Skip to main content
CVE-2026-12486 CRITICAL Act Now

OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute arbitrary shell commands by sending crafted network packets to the libNetSetObj.so library via the DVRSearch service or Network.cgi endpoint. The flaw stems from unsanitized attacker-controlled IP address input passed directly to system() in CNetSetObj::m_F_n_Set_IP_Addr. No public exploit identified at time of analysis, though Talos Intelligence disclosed the issue with technical detail (TALOS-2026-2379).

Command Injection Gv I O Box 4E
NVD VulDB
CVSS 3.1
9.1
EPSS
1.7%
CVE-2026-12851 CRITICAL Act Now

Remote OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers with high privileges to execute arbitrary shell commands by sending crafted network packets to the DVRSearch service or Network.cgi endpoint. The flaw lives in libNetSetObj.so where DNS configuration values are concatenated into a shell command string and passed to system() without sanitization. No public exploit identified at time of analysis, but the vendor advisory and a Talos vulnerability report are published.

Command Injection Gv I O Box 4E
NVD VulDB
CVSS 3.1
9.1
EPSS
1.7%
CVE-2026-12849 CRITICAL Act Now

OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network services to execute arbitrary shell commands via unsanitised netmask input passed to system() inside libNetSetObj.so. The flawed CNetSetObj::m_F_n_Set_Net_Mask routine is reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint, yielding code execution in the context of the configuration daemon. No public exploit identified at time of analysis, but the Talos report provides full reverse-engineered detail that materially lowers the barrier to weaponisation.

Command Injection Gv I O Box 4E
NVD VulDB
CVSS 3.1
9.1
EPSS
1.7%
CVE-2026-10531 MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the AI Share & Summarize WordPress plugin (all versions before 2.0.4) allows any user holding a Contributor role or above to inject persistent malicious JavaScript via unsanitized shortcode attributes rendered on pages. When a higher-privileged user such as an Administrator subsequently views the affected page, the payload executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. A publicly available proof-of-concept exploit exists per WPScan, and a vendor-released patch is available in version 2.0.4.

WordPress XSS Ai Share Summarize
NVD WPScan VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-55666 CRITICAL PATCH Act Now

Authentication bypass leading to account takeover in Rocket.Chat affects the Apple Sign-In OAuth flow prior to versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. The handleIdentityToken function in the Apple login handler falls back to trusting an attacker-supplied email value when the Apple-issued JWT omits an email claim, so a remote unauthenticated attacker can forge an email-less Apple JWT and log in as any victim by their email address. No public exploit is identified at time of analysis, but the CVSS 4.0 base score of 9.3 (critical) and trivial exploitation conditions make this a high priority for any instance with Apple login enabled.

Authentication Bypass Apple Rocket Chat
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-33543 CRITICAL PATCH Act Now

Authentication bypass in FOSSBilling 0.7.2 and earlier lets remote unauthenticated attackers create a fully privileged administrator account through the guest bootstrap endpoint /api/guest/staff/create, which fails to lock after the first admin exists. Because the account can immediately authenticate, this yields complete takeover of the billing and client-management platform. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial network-based exploitation (CVSS 4.0 9.3) makes it a serious exposure for any internet-facing instance.

Authentication Bypass
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-46423 CRITICAL PATCH Act Now

Authentication bypass in Rocket.Chat's SAML service provider lets attackers log in as arbitrary users when SAML is enabled but the IdP certificate field is left at its empty shipped default, which causes signature validation to be silently skipped. All versions prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 are affected, and the CVSS 4.0 base score is 9.3 (Critical). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the fail-open behavior is reachable in a near-default configuration, making it a high-priority fix.

Jwt Attack Denial Of Service
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-56237 CRITICAL PATCH Act Now

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tampering with a client-side parameter in the key generation request, because the backend never validates that keys are server-generated or bound to the authenticated user. The forged keys grant access to protected endpoints, yielding full confidentiality and integrity compromise of tenant data. No public exploit identified at time of analysis, but the flaw is trivially reproducible from any HTTP client.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-56223 CRITICAL PATCH Act Now

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a malicious IdP to forge SAML assertions and merge arbitrary victim accounts based solely on email match. The provision-user endpoint fails to validate that the asserting SSO provider is authorized for the victim's email domain, granting full takeover of accounts, organizations, and data. No public exploit identified at time of analysis; CVSS 4.0 base is 9.3 (Critical) reflecting high impact across both vulnerable and subsequent systems.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-45689 CRITICAL PATCH Act Now

{"$ne": null} for client_id, client_secret, and refresh_token returns a live token bound to whatever user Mongo matches first; iterating with $nin/$regex walks the entire token collection. No public exploit identified at time of analysis, but exploitation is trivial and capturing an admin token yields full /api/v1/* control and Apps-Engine app installation (server-side code execution). Fixed in the 8.5.0/8.4.1/8.3.3/8.2.3/8.1.4/8.0.5/7.13.7/7.10.11 release line.

Nosql Injection RCE
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-45688 CRITICAL PATCH Act Now

{"$gt": ""} matches the first unexpired credential-token document, yielding a full Meteor auth token bound to a legitimate victim - and full instance compromise if that victim is an administrator. No public exploit identified at time of analysis, but the CVSS 9.1 rating and trivial exploitability make this a high-priority patch.

Authentication Bypass Nosql Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-8927 CRITICAL PATCH Act Now

Proxy credential leakage in libcurl (curl) occurs when a single reused easy handle drives sequential transfers through different environment-variable-configured proxies: after Digest-authenticating to proxyA, libcurl fails to reset the proxy authentication state, so the `Proxy-Authorization:` header meant for proxyA is resent to proxyB. Any application relying on handle reuse with env-var proxy settings and multiple upstream proxies can disclose proxyA's credentials to an unauthorized proxy operator. EPSS is low (0.25%, 16th percentile), it is not on CISA KEV, and no public exploit identified at time of analysis - this is a credential-confidentiality issue rather than a code-execution flaw.

Information Disclosure Curl
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-8924 CRITICAL PATCH Act Now

Cross-domain cookie injection in curl (versions 7.46.0 through 8.20.0) lets a malicious or compromised HTTP server set 'super cookies' that bypass the Public Suffix List (PSL) safeguard, causing curl to scope attacker-supplied cookies to unrelated third-party domains and transmit them on later requests. Rated CVSS 9.1 and tagged as an authentication bypass, the flaw undermines cookie origin isolation, but EPSS is low at 0.22% (12th percentile), there is no CISA KEV listing, and no public exploit was identified at time of analysis. A patched release is available from the curl project.

Authentication Bypass Curl
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-11564 CRITICAL PATCH Act Now

TLS certificate-trust confusion in libcurl (curl 8.17.0 through 8.20.0) lets a reused pooled connection retain trust in the native platform CA store even after the application reconfigures the same easy handle to use custom CA material for a later transfer. An attacker positioned to intercept traffic could present a certificate valid under the native store - which the application intended to no longer trust - to silently intercept or spoof the connection. Rated CVSS 9.1, but EPSS is only 0.20% (9th percentile) and there is no public exploit identified at time of analysis, reflecting the narrow application-usage prerequisite rather than a broadly weaponizable flaw.

Information Disclosure Curl Red Hat
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-8926 CRITICAL PATCH Act Now

Credential disclosure in curl 8.11.1 through 8.20.0 (and earlier) lets curl silently substitute the wrong password when .netrc lookup is combined with a URL that carries a username but no password, such as https://user@example.com/. When no matching entry exists for the specified user, curl falls back to a different user's password stored for that same host and transmits it during authentication, potentially leaking one user's secret to a server or to an unintended account. Publicly available exploit-flow details exist via the originating HackerOne report; EPSS is low (0.20%, 9th percentile) and it is not in CISA KEV.

Information Disclosure Curl
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-52958 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph client (osdmap_decode) lets a malicious or compromised Ceph monitor/OSD send a corrupted OSD map whose max_osd field exceeds the actual message length, reading past the allocated buffer. The flaw affects kernels using the in-kernel Ceph client (RBD/CephFS) and is fixed across multiple stable branches. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), consistent with a memory-safety bug requiring a hostile Ceph endpoint rather than broad internet exposure.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53043 CRITICAL PATCH Act Now

Out-of-bounds memory read in the Linux kernel's OCFS2 distributed lock manager (dlm_match_regions) lets a remote host send a crafted DLM_QUERY_REGION message whose attacker-controlled qr_numregions field (up to 255) drives loops past the fixed 1024-byte/32-entry qr_regions buffer. Because the o2net transport only checks message byte length and not field values, this enables disclosure of adjacent kernel memory and likely node crashes. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 7th percentile); the issue is fixed across multiple stable kernel branches.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-52999 CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's netfilter nfnetlink_osf (passive OS fingerprinting) module occurs when the shared nf_osf_hdr_ctx->optp pointer is not reset after a fingerprint fully matches during TCP option parsing. Affecting systems that use the osf match with NF_OSF_LOGLEVEL_ALL enabled, the flaw causes subsequent fingerprint checks to parse beyond the end of the TCP options buffer, reading garbage data and producing incorrect or missing match logs. Although carrying a 9.1 CVSS, this is a functional/correctness bug in a niche feature; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-55570 CRITICAL PATCH Act Now

Stored cross-site scripting leading to OS command execution in SiYuan, an open-source personal knowledge management system, affects all desktop client versions prior to 3.7.0. Untrusted marketplace package metadata (name, version, author, description) is serialized via JSON.stringify() into a single-quoted data-obj HTML attribute without escaping single quotes or angle brackets, so a package name containing a single quote breaks out of the attribute and injects arbitrary HTML; because the Electron BrowserWindow runs with nodeIntegration:true and contextIsolation:false, the DOM XSS escalates to arbitrary command execution on the host. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-x88j-wgpr-h22x) notes this is the same root cause and impact as a prior advisory, reached through a sibling sink the earlier patch missed.

Command Injection XSS Siyuan
NVD GitHub
CVSS 3.1
9.0
EPSS
0.3%
CVE-2026-9773 HIGH This Week

Remote authenticated command injection in Unraid's web management server allows attackers to execute arbitrary OS commands as the www-data user by abusing unsanitized input in ToggleState.php. Any user with low-privilege authenticated web access can chain this CWE-78 flaw into full code execution on the underlying NAS host. Discovered and reported through ZDI (ZDI-CAN-30134 / ZDI-26-386); no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection RCE PHP Unraid
NVD
CVSS 3.0
8.8
EPSS
1.1%
CVE-2026-9772 HIGH This Week

Authenticated remote code execution in Unraid stems from OS command injection in the web server's FileUpload.php, where a user-supplied string is passed to a system call without validation, letting any logged-in attacker run arbitrary commands as the www-data user. Tracked as ZDI-CAN-30116 and disclosed via the Zero Day Initiative, it carries a CVSS 8.8 rating; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Command Injection RCE PHP Unraid
NVD
CVSS 3.0
8.8
EPSS
1.1%
CVE-2026-48732 HIGH PATCH This Week

Command injection in Warp's legacy SSH background command path lets an attacker-controlled remote host inject shell syntax that runs as the victim's authenticated SSH account. Affecting Warp from 0.2023.03.21.08.02.stable_00 up to (but not including) 0.2026.05.06.15.42.stable_01, the flaw stems from the terminal trusting the remote working directory, repository, or directory name reported by an SSH session when assembling helper commands for metadata collection. No public exploit identified at time of analysis, though the fix commit ships regression tests that demonstrate the breakout; not listed in CISA KEV and no EPSS provided.

Command Injection Warp
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2026-8663 HIGH PATCH This Week

OS command injection in the Rapid7 InsightConnect RPM Plugin on Linux lets authenticated users run arbitrary operating-system commands by injecting shell metacharacters into the repo, key, or name parameters, which are concatenated into a shell command without sanitization (CWE-78). All versions before 1.0.2 are affected. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.73%, 50th percentile).

Command Injection Insightconnect Rpm Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-50189 HIGH PATCH This Week

Authenticated command execution in Appsmith versions prior to 2.1 lets any administrator run arbitrary OS commands inside the application's Docker container. The bundled supervisord exposes an XML-RPC management interface on port 9001, which Appsmith's Caddy reverse proxy publishes externally at /supervisor/* on the public ingress; combined with the supervisord password being readable through GET /api/v1/admin/env, an admin can authenticate to supervisord and abuse twiddler.addProgramToGroup to spawn programs that execute shell commands. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV. Fixed in 2.1.

Information Disclosure Docker Appsmith
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-12681 HIGH This Week

Trusted measurement-list poisoning in Google go-attestation through 0.6.0 lets a remote actor who controls a TPM event log fed to an attestation verifier inject arbitrary SHA256 hashes into the verifier's trusted hash database. Because parseEfiSignatureList() never advances past the EFI_SIGNATURE_LIST SignatureHeaderSize vendor bytes, those attacker-chosen bytes are accepted as legitimate hash entries, allowing a compromised boot state to be attested as healthy. No public exploit identified at time of analysis, but the fix is upstream in v0.6.1 and the root cause is documented in GHSA-9r4w-jg96-92mv.

Google Code Injection Go Attestation
NVD GitHub
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-7761 HIGH This Week

Account takeover in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) allows Contributor-level authenticated users to harvest live password reset links for any account, including administrators, by chaining three logic bugs in the member directory subsystem. The flaw enables full site compromise because reset URLs can be used to set new administrator passwords. No public exploit identified at time of analysis, though Wordfence has published detailed technical write-ups that significantly lower the bar for weaponization.

Authentication Bypass WordPress Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-4297 HIGH This Week

Privilege escalation in the Welcome Software Publishing WordPress plugin (versions ≤ 0.0.31) allows any authenticated user with Subscriber-level access or above to update arbitrary WordPress options via the nc.setOption XML-RPC method. By modifying the default_role option to 'administrator' and registering a new account, attackers achieve full site takeover. No public exploit identified at time of analysis, but the attack pattern is trivial and well-documented for similar WordPress XML-RPC missing-capability flaws.

Authentication Bypass Privilege Escalation WordPress Welcome Software Publishing
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-13164 HIGH PATCH This Week

Unauthenticated account self-registration in MailerUp before 1.0.1 lets any remote attacker POST to /api/auth/register/ and obtain a working account, even on instances where operators intended registration to be closed, because the RegisterView is wired with Django REST Framework's AllowAny permission and enforces no email verification, CAPTCHA, or admin approval. Once registered, the attacker can read every email stored by the instance, yielding full disclosure of all stored messages. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch (1.0.1) removes the public registration endpoint entirely.

Authentication Bypass Mailerup
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-57301 HIGH This Week

Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.

Jenkins RCE Jenkins Owasp Zap Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-57280 HIGH This Week

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.

Authentication Bypass Jenkins Jenkins Script Security Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-48793 HIGH PATCH This Week

Arbitrary file write and information disclosure in Jellyfin self-hosted media server (all versions prior to 10.11.10) arise from FFmpeg argument injection in the subtitle conversion path. Because SubtitleController.GetSubtitle carries no [Authorize] attribute, an attacker who can place a maliciously named file into a Jellyfin media library directory (e.g., via a shared NAS, Samba share, or guest upload) can break FFmpeg's argument quoting on Linux and inject arbitrary FFmpeg flags. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the unauthenticated endpoint and high CVSS (8.8) make it a meaningful concern for exposed instances.

Information Disclosure Jellyfin
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-49247 HIGH PATCH This Week

Arbitrary file write in Jellyfin media server (10.9.0 through 10.11.9) lets any authenticated non-admin user abuse the POST /ClientLog/Document endpoint to plant attacker-controlled content outside the intended log directory. The endpoint trusts the Client and Version fields of the Authorization header and uses them unsanitized to build the on-disk filename, so embedding ../ sequences in the Client field redirects writes to any path reachable by the Jellyfin service account, with a forced .log extension. No public exploit has been identified at time of analysis, and the issue is fixed in 10.11.10.

Path Traversal Jellyfin
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-53075 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's PPP driver allows an unprivileged user to issue network-administration ioctls against a network namespace they should not control. The /dev/ppp device authorizes opens against the file owner's user namespace (f_cred->user_ns) while unattached administrative ioctls act on current->nsproxy->net_ns, so a user who creates a new user namespace via CLONE_NEWUSER and gains CAP_NET_ADMIN only there can still invoke PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against an inherited (parent) network namespace. No public exploit identified at time of analysis, and EPSS is low (0.26%, 17th percentile), indicating no current evidence of mass exploitation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-48704 HIGH PATCH This Week

Arbitrary code execution in the Warp agentic development environment (builds 0.2023.10.24.08.03.stable_00 through 0.2026.05.06.15.42.stable_01) arises because the Markdown link handler routes resolved local-file links to the operating system's default file opener. A malicious Markdown document or project repository can embed a benign-looking local-file link that, when clicked, hands an executable (such as an extensionless shell script) to the platform file opener (e.g. NSWorkspace.openURL on macOS) instead of a safe viewer/editor, executing it. There is no public exploit identified at time of analysis, but the fix is confirmed in 0.2026.05.06.15.42.stable_01 and the root cause is documented in the upstream commit and GHSA advisory.

Information Disclosure Warp
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13038 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.197 stems from a use-after-free condition in the Autofill component, letting a remote attacker run arbitrary code in the renderer when a victim opens a malicious web page. Chromium rates the flaw Critical and CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, tempered by the requirement that the user load attacker-controlled content. There is no public exploit identified at time of analysis, and SSVC records exploitation status as none, but the 'total' technical impact makes prompt patching important.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13033 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (InterestGroups component, part of the Privacy Sandbox/Protected Audience ad-auction API) affects all desktop versions prior to 149.0.7827.197. A crafted HTML page triggers an out-of-bounds read and write that a remote attacker can leverage to execute arbitrary code in the renderer; Chromium rates this Critical and assigns CVSS 8.8. There is no public exploit identified at time of analysis, but a vendor patch is already available, making prompt updating the priority.

Google RCE Buffer Overflow Information Disclosure Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-48720 HIGH PATCH This Week

Arbitrary local file write in Warp terminal (0.2025.03.05.08.02.stable_00 through builds before 0.2026.05.06.15.42.stable_01) lets malicious terminal output silently drop attacker-controlled files onto disk. Warp honored non-inline OSC 1337;File (and multipart MultipartFile) iTerm2 escape sequences by base64-decoding the payload and writing it to the active block's current working directory using the attacker-supplied filename, with no confirmation prompt. Because shell startup files such as .zshenv can be overwritten this way, the write converts into code execution on the victim's host; no public exploit identified at time of analysis and the issue is not in CISA KEV.

Information Disclosure Warp
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13036 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS of 8.8; it requires user interaction (visiting a malicious page) but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with the CISA SSVC framework recording exploitation status as none.

Memory Corruption Google Denial Of Service Use After Free RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13031 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, though Chrome browser bugs of this class are historically high-value targets. Exploitation requires user interaction (loading a malicious page) but no authentication.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13035 HIGH PATCH This Week

Remote code execution in Google Chrome for macOS prior to 149.0.7827.197 stems from a use-after-free in the browser's Bluetooth subsystem, letting a malicious Bluetooth peripheral corrupt memory and execute arbitrary code in the browser process. The flaw is rated High severity by Chromium with a CVSS 8.8, requires user interaction (UI:R) but no privileges, and currently has no public exploit identified at time of analysis; CISA SSVC marks exploitation status as none.

Memory Corruption Google Denial Of Service Use After Free RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13027 HIGH PATCH This Week

Renderer-side heap corruption in Google Chrome's FileSystem component (versions prior to 149.0.7827.197) lets a remote attacker who lures a victim to a crafted HTML page trigger a use-after-free, potentially leading to arbitrary code execution within the renderer. Rated High severity by Chromium with a CVSS of 8.8; no public exploit identified at time of analysis, and CISA's SSVC framework currently records exploitation status as 'none'. EPSS data was not provided, but the user-interaction requirement (visiting a page) is the only meaningful barrier, making this a routine but real browser-patch priority.

Memory Corruption Denial Of Service Use After Free Google Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13026 HIGH PATCH This Week

Heap corruption via use-after-free in Google Chrome's Digital Credentials component on macOS allows a remote attacker to potentially execute code by luring a victim to a crafted HTML page, affecting Chrome builds prior to 149.0.7827.197. The flaw was reported internally by Google's Chrome team, and per CISA's SSVC framework exploitation is currently 'none', so this is no public exploit identified at time of analysis despite a high (8.8) CVSS score requiring user interaction. EPSS data was not provided, but the absence of KEV listing and no observed exploitation point to risk driven by Chrome's massive install base rather than confirmed in-the-wild abuse.

Memory Corruption Denial Of Service Use After Free Google Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52918 HIGH PATCH This Week

Use-after-free in the Linux kernel Bluetooth subsystem allows a crafted sequence of socket polling and connection teardown to dereference a freed sock structure, because bt_sock_poll() walks the per-socket accept queue without synchronization while a concurrent child teardown unlinks the same socket and drops its last reference. The flaw has existed since the original Bluetooth import and affects effectively all kernel versions until the fixed stable releases; EPSS is low (0.18%, 7th percentile) and there is no public exploit identified at time of analysis. Successful exploitation of the freed-object access can corrupt kernel memory, enabling denial of service and potentially privilege escalation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53053 HIGH PATCH This Week

Improper DMA-alias handling in the Linux kernel's AMD IOMMU driver lets a stale or incorrect Device Table Entry (DTE) be propagated to an alias PCI device, weakening the DMA isolation the IOMMU is meant to enforce. The flaw affects systems on AMD platforms where pci_for_each_dma_alias() supplies an alias-rather than the original-device to clone_alias(), causing the wrong source devid to be used when copying the DTE. EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis.

Linux Amd Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53057 HIGH PATCH This Week

Privilege/isolation bypass in the Linux kernel RISC-V IOMMU driver allows a local low-privileged actor to leverage stale address translations because the driver failed to issue mandatory TLB and context-cache invalidations (IOTINVAL) after updating Device Directory Table (DDT) or Page Directory Table (PDT) entries. Affecting RISC-V platforms running kernels prior to the stable fixes (6.18.33, 7.0.10, 7.1), the gap can let a device or its controlling principal access memory outside its intended IOMMU domain, breaking DMA isolation. There is no public exploit identified at time of analysis, EPSS risk is low (0.17%, 6th percentile), and it is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53072 HIGH PATCH This Week

Use-after-free in the Linux kernel Bluetooth subsystem allows kernel memory corruption when the HCI connection-request handler (hci_conn_request_evt()) invokes hci_connect_cfm() without holding hdev->lock under the HCI_PROTO_DEFER path. An adjacent attacker within Bluetooth range can race a concurrent connection teardown against a deferred-setup SCO listener to free and reuse the conn object, yielding high confidentiality, integrity, and availability impact (CVSS 8.8). There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile), reflecting the narrow, race-dependent trigger rather than broad exploitability.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53071 HIGH PATCH This Week

Race-condition memory corruption in the Linux kernel Bluetooth L2CAP stack lets a nearby BLE device crash or potentially compromise an affected host. The l2cap_ecred_reconf_rsp() handler calls l2cap_chan_del() without first taking l2cap_chan_lock(), so a crafted L2CAP Enhanced Credit (ECRED) reconfiguration response can mutate the channel list while another kernel thread iterates it. The flaw carries a vendor CVSS of 8.8 but a very low EPSS (0.16%, 6th percentile), is not in CISA KEV, and no public exploit has been identified at time of analysis; a vendor patch is available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52934 HIGH PATCH This Week

Kernel heap memory corruption affects the batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem of the Linux kernel, where a u16 accumulator in batadv_tvlv_container_list_size() can wrap around when the total size of registered TVLV containers exceeds 65535 bytes, leading to an undersized allocation and a subsequent out-of-bounds memcpy write in batadv_tvlv_container_ogm_append(). An attacker positioned on the mesh able to drive TVLV container accumulation past U16_MAX can corrupt adjacent kernel memory, risking denial of service or potential code execution. This is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.16%), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52952 HIGH PATCH This Week

Use-after-free in the Linux kernel's IOMMU subsystem allows a local low-privileged actor with device-management access to corrupt kernel memory by racing a domain re-attach against an in-progress PCI device reset. The flaw lies in __iommu_group_set_domain_internal(), where the group->recovery_cnt fence wrongly rejected mandatory detach/teardown callers (IOMMU_SET_DOMAIN_MUST_SUCCEED), so group->domain could be freed while still referenced, and pci_dev_reset_iommu_done() could then re-attach the dangling pointer. EPSS is low at 0.16% (6th percentile) and there is no public exploit identified at time of analysis, but the high CVSS (8.8) reflects full kernel-memory confidentiality, integrity, and availability impact.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-54639 HIGH PATCH This Week

{ output: 'object' })`, the Expand API, and the transform lifecycle, and is most dangerous when Style Dictionary runs inside a Node.js server that ingests untrusted tokens. No public exploit identified at time of analysis and CISA has not listed it in KEV.

Prototype Pollution Information Disclosure Style Dictionary
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
Prev Page 2 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy