Skip to main content
CVE-2026-57296 HIGH This Week

Path traversal in the Jenkins External Workspace Manager Plugin (versions 1.3.2 and earlier) lets an attacker with Item/Configure permission supply traversal sequences in the custom workspace path of the exwsAllocate Pipeline step to read arbitrary files from the Jenkins controller filesystem, which the vendor notes can escalate to remote code execution. The flaw requires an authenticated low-privileged user (CVSS:3.1 PR:L, base 8.8) and is reported directly by the Jenkins security team. No public exploit identified at time of analysis, and CISA SSVC marks exploitation as none.

Path Traversal Jenkins RCE Jenkins External Workspace Manager Plugin
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-12242 HIGH This Week

Authenticated PHP code injection in the AdRotate Banner Manager WordPress plugin (versions ≤5.17.7) allows Contributor-level users to execute arbitrary PHP on the server by abusing the 'banner' attribute of the [adrotate] shortcode. Exploitation requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings, where unsanitized input is concatenated into a PHP string wrapped in mfunc/fragment cache markers. Reported by Wordfence; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection WordPress PHP RCE Adrotate Banner Manager
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-56245 HIGH PATCH This Week

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing and quota records by invoking the SECURITY DEFINER record_build_time RPC with only a public anon API key. The flaw stems from missing authorization inside a privilege-elevated PostgREST function, enabling arbitrary build-time inserts against any organization. No public exploit identified at time of analysis, but the trivial network-reachable invocation pattern makes weaponization straightforward.

Privilege Escalation Denial Of Service Capgo
NVD GitHub
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-45677 HIGH PATCH This Week

Session-destruction denial of service in Rocket.Chat's SAML single logout allows an unauthenticated remote attacker to forcibly log out any SAML-authenticated user by submitting a forged, unsigned LogoutRequest to the SP logout endpoint. Because the integration never validates the SAML signature, an attacker who knows only a victim's NameID - typically their email address, as exposed by Okta, Google Workspace, Microsoft Entra ID, and JumpCloud - can repeatedly destroy sessions and script the attack across many accounts to render the instance unusable. No public exploit identified at time of analysis; the CVSS 4.0 base score is 8.7 (availability-only impact), and fixes are available across all maintained release branches.

Authentication Bypass Microsoft Google
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-56270 HIGH PATCH This Week

Unauthenticated OAuth secret disclosure in FlowiseAI Flowise versions 3.0.13 and earlier allows remote attackers to harvest cleartext SSO client secrets for Google, Microsoft/Azure, GitHub, and Auth0 by sending a single GET request to /api/v1/loginmethod with a guessable organizationId. Affects both FlowiseAI Cloud and self-hosted deployments where the endpoint is reachable; publicly available exploit code exists (vendor GHSA includes a complete request/response PoC), and the leaked credentials enable downstream identity-provider compromise.

Authentication Bypass Microsoft Google Flowise
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-46348 HIGH PATCH This Week

Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing HTTP requests to loopback interfaces, reaching private resources and internal services that should be unreachable from the public internet. The flaw stems from an incomplete IP-range blocklist that omitted a range capable of resolving to local addresses. No public exploit identified at time of analysis; the upstream advisory (GHSA-crr4-7rm4-8gpw) accompanies the fixed releases.

SSRF Mastodon
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-54759 HIGH PATCH This Week

Arbitrary command execution in the SiYuan Electron desktop client (versions prior to 3.7.0) allows a remote attacker to run OS commands on a victim's machine when they merely view a malicious Bazaar marketplace package's README. The root cause is that Lute's HTML sanitizer fails to strip <iframe> elements, which combine with the Electron client's permissive security settings (e.g. node integration / relaxed sandboxing) to escalate stored XSS into full code execution; notably no package installation is required, only viewing the package details. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 8.7 (High) reflects high confidentiality, integrity, and availability impact.

XSS Siyuan
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56232 HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 allows authenticated users with valid subkeys to escape scope restrictions by supplying their own subkey identifier in the x-limited-key-id header, causing middlewareKey to fall back to the unrestricted parent key. With CVSS 4.0 of 8.7 and high impact across confidentiality, integrity, and availability, exploitation only requires low-privileged API access, though no public exploit identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-35025 HIGH This Week

Directory ACL bypass in ProFTPD (through 1.3.9b and 1.3.10rc2) lets authenticated FTP users reach files inside DenyAll-protected directories by prefixing paths with /proc/self/root in the RNFR (rename-from) command. Because the CVSS 4.0 vector specifies PR:L, exploitation requires a valid low-privilege FTP account, after which an attacker can rename and then retrieve files that configured Directory ACLs were meant to protect. There is no public exploit identified at time of analysis and no KEV listing, but the VulnCheck-assessed CVSS of 8.6 reflects the strong confidentiality and integrity impact on file-access controls.

Authentication Bypass Proftpd
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-49269 HIGH This Week

Apple M1 GPUs retain register file data between compute shader dispatches from different processes. A sandboxed Metal attacker app can run a GPU reader shader that reads stale register values left by a separate sandboxed victim app. In the proof of concept, GPUVictim.app generates a fresh random 128-bit secret using SecRandomCopyBytes and loads it into GPU registers. GPUAttacker.app, a separate sandboxed app, recovers the exact secret from stale GPU register state. NOTE: The vendor stated that this behavior affects only legacy hardware and has already been addressed at the hardware level in current-generation Apple Silicon.

Apple Information Disclosure N A
NVD GitHub
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-47389 HIGH PATCH This Week

Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls authoritative DNS for a hostname bypass Mastodon's private-network filter and force the server to connect to internal IPv4 endpoints. The flaw stems from PrivateAddressCheck.private_address? returning false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) on Ruby releases older than 3.4, so a malicious AAAA record can redirect any outbound fetch to loopback (127.0.0.1), RFC1918 hosts, or cloud-metadata services like 169.254.169.254. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed, high confidentiality) rating reflects direct exposure of internal services and instance credentials.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-48721 HIGH PATCH This Week

Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_00 through the fix in 0.2026.05.06.15.42.stable_01) lets denylisted, confirmation-required commands auto-execute. Because the non-interactive CLI agent matched command strings against its denylist before stripping leading environment-variable assignments, an attacker able to influence the agent's emitted command output (e.g., via prompt injection) can prefix a blocked command such as 'rm' with 'X=1' to evade the safety boundary. No public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Warp
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-71332 HIGH This Week

SQL injection in Flowise through 2.2.7 allows authenticated users to execute arbitrary SQL via the importChatflows API by supplying a crafted JSON file whose chatflow.id value is concatenated unsanitized into an IN clause. Successful exploitation enables blind and error-based extraction of stored credentials and tampering with application data. Publicly available exploit code exists in the GHSA advisory, though no active exploitation is confirmed.

SQLi Flowise
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-45687 HIGH PATCH This Week

Insecure object property modification (mass assignment) in Rocket.Chat's file-upload completion flow allows a low-privileged authenticated user to overwrite arbitrary fields on their own upload record, including the storage backend (store) and store-specific path fields. The flaw stems from sendFileMessage passing the entire attacker-controlled file object into Uploads.updateFileComplete, which Object.assigns it into a MongoDB $set with no writable-field allow-list, enabling an attacker to repoint their upload metadata at arbitrary storage locations and disclose sensitive data. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the issue affects all releases prior to the fixed 8.5.0/8.4.1/8.3.3/8.2.3/8.1.4/8.0.5/7.13.7/7.10.11 builds.

Information Disclosure
NVD GitHub
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-53091 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel networking stack (net/core qdisc segmentation path) lets a local user feed malformed GSO (Generic Segmentation Offload) packets whose headers are not present in skb->head, causing drivers and net/core/tso.c (tso_build_hdr) to memcpy beyond valid bounds. The flaw can leak adjacent kernel memory and/or crash the system; it is not in CISA KEV and no public exploit has been identified, with a low EPSS of 0.15% (5th percentile) indicating low near-term exploitation likelihood. The upstream fix adds proper header pulling via pskb_may_pull() and a new SKB_DROP_REASON_SKB_BAD_GSO drop reason so malicious packets are dropped early.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.4
EPSS
0.2%
CVE-2026-42450 HIGH PATCH This Week

Stack buffer overflow in OpenColorIO's .spi3d LUT parser allows a crafted color-lookup file to corrupt memory in any application that loads it. The flaw in FileFormatSpi3D.cpp reads attacker-controlled data from a 4096-byte line into 64-byte stack buffers via unbounded sscanf %s, permitting an overflow of roughly 4000 bytes on non-Windows platforms. It affects all OCIO 1.x and 2.x releases prior to 2.5.2 and, while no public exploit has been identified, the same unsafe pattern was found across the .spi3d, .spi1d, .cube, and .lut parsers.

Microsoft Buffer Overflow Opencolorio Suse
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-13025 HIGH PATCH This Week

Sandbox escape in Google Chrome's DevTools component (versions prior to 149.0.7827.197) lets an attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page that triggers a race condition. Rated High by Chromium with a scope-changing CVSS 8.3, it requires a prior renderer compromise plus user interaction, and there is no public exploit identified at time of analysis. SSVC lists exploitation as none, indicating no observed in-the-wild use despite the total technical impact.

Information Disclosure Google Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-52920 HIGH PATCH This Week

Incorrect strict-mode policy matching in the Linux kernel's netfilter xt_policy module causes multi-element inbound IPsec policy rules to be evaluated in the wrong order, so packets can be matched against the wrong transform descriptor. On systems that filter inbound traffic with iptables/nftables 'policy' matches in strict mode using multiple policy elements, this can let traffic that should be rejected satisfy the rule (or legitimate IPsec traffic fail it), undermining the intended firewall/IPsec enforcement. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile); the issue has been resolved upstream with stable patches available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-11878 HIGH This Week

Cross-site scripting in OpenText Access Manager 5.1 through 5.1.2 lets a remote unauthenticated attacker inject script that executes in the browser of a targeted user of this enterprise SSO/access-management platform (CWE-79). Per the vendor-supplied CVSS 4.0 vector the flaw carries high vulnerable-system confidentiality impact (VC:H) but high attack complexity and a specific attack requirement (AC:H/AT:P), yielding a base score of 8.2. No public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Access Manager
NVD VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-56091 HIGH This Week

Authentication bypass in Apache Shiro affects deployments using the shiro-guice module in a web servlet context, where a specially crafted HTTP request can evade path-based access controls and reach protected resources without valid credentials. It mirrors the older shiro-spring flaw CVE-2020-1957 but targets the Guice integration instead, impacting all Shiro releases through 2.x and 3.0.0-alpha-1. No public exploit identified at time of analysis, though the CVSS 4.0 base score of 8.2 reflects high confidentiality impact and the close analogy to a previously exploited bug class.

Authentication Bypass Java Apache
NVD VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-48719 HIGH PATCH This Week

Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell when they click that branch in the UI. It affects Warp builds from 0.2025.08.06.08.12.stable_00 up to the fix in 0.2026.05.06.15.42.stable_01, and is exploitable by anyone able to publish a branch to a repository the victim opens in Warp. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Command Injection Warp
NVD GitHub
CVSS 3.1
8.0
EPSS
0.9%
CVE-2026-55762 HIGH PATCH This Week

{"setDeploymentAs": "new-workspace"}. The endpoint correctly requires authentication but performs no role/permission check (CWE-862), so the action wipes cloud credentials, removes the workspace license, and breaks push notifications for all users until manual re-registration. No public exploit identified at time of analysis; the issue is a denial-of-service / integrity flaw rather than data theft (CVSS C:N, I:H, A:H = 8.1).

Authentication Bypass Rocket Chat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-48725 HIGH This Week

Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stable_01) lets attacker-controlled terminal output read and write the host desktop clipboard via OSC 52 escape sequences with no confirmation prompt. Any malicious remote host, compromised program, or hostile output stream rendered in the terminal can silently exfiltrate clipboard contents (e.g. copied passwords or tokens) or plant attacker text for the user to later paste. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix commit is public; CVSS is 8.1 (High).

Privilege Escalation Warp
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-8286 HIGH PATCH This Week

Information disclosure and integrity exposure in curl/libcurl occurs when a new transfer that uses STARTTLS to upgrade a connection may reuse an already-established live connection whose TLS configuration does not match the requested one, so data intended for a strictly-configured secure channel can traverse a connection negotiated under different (potentially weaker or unverified) TLS settings. The flaw affects a very wide range of curl releases from 7.30.0 through 8.20.0 and is tagged as Information Disclosure with high confidentiality and integrity impact (CVSS 8.1). It is not listed in CISA KEV, EPSS is low (0.20%, 9th percentile), and no public exploit code is identified at time of analysis.

Information Disclosure Curl
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-52967 HIGH PATCH This Week

Out-of-bounds read and denial-of-service in the Linux kernel SMB/CIFS client (cifs.ko) affects systems mounting SMB shares on 32-bit architectures. When parsing a malicious SMB2 error response, the symlink_data() routine mishandles a hostile ErrorDataLength value, causing either an infinite loop or a read past the buffer that can hang the client or leak adjacent kernel memory. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile), but the bug is reachable by any malicious or compromised SMB server a vulnerable client connects to.

Linux Denial Of Service Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-10745 HIGH This Week

Log injection in upKeeper Instant Privilege Access through 1.6.1 on Windows allows remote unauthenticated attackers to forge, tamper with, or inject crafted entries into application logs by smuggling unneutralized control characters through logged inputs. The flaw (CWE-117) does not directly compromise the upKeeper agent itself but produces high integrity, confidentiality, and availability impact on subsequent log-consuming systems (SIEM, audit pipelines). No public exploit identified at time of analysis and the CVE is not present in CISA KEV.

Code Injection Microsoft Upkeeper Instant Privilege Access
NVD VulDB
CVSS 4.0
7.9
EPSS
0.3%
CVE-2026-2050 HIGH This Week

Arbitrary code execution in GIMP results from a heap-based buffer overflow in the HDR file parser, where attacker-controlled length data is copied into an undersized heap buffer without bounds validation. Any user who opens a maliciously crafted HDR image (or visits a page that delivers one) can be exploited, with code running in the context of the GIMP process. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Heap Overflow Buffer Overflow RCE Gimp
NVD VulDB
CVSS 3.1
7.8
EPSS
0.5%
CVE-2026-48731 HIGH PATCH This Week

Command injection in the Warp agentic development environment (Linux builds 0.2024.02.20.08.01.stable_01 through pre-0.2026.05.06.15.42.stable_01) lets an attacker run arbitrary shell commands as the local user when a victim opens a maliciously named file through an affected external or system-default editor route. Warp expanded freedesktop .desktop Exec templates and passed the result to a shell, so shell metacharacters embedded in a file path are interpreted rather than treated as data. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; impact is high (CVSS 7.8) but requires local context and user interaction.

Command Injection Warp
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2026-10043 HIGH PATCH This Week

Arbitrary code execution in MosaicML Composer arises when the library loads a model or resumption checkpoint, because checkpoint parsing deserializes attacker-controlled pickle data without validation (CWE-502). A user who loads a maliciously crafted checkpoint (.pt) file - for example one downloaded from a model hub or shared by a collaborator - runs arbitrary Python code in the context of the training process. Reported through ZDI (ZDI-26-384, ZDI-CAN-27990); no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but an upstream source fix is available.

Deserialization RCE Composer
NVD GitHub
CVSS 3.0
7.8
EPSS
0.3%
CVE-2026-52943 HIGH PATCH This Week

Local privilege escalation in the Linux kernel networking stack (skbuff/MSG_ZEROCOPY path) allows an unprivileged local user to gain full root via a use-after-free on ubuf_info_msgzc. The pskb_carve_inside_header() and pskb_carve_inside_nonlinear() helpers memcpy the skb_shared_info (including the zerocopy destructor_arg/uarg pointer) into a new buffer without calling net_zcopy_get(), so the uarg refcount is decremented more times than it was incremented, freeing the ubuf_info while live TX skbs still reference it. A working proof-of-concept exists that achieves reliable root escalation on a default kernel configuration; the issue is not listed in CISA KEV and EPSS probability is low (0.21%, 11th percentile).

Privilege Escalation Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52912 HIGH PATCH This Week

Use-after-free in the Linux kernel's netfilter NFQUEUE subsystem affects bridge LOCAL_IN packet handling, where br_pass_frame_up() rewrites skb->dev to the bridge master before queuing without holding a reference on that device. A local attacker who can influence queued bridge traffic and trigger bridge teardown (NETDEV_DOWN) can cause the kernel to re-enter the receive path with a freed bridge master device, yielding a use-after-free with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).

Code Injection Linux Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52969 HIGH PATCH This Week

Local privilege-relevant memory corruption in the Linux kernel's KVM subsystem (kvm_reset_dirty_gfn) lets any process holding /dev/kvm bypass a dirty-ring bounds check via a u64 integer overflow, driving a near-U64_MAX guest frame number into gfn_to_rmap() for an out-of-bounds kvm_rmap_head load and a conditional write-flag clear. Affected are kernels from 5.11 through the 7.x line running VMs on the shadow-paging (legacy/rmap) MMU path. This is a local (AV:L), low-privilege (PR:L) issue rated CVSS 7.8; there is no public exploit identified at time of analysis, EPSS is low at 0.19% (9th percentile), and it is not on CISA KEV.

Integer Overflow Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53033 HIGH PATCH This Week

Local privilege escalation via a use-after-free in the Linux kernel's BPF sockmap subsystem (unix_stream_bpf_update_proto) allows a local attacker with BPF/sockmap privileges to corrupt kernel memory by racing a BPF iterator program against an AF_UNIX socket close. The flaw is a race condition where the `peer` pointer becomes stale during a TCP_ESTABLISHED→TCP_CLOSE transition, leading to a sock_hold() on freed memory (confirmed by a KASAN slab-use-after-free report). With a CVSS of 7.8 (local, low complexity, low privileges) it carries high confidentiality, integrity, and availability impact, though EPSS is low (0.19%) and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52991 HIGH PATCH This Week

Local privilege-escalation-capable memory corruption in the Linux kernel's PSI (Pressure Stall Information) subsystem allows a local user with write access to cgroup pressure files to trigger a use-after-free or NULL-pointer dereference. The flaw stems from a race between pressure_write() and cgroup file release/rmdir on the kernfs_open_file->priv pointer, confirmed via a KASAN slab-use-after-free report in pressure_write+0xa4/0x210. No public exploit identified at time of analysis, and EPSS is low (0.19%, 8th percentile), indicating no observed mass exploitation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52992 HIGH PATCH This Week

Out-of-bounds heap write in the Linux kernel's ADFS (Acorn Disc Filing System) driver allows a local attacker to corrupt kernel memory by mounting a crafted new-format ADFS disc image whose disc record declares a zone count of zero. adfs_read_map() forwards nzones==0 to kmalloc_array(0, ...), which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], an out-of-bounds write before the allocated buffer. The flaw was found by syzkaller; there is no public exploit identified at time of analysis and EPSS scores it at just 0.18% (8th percentile).

Buffer Overflow Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52962 HIGH PATCH This Week

Memory leak in the Linux kernel's Ceph client (CephFS) allows a local, low-privileged user to exhaust kernel buffer memory by repeatedly triggering the retry path in __ceph_setxattr(), where the old_blob holding ci->i_xattrs.prealloc_blob is never released via ceph_buffer_put(). The flaw affects systems mounting CephFS and is addressed by an upstream stable fix; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.18%). Note: the CWE-787 (out-of-bounds write) classification and 'Buffer Overflow' tag conflict with the description, which describes a resource/buffer leak rather than memory corruption.

Buffer Overflow Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52947 HIGH PATCH This Week

Local privilege escalation and memory corruption is possible in the Linux kernel's QRTR (Qualcomm IPC Router) networking subsystem (net/qrtr/af_qrtr.c), where qrtr_port_remove() decrements a socket's reference count via __sock_put() before erasing the port from the qrtr_ports XArray and before the RCU grace period elapses, violating the RCU update ordering. A concurrent RCU reader (qrtr_reset_ports() or qrtr_port_lookup()) can retrieve the socket and call sock_hold() on an object whose refcount has already reached zero, producing refcount saturation and a use-after-free. The issue was reproduced by syzkaller fuzzing; it carries a CVSS of 7.8 (AV:L), EPSS is low at 0.18% (8th percentile), it is not on CISA KEV, and no public exploit identified at time of analysis.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53130 HIGH PATCH This Week

Out-of-bounds kernel memory write in the Linux kernel's OMFS filesystem driver (fs/omfs) allows a local attacker to corrupt kernel memory by mounting a crafted OMFS image. omfs_fill_super() validates that s_sys_blocksize is not larger than PAGE_SIZE but fails to enforce a lower bound, so a value below OMFS_DIR_START (0x1b8 = 440) triggers an unsigned integer underflow in omfs_make_empty(), driving a roughly 4 GiB memset() that overwrites kernel memory far beyond the block buffer. There is no public exploit identified at time of analysis, the EPSS score is low (0.18%), and it is not listed in CISA KEV; the fix has been backported across many stable kernel branches.

Linux Information Disclosure Integer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53036 HIGH PATCH This Week

Local memory corruption / control-flow corruption in the Linux kernel arm64 BPF JIT stems from an off-by-one in the check_imm() branch-displacement range check, which lets a forward branch be silently rewritten into a backward branch when a B.cond/CBZ/CBNZ (imm19) or B/BL (imm26) displacement falls in the over-permissive extra bit of range. A local user able to load a BPF program on arm64 can trigger miscompiled JIT code that corrupts kernel control flow, with potential for code execution, data corruption, or denial of service. EPSS is low (0.18%, 8th percentile), with no public exploit identified at time of analysis and no CISA KEV listing.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-48703 HIGH PATCH This Week

OS command injection in Warp's AI Agent code-search tooling allows attacker-controlled inputs to escape read-only search operations and execute arbitrary shell commands in the user's terminal. Affected builds from 0.2025.04.09.08.11.stable_00 up to 0.2026.05.06.15.42.stable_01 implement the Grep and FileGlob actions — which the Agent's command-execution policy authorizes only as read/search — by concatenating Agent-supplied search text, paths, and glob patterns into unquoted shell command strings. There is no public exploit identified at time of analysis, though the vendor fix commit and its regression tests publicly demonstrate the injection technique (e.g. a $(touch /tmp/warp-poc) payload).

Command Injection Warp
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53096 HIGH PATCH This Week

Memory-safety data race in the Linux kernel's BPF DEVMAP_HASH redirect path (dev_map_redirect_multi(), SKB/generic XDP path) lets a concurrent reader in softirq context observe a partially-constructed hash node because hlist_for_each_entry_safe() dereferences list pointers without the rcu_dereference() acquire barrier that pairs with writers' rcu_assign_pointer(). Affecting kernels from 5.14 up to the fixed stable releases, it can lead to memory corruption or information disclosure on weakly-ordered architectures (ARM64, POWER) when BPF devmap-hash redirect is in use. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and it is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53062 HIGH PATCH This Week

Concurrent cache-block invalidation in the Linux kernel's device-mapper dm-cache `smq` policy (running in passthrough mode) corrupts shared state because the `invalidate_mapping` operation is invoked from multiple workers without locking. This produces data races on the allocated-blocks counter and use-after-free conditions in internal data structures during concurrent writes, enabling local memory corruption with potential for privilege escalation or denial of service. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.18%, 7th percentile), consistent with a hard-to-trigger local race rather than a remotely weaponizable flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53050 HIGH PATCH This Week

Local privilege escalation and memory-corruption risk in the Linux kernel disk quota subsystem arises from a use-after-free race between dquot_scan_active() and quota deactivation in quota_release_workfn(). On affected kernels (multiple stable trees from 4.19 through 6.x/7.x), a dquot can be acquired by the scan path after being placed on the releasing list with dq_count==0, so under memory pressure the caller may operate on a freed dquot, corrupting kernel memory. EPSS is low (0.18%, 7th percentile) and there is no public exploit identified at time of analysis; the issue requires local access with low privileges per the CVSS vector.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53016 HIGH PATCH This Week

Out-of-bounds write in the Linux kernel's AMD Cryptographic Coprocessor (ccp) driver allows a local low-privileged user to overrun a caller-supplied IV buffer by 8 bytes when issuing rfc3686(ctr(aes)) requests through the AF_ALG socket interface. The ccp_aes_complete() handler unconditionally copies AES_BLOCK_SIZE (16 bytes) back into the IV buffer, but RFC3686 skciphers expose only an 8-byte IV, corrupting adjacent memory. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is low (0.18%, 7th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53011 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's taprio traffic scheduler (net/sched) arises from a use-after-free in advance_sched() during an admin-to-oper schedule switch, affecting kernels from 5.2 through the fixed releases. After switch_schedules() queues the old oper schedule for RCU freeing, the 'next' pointer still references a freed entry that is then written to and published via rcu_assign_pointer(), letting a local user with network-configuration capability corrupt kernel memory for potential code execution. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a complex local-only TSN feature rather than mass exploitation.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53004 HIGH PATCH This Week

Out-of-bounds write in the Linux kernel SCTP stack (sctp_getsockopt_peer_auth_chunks) lets a local unprivileged process trigger an 8-byte overrun past its own supplied getsockopt buffer, silently corrupting adjacent data in the caller's userspace address space. The bug is a size-check that omits the 8-byte sizeof(struct sctp_authchunks) header, so a buffer sized exactly to num_chunks passes validation but copy_to_user still writes the struct header. There is no public exploit identified at time of analysis (not in CISA KEV; EPSS 0.18%), though the kernel changelog cites a working reproducer on v7.0-13-generic, and a vendor patch is available.

Buffer Overflow Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52976 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's drm/xe Intel GPU driver arises from two error-handling defects in xe_exec_queue_create_ioctl() that leave a freed exec queue linked into either the VM's preempt-fence compute list or the hardware engine group list, producing a dangling pointer and a use-after-free. A local user with access to the DRM device on systems running the affected Intel Xe driver (introduced around 6.12) can trigger the faulty cleanup paths to corrupt kernel memory, with potential for code execution at kernel privilege. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile); the issue is fixed upstream and in stable releases.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52975 HIGH PATCH This Week

Concurrent access to an unprotected pointer in the Linux kernel's 802.3ad (LACP) bonding driver allows a local user to trigger a data race between the AD state-machine worker and the rtnetlink read path that fetches active aggregator info. Discovered by syzbot/KCSAN, the torn read of the `port->aggregator` pointer can disclose kernel memory state or destabilize the bonding driver on systems configured with LACP NIC teaming. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Information Disclosure Google
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52951 HIGH PATCH This Week

Local denial of service in the Linux kernel's Intel Xe DRM driver (drm/xe/dma-buf) arises from use-after-free and NULL pointer dereference race conditions in the dma-buf import path, affecting kernels from 6.8 through the fixes in 6.12.91, 6.18.33, 7.0.10 and 7.1. When a buffer object is shared from another GPU driver such as amdgpu, the exporter can invoke the Xe invalidate_mappings hook against a partially initialized or already-freed bo, crashing the system; two customers reported NULL ptr derefs in evict_flags. This is tagged Denial of Service, has no public exploit identified at time of analysis, and carries a low EPSS of 0.18% (7th percentile).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52973 HIGH PATCH This Week

Local privilege escalation in the Linux kernel futex subsystem stems from a slab use-after-free in futex_hash_put, triggered when a process shares its mm via CLONE_VM without CLONE_THREAD. The flawed need_futex_hash_allocate_default() check broke the non-concurrency assumption for per-CPU mm->futex_ref allocation, letting a stale +1 bias land on a percpu counter the mm no longer references. Carries CVSS 7.8 (high) with full C/I/A impact; no public exploit identified at time of analysis and EPSS is low (0.17%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
Prev Page 3 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy