denial of service in CoreWCF net.tcp, net.pipe, and net.uds framing handshake allows unauthenticated remote attackers to pin a server thread-pool worker at 100% CPU per TCP connection, exhausting CPU resources with only a small number of concurrent connections. Affects CoreWCF.NetFramingBase versions below 1.8.1 and 1.9.0 through 1.9.0, with no public exploit identified at time of analysis. The CVSS 7.5 (High) score reflects pure availability impact reachable pre-authentication over the network.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-42895 HIGH PATCH NO ACTION HOSTED Monitor

Command injection in Microsoft 365 Copilot lets a remote, unauthenticated attacker tamper with data and integrity over the network by injecting unneutralized special elements into a command (CWE-77). The flaw carries a CVSS 7.5 driven entirely by high integrity impact, with no confidentiality or availability loss. There is no public exploit identified at time of analysis, EPSS estimates only a 0.39% 30-day exploitation probability, and CISA's SSVC scores exploitation as none - but a vendor patch is available.

Command Injection Microsoft 365 Copilot
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-49293 HIGH POC PATCH GHSA This Week

Denial of service in js-toml versions up to and including 1.1.0 allows remote attackers to exhaust CPU resources by submitting a single TOML document containing an oversized hexadecimal, octal, or binary integer literal. The hand-written parseBigInt loop exhibits O(n²) complexity, and a ~500 kB literal pins one CPU core for ~40 seconds; no public exploit identified at time of analysis, but the patched commit and test suite serve as a clear blueprint. Applies to any service invoking load() on attacker-controlled TOML, such as configuration upload endpoints, CI/CD pipelines, IDE plugins, and build tools.

Apple Denial Of Service Js Toml
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54499 HIGH PATCH GHSA This Week

Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch checkpoint, because its pretrain loader silently falls back from torch.load(weights_only=True) to weights_only=False whenever an UnpicklingError is raised - a condition the attacker fully controls by embedding one unsupported pickle global. Publicly available exploit code exists (working PoC in the GHSA advisory), and any developer, CI pipeline, or production NLP service that downloads Stanza model files from HuggingFace, GitHub, or a shared cache can be compromised. Fixed in Stanza 1.12.2.

Checkpoint Deserialization Python RCE
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54592 HIGH PATCH GHSA This Week

Denial of service in the Oj Ruby JSON parser (versions <3.17.3) allows remote unauthenticated attackers to crash any process that parses untrusted JSON via Oj::Doc.open followed by a recursive each_child call. A deeply nested JSON document drives doc->where past the 100-element where_path array, causing a subsequent memcpy to overflow an 800-byte stack buffer and trigger the stack canary (SIGABRT). No public exploit identified at time of analysis beyond the vendor-published PoC, and EPSS data was not supplied; the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-11576 HIGH This Week

Denial of service in Eclipse ThreadX NetX Duo HTTP server arises from a flawed remediation of CVE-2025-0728, where the refactored shared cleanup label invokes fx_file_close() on an uninitialized file handle whenever an error occurs before file open. Remote attackers can reach the vulnerable PUT path over the network without authentication, triggering undefined behavior, double-close conditions, or memory corruption that can crash the embedded HTTP service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Eclipse Threadx Netx Duo
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-50559 HIGH PATCH This Week

Authentication bypass in Quarkus Java framework allows remote unauthenticated attackers to circumvent HTTP path-based authorization policies by smuggling encoded semicolons (%3B) as matrix parameters or by using encoded slashes (%2F) and backslashes (%5C) to reach protected static resources. Affects all Quarkus versions prior to the 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 patch line. No public exploit identified at time of analysis, though the issue is a documented bypass of the prior CVE-2026-39852 fix.

Authentication Bypass Java Quarkus
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-48774 HIGH PATCH This Week

Improper input validation in ProxySQL versions 3.0.0 through 3.0.8 lets MCP callers bypass the GenAI `run_sql_readonly` tool's read-only contract by submitting multi-statement payloads such as `SELECT 1; RENAME TABLE x TO y`, which execute in full because the backend connection enables `CLIENT_MULTI_STATEMENTS`. An attacker reaching the `/mcp/query` endpoint can perform writes and administrative SQL up to the privileges of the configured MCP backend account. No public exploit identified at time of analysis, though the upstream advisory documents a successful live test against the endpoint.

PostgreSQL Information Disclosure Proxysql
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-55446 HIGH PATCH GHSA This Week

Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.

Python Microsoft Apple Mozilla Denial Of Service +2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55690 HIGH POC PATCH GHSA This Week

{{#ev:}} or {{#evl:}} parser functions. The unsanitized service name is reflected into an error message that is rendered as raw HTML, executing in the wiki origin for every visitor to the affected page. No public exploit identified at time of analysis beyond the advisory's own PoC, but working PoC code is published in the GitHub Security Advisory GHSA-c29q-5xm7-5p62.

PHP XSS
NVD GitHub
CVSS 3.1
7.5
CVE-2026-55091 HIGH PATCH GHSA This Week

Prototype pollution in the npm package flat-to-nested (versions <= 1.1.1) lets attackers who control input records pollute Object.prototype by supplying a record with parent set to the string '__proto__'. The convert() function uses plain objects as lookup tables and writes attacker-controlled data through the prototype chain via initPush(), affecting any application that feeds untrusted flat records (REST input, DB rows, user-supplied data) into the library. No CISA KEV listing and no public exploit identified at time of analysis beyond the proof-of-concept embedded in the GitHub Security Advisory.

Privilege Escalation Denial Of Service
NVD GitHub
CVSS 3.1
7.5
CVE-2026-9375 HIGH PATCH This Week

Denial-of-service in urllib3 2.6.3 allows a malicious HTTP server to exhaust client memory via a Brotli decompression bomb that bypasses the streaming API's max_length safeguard added in 2.6.0 (CVE-2025-66471). Any Python application using urllib3 or requests with preload_content=False to stream Brotli-encoded responses from untrusted origins is exposed. No public exploit identified at time of analysis, though an upstream commit and GHSA-mf9v-mfxr-j63j confirm the regression.

Denial Of Service Urllib3 Urllib3 Suse
NVD GitHub VulDB
CVSS 3.0
7.5
EPSS
0.3%
CVE-2026-48787 HIGH This Week

Authenticated remote code execution in gin-vue-admin 2.9.1 lets attackers with access to the code-generation and MCP management features inject arbitrary Go source via POST /autoCode/addFunc and trigger a rebuild/restart through POST /autoCode/mcpStart, yielding OS command execution as the application service account. No public exploit identified at time of analysis, and as of publication a patched version is not confirmed; the upstream GHSA-22cv-9jv2-6m62 advisory only documents allowlist-based workarounds.

Command Injection RCE Gin Vue Admin
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-49287 HIGH PATCH GHSA This Week

Integrity and availability loss in Statamic CMS versions prior to 5.73.23 and 6.20.0 allows remote attackers to destroy content and assets by manipulating sort parameters that flow into in-memory collection sorting. This is an incomplete-fix follow-up to CVE-2026-41175 (CWE-470, unsafe reflection / method invocation), where the original patch covered the query builder but not the in-memory sort path. No public exploit identified at time of analysis and not in CISA KEV; exploitation requires a non-default template configuration that pipes visitor input into a tag's sort parameter.

Information Disclosure Cms
NVD GitHub
CVSS 3.1
7.4
EPSS
0.3%
CVE-2026-54781 HIGH PATCH GHSA This Week

Authentication bypass in CoreWCF (SAML 1.1 federation) allows remote attackers to be authenticated as the subject of a signed SAML assertion without proving holder-of-key possession or without a standard SubjectConfirmation method being enforced. Affects CoreWCF.Primitives versions before 1.8.1 and 1.9.0 through 1.9.1 when services consume SAML 1.1 tokens via WS2007FederationHttpBinding, WSFederationHttpBinding, or custom IssuedSecurityTokenParameters bindings. No public exploit identified at time of analysis, but the bypass directly defeats per-method authorization policies that federated services rely on.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-54784 HIGH PATCH GHSA This Week

Authenticated principal impersonation in CoreWCF (versions >=1.9.0, <1.9.1) occurs because the SPNEGO SecurityContextToken proof key returned in the RequestSecurityTokenResponse (RSTR) is wrapped without confidentiality protection, allowing any on-path observer to recover it. An attacker who captures the unprotected handshake can impersonate the authenticated Windows principal for the SCT lifetime (~10 hours) and decrypt or forge subsequent WS-SecureConversation traffic. No public exploit identified at time of analysis, but the vendor-confirmed advisory (GHSA-2288-8h3r-cqgg) and CVSS 7.4 indicate a meaningful confidentiality/integrity exposure for affected .NET WCF replacement deployments.

Microsoft Information Disclosure
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-54774 HIGH PATCH GHSA This Week

SAML token signature bypass in CoreWCF (versions <1.8.1 and 1.9.0) allows remote attackers to forge authenticated SAML assertions when the service validates tokens via a non-X.509 signing method. The SamlSerializer silently skips the final SignatureValue verification step, enabling assertion tampering and authentication bypass against WS-Trust holder-of-key configurations using symmetric proof keys. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-rpj7-hr7h-w6p9) confirms the issue and patches are available.

Denial Of Service
NVD GitHub
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-54783 HIGH PATCH GHSA This Week

Authentication bypass via XML Signature Wrapping in CoreWCF allows attackers who capture a single signed SOAP envelope to replay arbitrary operations as the victim principal for the lifetime of the signing key. The flaw affects CoreWCF.Primitives versions below 1.8.1 and the 1.9.0 line below 1.9.1, defeating the DetectReplays mitigation because the attacker forges a fresh wsse:Security timestamp rather than reusing the original. No public exploit identified at time of analysis, but the vendor advisory (GHSA-gqv6-pwcg-87r8) provides sufficient technical detail to reproduce.

Information Disclosure
NVD GitHub
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-3195 HIGH PATCH This Week

Heap out-of-bounds write in QEMU's virtio-snd paravirtualized sound device allows a malicious guest to corrupt host memory by sending oversized audio input that the `virtio_snd_pcm_in_cb` callback fails to size-check against the iov buffer. The flaw represents an incomplete fix for CVE-2024-7730 and affects hypervisor hosts exposing virtio-snd to untrusted guests. No public exploit identified at time of analysis, but the high CIA impact (C:H/I:H/A:H) and guest-to-host boundary crossing make this a meaningful VM escape candidate.

Heap Overflow Buffer Overflow
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-55865 HIGH PATCH GHSA This Week

{% case %}` tag that has no `{% when %}`, `{% else %}`, or closing `{% endcase %}`. Because the loop occurs at parse time, any application that renders untrusted or user-supplied Liquid templates can be frozen with a payload as small as `{% case x %}`. It is a pure availability issue (CWE-835) with no confidentiality or integrity impact; not listed in CISA KEV and no evidence of active exploitation, though the trivial trigger is documented in the vendor advisory.

Python Denial Of Service
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.5%
CVE-2026-56211 HIGH This Week

Remote code execution in libaom (reference AV1 codec) is possible when services use the SVC encoder with attacker-supplied frames, allowing crafted pixel data to overlap encoder layer context structures and hijack the cyclic refresh map pointer. The flaw chains a heap out-of-bounds write (CWE-787) with a crash-oracle ASLR bypass to redirect control flow in fork-based video processing services. No public exploit identified at time of analysis, but the issue is tracked under Red Hat and Chromium security trackers and an upstream fix commit has landed in aomedia.

RCE Memory Corruption Buffer Overflow Oracle
NVD VulDB
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-54528 HIGH PATCH GHSA This Week

Authorization bypass in jupyterlab-git 0.53.0 and earlier allows authenticated JupyterLab users to read admin-excluded git directories on case-insensitive filesystems (macOS APFS, Windows NTFS) by altering the case of URL path segments. The `GitHandler.prepare()` check uses `fnmatch.fnmatchcase()`, which is unconditionally case-sensitive, while the underlying filesystem resolves case-varied paths to the same location. Publicly available exploit code exists (PoC published with the GHSA advisory), but no public exploit identified in active exploitation feeds.

Python Microsoft Apple Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-49344 HIGH PATCH This Week

Authorization bypass in Mercator information system mapping application prior to version 2025.05.19 allows any authenticated user - including the read-only Auditor role - to query arbitrary Eloquent models via the unprotected `/admin/queries/execute` endpoint. The flaw permits enumeration of the `User` model and even allows the supposedly `$hidden` `password` column to be probed via `LIKE` filter predicates, enabling blind extraction of password hashes. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q3r8-3h7c-96w3) confirms the issue and ships a fix.

Information Disclosure Mercator
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56209 HIGH This Week

Arbitrary address write in libaom, the reference AV1 video codec implementation, allows remote attackers to corrupt memory by supplying crafted pixel values to an encoder that has Scalable Video Coding (SVC) enabled, leading to denial of service or potential code execution. The flaw stems from a missing bounds check in the SVC layer ID control function that lets pixel data inject an attacker-controlled pointer into the cyclic refresh map, after which ~1,200 bytes are written deterministically to the chosen address. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Memory Corruption Buffer Overflow Denial Of Service
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-49339 HIGH POC PATCH GHSA This Week

Authenticated path traversal in gonic music streaming server allows any Subsonic user to read or delete other users' playlists and probe arbitrary host file paths by smuggling `..` segments into the playlist `id` parameter. The flaw bypasses the ownership check introduced in commit 6dd71e6, which derived `playlist.UserID` from the first path segment of the attacker-controlled ID without containing the resolved file path. No public exploit identified at time of analysis, but a proof-of-concept test case is embedded in the upstream patch.

Path Traversal Gonic
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-48140 HIGH This Week

Denial of service in NI grpc-device 2.17.0 and earlier allows an authenticated remote attacker to crash or destabilize the gRPC server by sending a crafted BeginSidebandStream message containing an out-of-range enum value. The unchecked cast triggers undefined behavior in the server process, with no public exploit identified at time of analysis. The flaw is reported by the vendor and tracked under GHSA-prfr-q8h3-mqxv.

Denial Of Service Grpc Device Instrumentstudio
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56210 HIGH This Week

Out-of-bounds heap read in libaom's SVC layer ID control function allows remote attackers to leak approximately 40,728 bytes of heap memory or crash AV1 encoder processes by supplying a spatial_layer_id value exceeding the configured number of scalable video coding layers. The flaw affects network-facing services that pass attacker-influenced SVC encoder parameters into the reference AV1 codec, enabling information disclosure or denial of service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-49346 HIGH PATCH This Week

Heap buffer overflow in libde265 prior to version 1.1.0 allows remote attackers to corrupt heap memory and likely achieve code execution by tricking a user into processing a crafted H.265 video stream. The flaw stems from a 32-bit signed integer overflow in plane allocation sizing that wraps to ~1 KB, after which fill_image() writes the true ~4 GB plane content into the undersized buffer. No public exploit identified at time of analysis, but the upstream commit (8a1b5cf) and GHSA-vv8h-932h-7r86 publicly document the exact overflow location.

Integer Overflow Buffer Overflow Libde265
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-49295 HIGH PATCH This Week

Out-of-bounds write in libde265 prior to version 1.0.20 allows remote attackers to corrupt memory by tricking a user into processing a maliciously crafted H.265 bitstream. The flaw resides in the short-term reference picture set handling and can lead to denial of service or potential code execution in any application that links libde265 for HEVC decoding. No public exploit identified at time of analysis, though the upstream patch and commit-level root-cause disclosure provide a clear roadmap for exploit development.

Memory Corruption Buffer Overflow Libde265
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-49338 HIGH POC PATCH GHSA This Week

Broken authorization in gonic music streaming server prior to version 0.21.0 allows any authenticated user to delete or read other users' playlists via the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view. Because playlist IDs are base64url-encoded paths containing a small integer user ID and a guessable filename, low-privileged users can enumerate IDs to wipe an administrator's curated playlists or exfiltrate the contents of any private playlist. No public exploit identified at time of analysis, and the issue is patched in commit 6dd71e6 included in version 0.21.0.

Authentication Bypass Gonic
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56079 HIGH PATCH This Week

Cross-tenant data exposure in Capgo before 12.128.2 lets an authenticated org-scoped read API key reach other tenants' PostgREST endpoints and pull HMAC webhook signing secrets plus delivery logs. Disclosed by VulnCheck with a vendor GitHub Security Advisory (GHSA-hj3h-v877-g5rx); no public exploit identified at time of analysis, and the secrets retrieved enable subsequent forgery of authentic-looking webhook events against victim organizations.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-4027 HIGH This Week

Unauthorized attachment file access in Flexera FlexNet Manager Suite 2025 R1 and R2 allows authenticated low-privileged users to retrieve attachment files belonging to other tenants or users due to insufficient access control enforcement. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list, but the CVSS 4.0 base score of 7.1 reflects meaningful confidentiality impact over the network with low privileges required. Organizations using FNMS for software asset management and license compliance should review the Flexera Community advisory and apply vendor guidance.

Authentication Bypass Flexnet Manager Suite
NVD VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-39999 HIGH This Week

Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication enforced by the jwt-auth plugin under certain configurations, granting unauthorized access to APIs that should require a valid JWT. The flaw stems from spoofable identity assertions (CWE-290) in the plugin's verification logic, and at time of analysis there is no public exploit identified, but the wide affected version range and gateway role make it operationally significant.

Authentication Bypass Apache Apache Apisix
NVD VulDB
CVSS 4.0
7.0
EPSS
0.4%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy