Skip to main content
CVE-2026-12417 CRITICAL POC Act Now

Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed.

Authentication Bypass PHP Privilege Escalation WordPress Signup Signin
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-12416 CRITICAL POC Act Now

Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv `pravel_invoice_change_password()` AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward.

RCE WordPress Invoice Generator
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-56121 CRITICAL POC PATCH Act Now

Remote code execution in Feast (the open-source ML feature store) before 0.63.0 lets remote attackers run OS commands as the feast service account by sending a crafted ApplyFeatureView gRPC request to the registry server. The registry base64-decodes the user_defined_function.body field of an OnDemandFeatureView and passes it to dill.loads() before any authorization check, so no credentials are required. A publicly available exploit code exists (reported by VulnCheck via huntr) and a vendor patch is available, though the flaw is not listed in CISA KEV.

Deserialization Python RCE Feast
NVD GitHub
CVSS 4.0
9.3
EPSS
0.8%
CVE-2026-54069 CRITICAL POC PATCH GHSA Act Now

Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chrome/Chromium browser extension obtain RoleAdministrator access to the local kernel HTTP server at 127.0.0.1:6806. Because the kernel unconditionally trusts all chrome-extension:// origins and desktop installs ship with an empty AccessAuthCode by default, a malicious or supply-chain-compromised extension can issue fully authenticated admin API calls with no further authentication, enabling data exfiltration, stored XSS injection, and configuration tampering. Publicly available exploit code exists; there is no public exploit identified as actively exploited.

XSS Google Siyuan
NVD GitHub
CVSS 4.0
9.2
EPSS
0.6%
CVE-2026-49851 HIGH POC PATCH GHSA This Week

Uncontrolled CPU consumption in Mistune, a Python Markdown parser, allows remote unauthenticated attackers to cause denial of service against any application that renders untrusted Markdown through versions prior to 3.3.0. The flaw lives in parse_link_text, which runs a regex search inside a loop and re-scans the remaining input each iteration, yielding roughly O(n²) behavior; a tiny payload of many consecutive '[' characters can pin a CPU core. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the trigger is trivial to construct and the GitHub Security Advisory documents the root cause precisely.

Python Denial Of Service Mistune
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56111 HIGH POC PATCH This Week

Out-of-bounds write in Marlin Firmware (3D printer firmware) through 2.1.2.7 lets attackers corrupt firmware memory through the M421 G-code mesh-bed-leveling handler, which fails to upper-bound the X/Y grid indices before writing a 32-bit float into the z_values array. Any actor able to feed G-code to a printer built with MESH_BED_LEVELING enabled can write an attacker-controlled value past the array, overwriting adjacent firmware state and causing denial of service or unpredictable machine behavior. Publicly available exploit code exists and the fix is committed (1f255d1), but there is no public exploit identified as actively exploited in the wild (not in CISA KEV).

Denial Of Service Buffer Overflow Marlin
NVD GitHub
CVSS 4.0
8.3
EPSS
0.5%
CVE-2026-54066 HIGH POC PATCH GHSA This Week

Arbitrary file disclosure in SiYuan personal knowledge management system before 3.7.0 lets an unauthenticated remote attacker read any file inside the workspace directory through its publish-mode HTTP endpoint (default port 6808). The flaw is an incomplete fix for CVE-2026-41894: the earlier patch sanitized the /export/ route but left the identical double-URL-encoding path traversal in the /assets/*path route, exposing conf/conf.json (AccessAuthCode SHA256 hash, API token, sync keys), the temp SQLite databases, and siyuan.log. Publicly available exploit code exists; no public active exploitation has been confirmed.

Path Traversal Siyuan
NVD GitHub
CVSS 3.1
7.5
EPSS
1.9%
CVE-2026-9710 HIGH POC PATCH This Week

Sensitive information disclosure in the premium Cornerstone page builder (bundled with the X theme) versions 3.0.0 through 7.8.7 allows any authenticated WordPress user to extract raw password hashes and other private user metadata. The CSS-preview request handler fails to enforce capability checks while exposing its required nonce on every wp-admin page, and publicly available exploit code exists per WPScan, though no active exploitation has been reported.

WordPress Information Disclosure Cornerstone
NVD WPScan VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-9709 HIGH POC PATCH This Week

Authenticated information disclosure in the premium Cornerstone page builder (bundled with the X WordPress theme) before version 7.8.9 allows any logged-in user to enumerate other users' metadata via an unprotected REST API route. Disclosed data includes roles, session token previews, and stored billing/shipping fields, enabling account targeting and potential session abuse. Publicly available exploit code exists per WPScan, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.

WordPress Information Disclosure Cornerstone
NVD WPScan VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-10735 HIGH POC PATCH This Week

Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.

Information Disclosure WordPress Smart Post Show Pro Real Testimonials Pro Product Slider For Woocommerce Pro
NVD WPScan VulDB GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-60474 HIGH POC This Week

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by supplying a crafted media file. The flaw is an out-of-bounds read of a language metadata string in gf_media_import (media_import.c), where three characters were read without verifying the string's length. Publicly available exploit code exists (sigdevel PoC), but it is not listed in CISA KEV and EPSS is low (0.19%, 8th percentile), indicating minimal observed real-world exploitation.

Buffer Overflow Denial Of Service Stack Overflow N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-60467 HIGH POC This Week

Denial of service in GPAC (libgpac/MP4Box) before 26.02.0 lets an attacker crash the application by feeding it a crafted media file that triggers a use-after-free in gf_filter_pid_inst_swap_delete_task within the filter-core PID handling code. Any pipeline or user that parses untrusted media through GPAC is affected, with publicly available proof-of-concept code, though no active exploitation has been reported and EPSS exploitation probability is low (0.17%, 6th percentile). Impact is limited to availability - there is no confidentiality or integrity loss per the CVSS vector.

Memory Corruption Denial Of Service Use After Free N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-10749 HIGH POC PATCH This Week

PHP Object Injection in the Post Duplicator WordPress plugin before 3.0.15 lets authenticated users with Contributor-level access or higher inject arbitrary serialized PHP objects by abusing the plugin's post-duplication routine, which copies attacker-controlled custom meta-data without the WordPress meta API's double-serialization safeguard. Successful exploitation can lead to property-oriented programming attacks and, with a suitable gadget chain present, full compromise of the site. Publicly available exploit code exists (WPScan), though the flaw is not listed in CISA KEV and carries a low EPSS score (0.15%, 5th percentile).

WordPress Code Injection PHP Post Duplicator
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1840 HIGH PATCH CISA Act Now

Missing authentication in the Aclara Metrum Cellular Web Interface (a Hubbell/Aclara cellular communications module used in utility smart-grid metering) lets remote attackers reach critical system functions without any credentials. Per the CVSS:4.0 vector (PR:N/UI:N) an unauthenticated network attacker can read and modify operational configuration and force device restarts, and repeated restarts can sever device communications - a pure availability impact (VA:H, no confidentiality or integrity loss). There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Aclara Metrum Cellular Web Interface
NVD GitHub
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-12485 CRITICAL Act Now

Stack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers to corrupt memory via the DVRSearch service on UDP port 10001. The vulnerable code path uses memcpy with an attacker-influenced length derived from a stored IP address into a fixed-size stack buffer, yielding potential remote code execution at CVSS 10.0 with scope change. No public exploit identified at time of analysis, though Talos has published a vulnerability report (TALOS-2026-2377).

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-12848 CRITICAL Act Now

Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on the same network to corrupt memory in the DVRSearch service (UDP/10001) by sending a crafted message that triggers an unbounded memcpy of the device's configured DNS address into a fixed-size stack buffer. The flaw is rated CVSS 10.0 with scope change and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation can fully compromise the embedded controller used for relay/I/O automation.

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD VulDB
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-12847 CRITICAL Act Now

Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to corrupt memory by sending a crafted UDP datagram to port 10001. The flaw stems from an unchecked memcpy of the device's configured gateway field into a fixed-offset reply buffer, enabling code execution on the embedded device with no public exploit identified at time of analysis.

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-12846 CRITICAL Act Now

Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size stack buffer by sending a crafted UDP packet to the DVRSearch service on port 10001. The flaw, tracked as CWE-121 with a maximum CVSS 10.0 score and scope change, can be triggered by any host able to reach the device on the network, with no public exploit identified at time of analysis.

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-12537 CRITICAL PATCH Act Now

Pre-sandbox host-level code execution in Google Gemini CLI (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (prior to 0.1.22) allows an unprivileged attacker to run arbitrary commands on CI/CD runner hosts by planting a malicious .gemini/.env file in an untrusted workspace. In headless mode the tool automatically trusted workspace folders and loaded their environment variables before sandboxing, so a workflow that processes attacker-controlled content (for example reviewing a submitted pull request) would execute attacker-supplied commands on the host. No public exploit has been identified at time of analysis, but Google rates this CVSS 4.0 10.0 and a vendor advisory (GHSA-wpqr-6v78-jr5g) with fixed releases is available.

Command Injection RCE Google Gemini Cli Run Gemini Cli Github Action
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-50551 CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in SiYuan's Attribute View (database) asset cell renderer escalates to remote code execution on the Electron desktop client for all versions prior to 3.7.0. An attacker who can persist crafted content into a database asset cell has malicious JavaScript executed in the privileged Electron context, breaking out to the host operating system; the issue carries a 9.9 CVSS and is fixed in 3.7.0. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS RCE Siyuan
NVD GitHub
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-55454 CRITICAL PATCH Act Now

Reverse-proxy takeover in Appsmith versions prior to 2.1 lets an authenticated low-privileged user abuse server-side request forgery to reach the bundled Caddy admin API, which ships with no authentication and listens on 0.0.0.0:2019 inside the container. By forcing the Appsmith server to issue a POST /load to that internal endpoint, the attacker rewrites the live Caddy configuration and seizes control of the reverse proxy that fronts the application. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-confirmed CWE-749 exposure carries a 9.9 CVSS rating.

SSRF Docker Appsmith
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-54067 CRITICAL POC PATCH GHSA Act Now

Stored cross-site scripting in SiYuan personal knowledge management before 3.7.0 lets an attacker with write access to a synced workspace plant a CSS snippet whose '</style>' sequence breaks out of the surrounding <style> tag when renderSnippet() interpolates it via insertAdjacentHTML, running arbitrary JavaScript in the renderer. On Electron desktop builds the renderer runs with nodeIntegration:true, so the injected handler can reach require('child_process') and escalate the XSS to full host remote code execution. The payload syncs through the workspace repository and fires automatically on every device that pulls, and it bypasses the user's enabledJS=off setting; no public exploit or CISA KEV listing is identified at time of analysis.

XSS Siyuan
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-54158 CRITICAL POC PATCH GHSA Act Now

Stored cross-site scripting in SiYuan's attribute-view (database) cell renderer, affecting all versions prior to 3.7.0, lets a low-privileged attacker with write access to a synced workspace plant a persistent payload that runs arbitrary JavaScript when a victim opens the block-attribute panel. The genAVValueHTML function interpolates cell content raw in its text, url, phone, and mAsset branches and the Go kernel never escapes the value on input, so the malicious row survives sync byte-for-byte and fires on every device that renders it; on the Electron desktop client (nodeIntegration:true) the XSS escalates to host remote code execution via require('child_process'). CVSS is rated 9.9; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Siyuan
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-11856 CRITICAL PATCH Act Now

Cross-origin credential leakage in libcurl (curl 7.10.6 through 8.20.0) causes the HTTP Digest 'Authorization:' header computed for one origin (hostA) to be wrongly reused on a subsequent transfer to a different origin (hostB) when an application reuses the same easy handle. This exposes Digest authentication credentials to an unintended, potentially attacker-controlled host, and is tracked as an Information Disclosure issue (EUVD-2026-41501). No public exploit identified at time of analysis; EPSS is low at 0.25% (16th percentile) and it is not in CISA KEV, so this is a latent credential-exposure bug rather than a demonstrated mass-exploitation threat.

Information Disclosure Curl Red Hat
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-9079 CRITICAL PATCH Act Now

Proxy-credential leakage in libcurl (curl 8.8.0 through 8.20.0) occurs because a request to clear previously set proxy authentication credentials is silently ignored, so the stale username/password remain attached to the reused easy handle and are sent on later transfers that were never meant to use them. This is an information-disclosure defect (tagged Information Disclosure, EUVD-2026-41510) affecting applications that reuse libcurl handles across multiple proxied requests. No public exploit identified at time of analysis and EPSS is low (0.25%, 16th percentile), consistent with a coding/logic flaw rather than a directly weaponizable remote bug.

Information Disclosure Curl
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-8925 CRITICAL PATCH Act Now

Memory-safety defect (double-free) in curl's SASL authentication path affects versions 8.15.0 through 8.20.0 when built with GSASL support: the GSASL context is cleaned up twice without the intervening pointer being cleared, causing the same allocation to be free()'d twice. A malicious or malfunctioning mail/auth server exercising the SASL handshake could trigger the condition, potentially corrupting heap memory and at minimum crashing the client. No public exploit identified at time of analysis, and the EPSS score is low (0.25%, 16th percentile) despite the headline CVSS of 9.8.

Information Disclosure Curl
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-10536 CRITICAL PATCH Act Now

Use-after-free in libcurl's HTTP/2 stream-dependency handling affects a wide range of curl releases (7.88.0 through 8.20.0) when an application sets CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, then calls curl_easy_reset() before curl_easy_cleanup(); the reset frees an internal priority structure that cleanup later re-accesses. Despite the NVD 9.8 CVSS rating, the flaw is only reachable through a specific application-controlled API call sequence rather than remote attacker input, and is tagged Information Disclosure. No public exploit identified at time of analysis, EPSS is low (0.21%, 11th percentile), and it is not listed in CISA KEV.

Information Disclosure Memory Corruption Use After Free Curl Red Hat
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53006 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's IPv6 ICMPv6 receive path (icmpv6_rcv()) allows stale pointers to freed socket buffer memory to be dereferenced after a pskb_pull() call relocates skb->head. The affected code cached the source and destination addresses (saddr/daddr) before the pull, and these stale references were only consumed by net_dbg_ratelimited() in the slow path, limiting practical impact. The flaw is fixed upstream across all maintained stable trees; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52986 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's netfilter SIP connection-tracking helper (nf_conntrack_sip) stems from parsing port numbers in non-NUL-terminated socket-buffer data with simple_strtoul() and dereferencing pointers after sip_parse_addr() without bounds checks. Remote attackers sending crafted SIP messages through a host where the SIP conntrack/NAT helper is active could read past the packet buffer, risking information disclosure or instability (tagged Information Disclosure). Despite a CVSS of 9.8, EPSS is only 0.18% (8th percentile) and no public exploit is identified at time of analysis; a vendor fix is available across multiple stable trees.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52982 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel rtl8150 USB-to-Ethernet driver (drivers/net/usb/rtl8150.c) lets the transmit path read freed socket-buffer memory: rtl8150_start_xmit() reads skb->len for TX byte accounting after usb_submit_urb(), but the URB completion handler write_bulk_callback() can free the skb on another CPU first, producing a slab-use-after-free read flagged by KASAN/syzbot. Affected systems are those using an RTL8150-based USB Ethernet adapter; the practical impact is a stale/garbage stat read or a potential crash from freed-memory access rather than reliable info disclosure. There is no public exploit identified at time of analysis (not in CISA KEV, EPSS 0.18%/8th percentile), and the issue was found and fixed via upstream syzbot fuzzing.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52955 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. Despite a 9.8 CVSS, there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); the realistic attack surface is limited to hosts mounting/connecting to attacker-controlled Ceph (RBD/CephFS) infrastructure.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53046 CRITICAL PATCH Act Now

Denial-of-service (NULL-pointer dereference / use-after-free) in the Linux kernel's in-kernel SMB3 server (ksmbd) affects systems that offload SMB3 message encryption to asynchronous hardware crypto engines such as the Qualcomm Crypto Engine (QCE). ksmbd_crypt_message() installs a NULL completion callback and misinterprets the -EINPROGRESS return from async AEAD requests as a fatal error, freeing the request while the hardware DMA is still running so the later qce_skcipher_done() callback dereferences freed memory and crashes the kernel. There is no public exploit identified at time of analysis, it is not in CISA KEV, and EPSS is low (0.18%, 8th percentile), consistent with the narrow hardware/configuration prerequisites despite the NVD CVSS of 9.8.

Linux Denial Of Service Qualcomm
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52914 CRITICAL PATCH Act Now

Denial of service in the Linux kernel's batman-adv mesh networking module arises from faulty length accounting during fragment reassembly, where the accumulated payload length can be truncated during updates, letting malformed fragment chains bypass validation and drive reassembly with inconsistent length state. The flaw affects systems running the B.A.T.M.A.N. Advanced (batman-adv) module across many stable kernel series and results in a local denial of service per the upstream description. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and the NVD CVSS of 9.8 conflicts with the upstream 'local denial of service' characterization.

Linux Denial Of Service Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53045 CRITICAL PATCH Act Now

Incorrect DLL-enable logic in the Linux kernel's Tegra124 External Memory Controller (EMC) driver (drivers/memory/tegra/tegra124-emc) caused a reversed check of the EMRS register's A0 bit, which determines whether the memory DLL is enabled (DLL is on when A0 is low). On affected NVIDIA Tegra124 SoC platforms this could mis-program DRAM timing during frequency scaling, leading to memory instability rather than a remotely triggerable compromise. The fix has been backported across stable trees; no public exploit identified at time of analysis, and EPSS is very low (0.18%, 7th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53002 CRITICAL PATCH Act Now

Stack out-of-bounds write in the Linux kernel's netfilter connection-tracking SIP application-layer gateway (ALG) allows remote attackers to corrupt kernel stack memory by sending crafted SIP/SDP traffic through a NAT device. The flaw lives in mangle_content_len(), reached via nf_nat_sdp_session → process_sdp when rewriting the SDP Content-Length during SIP INVITE handling, where an unbounded sprintf() overflowed an undersized stack buffer (caught by KASAN). There is no public exploit identified at time of analysis and EPSS is low (0.18%), so despite the NVD 9.8 rating the practical risk is gated by whether the SIP conntrack/NAT helper is in use.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52993 CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's TIPC (Transparent Inter-Process Communication) protocol stack allows remote attackers to trigger a double-free in tipc_buf_append() during message reassembly, where tipc_msg_validate() may reallocate and free the working skb while the error path frees a now-stale pointer. Affected systems are those running a vulnerable kernel (introduced around 4.15-era code, present across 5.10-7.0 branches) with the TIPC subsystem in use; successful exploitation can crash the kernel and, depending on heap conditions, potentially lead to privilege escalation. There is no public exploit identified at time of analysis, EPSS risk is low (0.18%, 7th percentile), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53049 CRITICAL PATCH Act Now

Concurrency-induced data corruption in the Linux kernel GFS2 cluster filesystem occurs because gfs2_logd() invokes the log-flushing helpers gfs2_ail1_start(), gfs2_ail1_wait(), and gfs2_ail1_empty() without holding sdp->sd_log_flush_lock, allowing these routines to race with concurrent journal transactions that the lock is meant to serialize. The defect affects systems mounting GFS2 volumes and is fixed by adding a non-locking __gfs2_log_flush() helper and acquiring sd_log_flush_lock in gfs2_logd before flushing. No public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), consistent with a local filesystem race rather than a remotely weaponizable flaw despite the input's 9.8 score.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52989 CRITICAL PATCH Act Now

Memory-safety flaw in the Linux kernel's NVMe-over-TCP target driver (nvmet-tcp) lets a connected initiator drive the kernel into reading received network data through an uninitialized iov_iter. Because nvmet_tcp_build_pdu_iovec() reported out-of-bounds PDU length/offset only via a fatal-error side effect while returning void, callers such as nvmet_tcp_handle_h2c_data_pdu() continued and advanced the receive state machine over an uninitialized cmd->recv_msg.msg_iter, leading to memory corruption or denial of service. NVD rates this 9.8 (CVSS:3.1 AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53055 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's HiSilicon SEC2 crypto accelerator driver (crypto/hisilicon/sec2) allows local memory corruption when, under heavy load, the hardware completes and frees a request (req) before the software transmission path finishes referencing it. The fix replaces the freed req with the longer-lived qp_ctx pointer. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%); despite an NVD-style CVSS of 9.8, this is a local hardware-specific race rather than a remote, network-reachable flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53010 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's ksmbd in-kernel SMB3 server occurs during durable handle reconnect, where smb2_open prematurely drops the durable file reference via ksmbd_put_durable_fd(fp); a subsequent error path or scavenger access then dereferences freed fp fields (e.g., fp->create_time). Affecting Linux ksmbd across multiple stable branches and fixed in releases such as 6.6.32, 6.18.33, 7.0.10, and 7.1, the flaw is rated CVSS 9.8 but carries a low EPSS of 0.17% (6th percentile); it is not in CISA KEV and no public exploit identified at time of analysis. An attacker with SMB access can trigger memory corruption potentially leading to information disclosure, denial of service, or code execution in kernel context.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52931 CRITICAL PATCH Act Now

Use of uninitialized sender variables in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module allows a malicious mesh peer to trigger undefined behavior on a node acting as a tp_meter receiver. When such a node receives a crafted ACK packet, batadv_tp_recv_ack() and batadv_tp_stop() execute sender-only code paths that read tp_vars members never initialized for the receiver role, potentially leaking memory contents or crashing the kernel. No public exploit identified at time of analysis; EPSS probability is low (0.17%, 6th percentile) and the issue is not in CISA KEV, but a vendor patch is available across multiple stable trees.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52924 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel SCTP stack (net/sctp) allows a remote peer to crash the kernel by forcing an association to roll back from COOKIE_ECHOED to COOKIE_WAIT via a Stale Cookie ERROR. When sctp_stream_update() rebuilds the stream table during this rollback it leaves the scheduler's cached stream->out_curr pointer referencing freed memory, so the next scheduler dequeue (FCFS/RR/PRIO) dereferences a dangling sctp_stream_out entry. The flaw is tagged as Denial of Service, carries an NVD CVSS of 9.8, but has a low EPSS of 0.17% (6th percentile); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53088 CRITICAL PATCH Act Now

Memory mishandling in the Linux kernel's Broadcom GENET (bcmgenet) Ethernet driver stems from an off-by-one error in bcmgenet_put_txcb(), where the function returned the wrong transmit control block (tx_cb) because the write pointer was rewound after reading instead of before, causing incorrect cleanup of TX descriptors. The flaw affects systems using Broadcom GENET network controllers (notably Raspberry Pi 4/5 and various Broadcom SoCs) running affected kernels prior to the stable fixes. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.16% (6th percentile); despite the NVD CVSS 9.8 rating, the realistic impact is local denial-of-service or limited information disclosure rather than remote unauthenticated code execution.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53086 CRITICAL PATCH Act Now

Denial of service in the Linux kernel's Broadcom GENET (bcmgenet) Ethernet driver arises because the bcmgenet_timeout handler tears down all transmit queues when only a single queue times out, racing against queues still actively transmitting. The flaw affects systems using Broadcom GENET NICs (e.g. Raspberry Pi 4/CM4 and Broadcom set-top-box SoCs) and can lead to kernel instability or a crash under TX timeout conditions. There is no public exploit identified at time of analysis, EPSS is low (0.16%), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53943 CRITICAL PATCH GHSA Act Now

Web cache poisoning in the Ghost Node.js CMS before 6.37.0 lets an unauthenticated attacker inject an x-ghost-preview header that alters the rendered frontend response, which a shared caching layer then stores and serves to other visitors of the same page. When Ghost's public frontend and admin panel share a single domain, this request-specific preview output can be weaponized to hijack staff accounts; separate-domain deployments are not exposed. No public exploit is identified at time of analysis, and the issue carries a vendor CVSS of 9.6.

Node.js Information Disclosure Ghost
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13032 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics subsystem, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Rated Critical by Chromium with a CVSS 9.6 reflecting scope change and total compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though Google has shipped a fix.

Memory Corruption Denial Of Service Use After Free Google Red Hat
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13028 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics component, letting a remote attacker who lures a victim to a crafted HTML page break out of the renderer sandbox. Rated Critical by Chromium and carrying a CVSS 9.6 with scope change, the flaw threatens full compromise of the browser process boundary on affected Android devices. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none.

Memory Corruption Denial Of Service Use After Free Google
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2025-60468 MEDIUM POC This Month

Heap use-after-free in GPAC MP4Box 2.5-DEV-rev1593-gfe88c3545-master crashes the application when a local authenticated user processes a specially crafted MPEG-2 TS or MP4 file. The defect resides in `gf_filter_pid_inst_swap_delete_task()` within `filter_core/filter_pid.c`, where PID instance cleanup dereferences already-freed objects during a swap/delete operation, causing a heap corruption and denial of service. No public exploit has triggered active exploitation per CISA KEV, but a proof-of-concept is publicly available; EPSS sits at 0.18% (7th percentile), consistent with limited real-world targeting.

Heap Overflow Denial Of Service Buffer Overflow N A
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-60471 MEDIUM POC This Month

Use-after-free in GPAC MP4Box before version 26.02.0 allows a local attacker to crash the application by supplying a crafted media file, resulting in Denial of Service. The flaw resides in the filter PID lifecycle management within filter_pid.c, where a PID instance could be freed prematurely while a pending reconfiguration task still held a reference to it. Publicly available exploit code exists, though the attack requires user interaction to process the malicious file and exploitation is limited to DoS with no confidentiality or integrity impact.

Memory Corruption Denial Of Service Use After Free N A
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-12850 CRITICAL Act Now

OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary shell commands via unsanitized gateway address input passed to system() inside libNetSetObj.so. The flaw is reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint, granting full device compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Command Injection Gv I O Box 4E
NVD VulDB
CVSS 3.1
9.1
EPSS
1.7%
Page 1 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy