Skip to main content
CVE-2026-52935 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's xfrm espintcp (ESP-in-TCP IPsec encapsulation) send path allows a local user with a socket using espintcp to corrupt the one-message-at-a-time transmit state, leading to memory disclosure or a crash. The flaw stems from espintcp_sendmsg() reinitializing emsg->skmsg and reusing ctx->partial while a previous partial send is still in flight, attaching a stale offset to a fresh sk_msg. No public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile), reflecting a niche, configuration-dependent attack surface rather than broad exploitability.

Linux Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52927 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel ebtables 32-bit compat layer (compat_mtw_from_user) lets a local low-privileged user holding CAP_NET_ADMIN trigger KASAN-detected OOB reads by supplying an undersized match_size/target_size for an extension whose ->compat_from_user() callback assumes it can read compatsize bytes. It affects Linux from 2.6.34 through builds before the fix and is resolved upstream across all maintained stable branches; no public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52919 HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module allows a local low-privileged user to crash or potentially gain code execution by triggering a tp_meter counter underflow during interface shutdown. Concurrent shutdown paths (timeout, user cancel, normal finish) each decrement the 'sending' atomic counter, underflowing it to -1, which traps the sender kthread in an infinite loop and produces a use-after-free when the mesh interface is removed while the zombie thread still runs. No public exploit identified at time of analysis, and EPSS is low at 0.16%; a vendor patch is available across multiple stable trees.

Linux Information Disclosure Integer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53025 HIGH PATCH This Week

Use-after-free in the Linux kernel's greybus 'raw' driver (drivers/staging/greybus/raw.c) allows a local user holding an open character-device handle to trigger memory corruption when the underlying raw bundle is disconnected and the application later closes the cdev. The flaw stems from the gb_raw structure (which embeds the cdev) being freed in the disconnect callback while a userspace reference remains, causing cdev_put to operate on freed memory and a refcount underflow/panic, especially with CONFIG_INIT_ON_FREE_DEFAULT_ON=y. No public exploit identified at time of analysis, and EPSS is low (0.16%, 6th percentile), consistent with a local, niche-driver issue.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53024 HIGH PATCH This Week

Local privilege-level denial of service in the Linux kernel's Greybus 'raw' character device driver (gb_raw) allows a user with access to the chardev to trigger a use-after-free by writing to the device after a disconnect has freed the underlying gb_connection object, causing a kernel NULL pointer dereference and panic (observed reliably with CONFIG_INIT_ON_FREE_DEFAULT_ON=y). The flaw is a race between the raw_write() path calling gb_operation_sync_timeout() and gb_connection_destroy() running during disconnect. EPSS is low (0.16%, 6th percentile) with no public exploit identified at time of analysis and no CISA KEV listing.

Linux Denial Of Service Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53005 HIGH PATCH This Week

Local use-after-free in the Linux kernel's AF_UNIX subsystem occurs when SOCKMAP (BPF socket map) redirects skbs carrying inflight file descriptors, hiding them from the AF_UNIX garbage collector and breaking the Tarjan-based GC's assumption that unix_edge.successor stays alive — producing a slab use-after-free in unix_del_edges() plus inflight-socket leaks and incorrect fdinfo accounting. Affected are kernels supporting SOCKMAP/sk_psock redirect (roughly 5.15 through pre-fix 7.x trees); a local attacker who can set up SOCKMAP redirection and pass SCM_RIGHTS descriptors can corrupt kernel memory toward privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV.

Linux Information Disclosure Debian Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52987 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption is possible in the Linux kernel's AMD GPU driver (amdgpu) via a double drm_exec_fini() in the user-queue validation path. When amdgpu_userq_vm_validate() runs with new_addition set, a failure in amdgpu_ttm_tt_get_user_pages() routes execution to a cleanup label that finalizes the already-freed drm_exec object a second time, corrupting kernel state. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.16% (6th percentile), consistent with a hard-to-trigger local bug rather than a mass-exploited flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52933 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's io_uring poll subsystem arises from a signed-comparison flaw in io_poll_get_ownership(), where atomic_read() returns a signed int and the IO_POLL_CANCEL_FLAG (BIT(31)) makes poll_refs negative, so the '>= IO_POLL_REF_BIAS' slowpath check is never taken. Affecting kernels from the 5.15/6.x stable series through pre-patch 7.x, a local user with io_uring access can drive poll-reference accounting into an incorrect state during request cancellation, with CVSS 7.8 (AV:L) rating high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile), but a vendor patch is available across stable branches.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53129 HIGH PATCH This Week

Local privilege-dependent use-after-free in the Linux kernel's fs/mbcache subsystem allows a privileged user (root or CAP_SYS_ADMIN) to trigger memory corruption when unmounting an ext2, ext4, or ocfs2 filesystem. mb_cache_destroy() frees the cache without cancelling the pending c_shrink_work item, so a still-running mb_cache_shrink_worker() accesses freed memory (CWE-416), potentially leading to kernel code execution or crash. No public exploit identified at time of analysis; EPSS is low (0.16%, 5th percentile) and it is not on CISA KEV.

Memory Corruption Linux Use After Free Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53110 HIGH PATCH This Week

Memory-safety and information-disclosure risk in the Linux kernel s390 (IBM Z) eBPF JIT compiler stems from incomplete ABI compliance: the JIT sign-extended values but never zero-extended unsigned BPF program return values and kfunc arguments as the s390x calling convention requires. On s390x hosts, a local user able to load BPF programs can cause the JIT to emit code that leaves stale upper register bits, producing incorrect computation that can leak kernel data or corrupt execution. There is no public exploit identified at time of analysis, EPSS is low (0.16%), and the issue is not in CISA KEV; it is fixed in multiple stable releases.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53085 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel BPF subsystem arises from a use-after-free in the open-coded task_vma iterator, which read task->mm locklessly and took mmap_read_trylock() without ever calling mmget(). On kernels where a concurrent task exit frees the mm_struct (not protected by SLAB_TYPESAFE_BY_RCU), a BPF program iterating that task's VMAs can access freed memory, enabling information disclosure or kernel control-flow corruption. The fix has been merged upstream; there is no public exploit identified at time of analysis, EPSS is low (0.16%, 5th percentile), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53081 HIGH PATCH This Week

Local privilege escalation in the Linux kernel (6.11 through pre-patch 6.12.x/6.18.x/7.0.x) arises from a BPF verifier state-pruning flaw in regsafe() handling of BPF_ADD_CONST scalar registers, where base register IDs are not checked for mapping consistency. An attacker able to load BPF programs can construct two verifier states that falsely appear equivalent, causing state pruning to incorrectly succeed and letting an unsafe program bypass verification. With CVSS 7.8 (AV:L/PR:L) and full C/I/A impact, successful exploitation can corrupt kernel memory; there is no public exploit identified at time of analysis and EPSS is low (0.16%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53090 HIGH This Week

{abs,ind} instructions can take inside BTF-annotated subprograms when a packet data load fails. The verifier only validated the success path, leaving the failure path unanalyzed, which can let an unsafe BPF program pass verification. EPSS is low (0.15%, 5th percentile) and there is no public exploit identified at time of analysis, but the CVSS 7.8 (local, low-complexity) rating reflects a genuine memory-safety risk for any host where BPF program loading is reachable.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53020 HIGH PATCH This Week

Local privilege escalation or memory disclosure is possible in the User Mode Linux (UML/'um') architecture of the Linux kernel (affected around 6.19, fixed in 7.0.10 and 7.1) due to a TLB-sync race condition where the page table is traversed and modified without holding the page table lock. Concurrent threads in the same process can corrupt page table state, with CVSS 7.8 (local, low-privilege) and a high-impact triad; there is no public exploit identified at time of analysis and EPSS is low at 0.15% (5th percentile), consistent with a hard-to-trigger local race rather than a mass-exploited flaw.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53009 HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's Intel ice network driver allows a double-free of a transmit buffer's skb when the TX offload paths fail. When ice_tso() or ice_tx_csum() return an error, ice_xmit_frame_ring() frees the skb but leaves the 'first' tx_buf still marked ICE_TX_BUF_SKB, so a later ice_clean_tx_ring() during interface teardown frees the same skb a second time. Carries a CVSS 3.1 base of 7.8 (AV:L/PR:L), but with a low EPSS of 0.15% (5th percentile), no KEV listing, and no public exploit identified at time of analysis.

Code Injection Linux Intel
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53078 HIGH PATCH This Week

Out-of-bounds read and kernel pointer leak in the Linux kernel's eBPF sock_ops subsystem lets a local low-privileged actor able to load BPF programs disclose kernel memory and corrupt kernel state. The SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the destination register on the !fullsock/!locked_tcp_sock path when dst_reg == src_reg, leaving a stale ctx pointer that the verifier mistakes for a valid socket or a scalar. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.14%, 4th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-52959 HIGH PATCH This Week

Page allocator corruption in the Linux kernel's AMD SEV-SNP guest driver (virt/sev-guest) affects confidential-computing guests running kernels from 6.14 onward. When a guest issues an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), an untrusted host can return SNP_GUEST_VMM_ERR_INVALID_LEN with a length that does not match the original allocation; the cleanup path then frees pages using a host-controlled page order, corrupting the guest's page allocator. CVSS is 7.8 (local, high C/I/A), but EPSS is just 0.11% (2nd percentile), and there is no public exploit identified at time of analysis and no CISA KEV listing.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13037 HIGH PATCH This Week

Arbitrary code execution within the renderer sandbox affects Google Chrome on Android before 149.0.7827.197 via a use-after-free defect in the WebView component, reachable when a victim renders a crafted HTML page. The flaw lets an attacker corrupt freed memory in the rendering process to gain code execution confined to the sandbox; CVSS is 7.8 (High) and Chromium rates it High severity. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none, but a vendor patch is already available.

Memory Corruption Google Denial Of Service Use After Free RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-9776 HIGH This Week

Unauthenticated information disclosure in ATEN Unizon allows remote attackers to read arbitrary files from affected installations by abusing a path-traversal weakness in the writeFileToHttpServletResponse method. Because the underlying service runs with SYSTEM privileges, an attacker can exfiltrate sensitive files including configuration, credentials, and OS-level data. Cataloged via ZDI (ZDI-26-380 / ZDI-CAN-28505) with no public exploit identified at time of analysis; not listed in CISA KEV and no EPSS score was provided.

Path Traversal Information Disclosure Unizon
NVD
CVSS 3.0
7.5
EPSS
1.6%
CVE-2026-54699 HIGH PATCH This Week

OS command injection in Warp (the agentic terminal/development environment) affects builds from 0.2024.03.12.08.02.stable_01 up to the fix in 0.2026.05.06.15.42.stable_01 when running under Windows Subsystem for Linux. When wslview cannot open a URL, Warp falls back to a Windows command processor (cmd.exe /c start), so a malicious URL emitted into terminal output executes attacker-controlled Windows commands once the user clicks the link. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix commit clearly documents the injection path.

Command Injection Microsoft Warp
NVD GitHub
CVSS 3.1
7.7
EPSS
0.4%
CVE-2026-33235 HIGH PATCH This Week

Uncontrolled resource consumption in the AutoGPT platform (versions before 0.6.52) lets an authenticated user crash the server through the Fill Text Template block. The block's Jinja2 SandboxedEnvironment blocks dangerous attribute access but enforces no CPU, memory, or execution-time limits, so a crafted expression can exhaust server resources and hang or crash the host. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the bug is straightforward to trigger and the vendor has shipped a fix in 0.6.52.

Python Denial Of Service
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2025-71361 HIGH PATCH This Week

Detection bypass in picklescan before 0.0.29 allows malicious pickle files to evade scanning by abusing the undetected idlelib.calltip.Calltip.fetch_tip function, enabling arbitrary code execution when the file is later loaded via pickle.load(). Affects ML supply chains relying on picklescan to vet PyTorch models; publicly available exploit code exists in the GHSA advisory, but no public exploit identified in active campaigns at time of analysis.

Code Injection RCE Picklescan
NVD GitHub
CVSS 4.0
7.6
EPSS
0.3%
CVE-2025-71354 HIGH PATCH This Week

Detection bypass in picklescan before 0.0.29 allows attackers to craft malicious pickle files using idlelib.debugobj.ObjectTreeItem.SetText in __reduce__ methods that evade the scanner's dangerous-function checks, resulting in arbitrary command execution when the victim subsequently calls pickle.load(). The flaw turns picklescan from a security control into a false-assurance tool for ML pipelines that consume untrusted PyTorch models. Publicly available exploit code exists via the GHSA advisory, though no public exploit identified in active campaigns at time of analysis.

Deserialization Picklescan
NVD GitHub
CVSS 4.0
7.6
EPSS
0.3%
CVE-2026-56052 HIGH This Week

Blind SQL injection in FunnelKit Funnel Builder for WordPress (versions up to and including 3.15.0.5) allows authenticated attackers with high privileges to inject arbitrary SQL queries against the underlying database. The flaw is reported by Patchstack and tracked as CWE-89; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The CVSS scope change combined with confidentiality impact indicates database contents beyond the plugin context can be exfiltrated one bit at a time via blind techniques.

SQLi Funnel Builder By Funnelkit
NVD VulDB
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-11998 HIGH This Week

Arbitrary JavaScript execution in AngularJS (all versions from 1.2.0-rc.3 onward) arises from a flaw in Strict Contextual Escaping (SCE) where resource-URL allowlist regular expressions are matched against URLs as partial rather than whole-string matches, letting attacker-controlled values slip past trusted-URL policies. A successful bypass runs script in the victim's browser session (script src, iframe documents, route templates), enabling client-side compromise; the framework is End-of-Life with no upstream fix, and a CodePen demonstration of the bypass is publicly available. No CISA KEV listing and no evidence of active exploitation were provided.

Information Disclosure
NVD HeroDevs VulDB
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-55583 HIGH PATCH This Week

Cross-workspace data disclosure in Twenty CRM before 2.9.0 lets any authenticated user holding the AI settings flag (a workspace owner by default) read another tenant's AI agent chat history and trigger LLM evaluations against the victim's data on the same instance. By supplying a victim's agentId or turnId to the agentTurns query or evaluateAgentTurn mutation, an attacker retrieves raw chat text, tool calls, and tool outputs that belong to a different workspace. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Twenty
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-8705 HIGH This Week

Unauthenticated SQL injection in the ClearSale Total WordPress plugin (all versions through 3.4.2) allows remote attackers to extract sensitive database contents via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action. The flaw is reachable without authentication because the nopriv AJAX handler ships with a commented-out die() in the nonce-failure branch, and on PHP < 8.0 loose type juggling bypasses the switch/case integer guard. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi PHP WordPress Clearsale Total
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57281 HIGH This Week

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

Jenkins Information Disclosure Jenkins Script Security Plugin
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-9179 HIGH This Week

SQL injection in the WP Forms Connector WordPress plugin (versions up to and including 1.8) allows unauthenticated remote attackers to extract sensitive database contents via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint. The endpoint is exposed with permission_callback '__return_true' and only validates a 'Username' header against an administrator account without verifying the corresponding 'Password', making the authentication check trivially bypassable. No public exploit identified at time of analysis, but the trivial bypass and unsanitized ORDER BY concatenation make weaponization straightforward.

SQLi WordPress Wp Forms Connector
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-9178 HIGH This Week

Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. No public exploit identified at time of analysis, but the trivial nature of the bypass and the exposure of user_pass hashes make this a credible account-takeover vector.

Information Disclosure Authentication Bypass WordPress Wp Forms Connector
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-11352 HIGH PATCH This Week

Remote denial of service in curl and libcurl (versions 8.18.0 through 8.20.0) lets a malicious or compromised HTTP/3 server indefinitely stall a connecting client. The flaw lives in curl's QUIC UDP receive path, where zero-length UDP datagrams are discarded before they are counted against the per-call packet budget, so a peer that streams a continuous flood of empty datagrams keeps the receive loop spinning without ever making progress. There is no public exploit identified at time of analysis, EPSS risk is low (0.28%, 20th percentile), and impact is availability-only (no data compromise).

Denial Of Service Curl Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-52794 HIGH PATCH This Week

Denial of service in Sentry's self-hosted/SaaS event ingestion pipeline (versions 24.4.0 through 26.5.1) lets remote actors who can submit events stall worker CPU via a Regular Expression Denial of Service (ReDoS). A loosely-written hostname-detection regex in the grouping parameterization stage (parameterization.py) backtracks catastrophically on crafted attacker-controlled event fields, exhausting CPU and degrading or halting event processing. No public exploit identified at time of analysis and it is not in CISA KEV, but the fix (26.5.2) and the triggering regex are publicly disclosed in the GitHub advisory and PR #116587, lowering the bar to reproduce.

Denial Of Service Sentry
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-50129 HIGH PATCH This Week

Denial of service in Mastodon affects all self-hosted instances prior to 4.5.11, 4.4.18, and 4.3.24, where the math content sanitizer fails to handle exceptions raised while processing malformed `<math>` nodes (MathML). A remote attacker can craft content containing broken math markup that propagates an uncaught exception, crashing whole-server services or disrupting service for targeted users depending on which component processes the malformed node. No public exploit has been identified at time of analysis, and the issue is not in CISA KEV; CVSS is 7.5 with availability-only impact.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12064 HIGH PATCH This Week

SSH host-key verification bypass in curl/libcurl (versions through 8.20.0) lets a network man-in-the-middle silently impersonate an SFTP/SCP server when a user invokes curl with a schemeless URL plus '--proto-default sftp' (or scp). In this specific invocation the command-line tool layer misidentifies the scheme and skips setting CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS, while libcurl still honors CURLOPT_DEFAULT_PROTOCOL and completes the connection, so curl connects to an unverified host without any error. Tagged an Authentication Bypass; EPSS is low (0.21%, 11th percentile) and no public exploit was identified at time of analysis.

Authentication Bypass Curl Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-9546 HIGH This Week

Information disclosure in libcurl (versions 8.18.0 through 8.20.0) causes the HTTP Referer header to persist on a reused easy handle even after an application explicitly clears it by passing NULL to CURLOPT_REFERER. Because the internal referrer state is not reset, a previously set referrer string is silently re-sent on later requests, potentially leaking sensitive URL data (paths, tokens, or query parameters) to unintended destination servers. There is no public exploit identified at time of analysis, EPSS risk is low (0.21%, 11th percentile), and it is not listed in CISA KEV.

Information Disclosure Curl
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-11586 HIGH PATCH This Week

Denial of service in curl 8.16.0 through 8.20.0 lets a malicious WebSocket server exhaust all client memory by flooding it with rapid, sequential PING frames. Because curl auto-responds to PINGs by default and imposes no upper bound on memory buffered for unacknowledged frames, the queue of pending PONG responses grows unbounded until the process is OOM-killed. EPSS is low (0.21%, 11th percentile) and there is no public exploit identified at time of analysis, consistent with an availability-only issue affecting the subset of deployments that actually use curl's WebSocket support.

Denial Of Service Curl Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53950 HIGH PATCH This Week

Cross-site scripting (JavaScript injection) in Ghost's ActivityPub client (@tryghost/activitypub) prior to version 3.1.0 allows a malicious federated server to embed attacker-controlled script in shared posts that executes in the browser of a victim Ghost user who views the content. The flaw stems from improper sanitization of post content received over ActivityPub federation, enabling session theft or actions performed in the victim's authenticated context. There is no public exploit identified at the time of analysis, and the issue is not listed in CISA KEV.

XSS Ghost
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52981 HIGH PATCH This Week

Memory exhaustion in the Linux kernel networking stack stems from a socket buffer (SKB) leak in neigh_xmit(): when the function is called against an uninitialized neighbour table - for example NEIGH_ND_TABLE while IPv6 is disabled - it returns -EAFNOSUPPORT and bypasses its out_kfree_skb path, leaking the packet buffer because callers (originally MPLS) rely on neigh_xmit() to take ownership of the skb. Repeated triggering slowly exhausts kernel memory, leading to denial of service (CVSS 7.5, A:H). There is no public exploit identified at time of analysis, and EPSS is low (0.19%, 9th percentile); the upstream fix makes neigh_xmit() assume full ownership and free the skb on every path.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52957 HIGH PATCH This Week

Denial of service in the Linux kernel's libceph client allows a malicious or corrupted Ceph cluster to crash the kernel via a null pointer dereference in decode_choose_args(). When processing a CEPH_MSG_OSD_MAP message, a crafted CRUSH map containing choose_args with a bucket_index that points to a NULL (unallocated) bucket triggers the crash, because the code validated only that the index stayed within max_buckets, not that the target bucket was non-NULL. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.18%, 8th percentile), and the issue is patched upstream.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52954 HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) subsystem allows a malicious or compromised Ceph monitor/OSD to crash a connected client by sending a crafted CEPH_MSG_OSD_MAP whose embedded CRUSH map carries two choose_args maps sharing the same choose_args_index. The duplicate index trips an assertion in insert_choose_arg_map() during decode_choose_args(), triggering a kernel BUG and panic. CVSS is 7.5 (availability-only); there is no public exploit identified at time of analysis and EPSS is low at 0.18% (8th percentile).

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52946 HIGH PATCH This Week

Remote denial of service in the Linux kernel arises from a SOFTIRQ-safe to SOFTIRQ-unsafe lock-ordering deadlock in the fasync signaling path (fs/fcntl), where send_sigio() and send_sigurg() take read_lock(&tasklist_lock) from softirq context while traversing a process group (PIDTYPE_PGID). When this collides with a writer spinning on tasklist_lock during fork()/exit(), the CPU can deadlock and hang. The flaw is reachable remotely via TCP URG packets (send_sigurg through NET_RX_SOFTIRQ), affects multiple stable branches, and is fixed by switching the traversal to RCU. There is no public exploit identified at time of analysis and EPSS is low (0.18%).

Code Injection Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52974 HIGH PATCH This Week

Memory exhaustion (denial of service) in the Linux kernel's TLS device-offload receive path, where a failure during hardware offload setup leaks the strparser anchor socket buffer (skb) and never frees it. Affecting kernels from the introduction of the custom strparser (commit 84c61fe1a75b) onward, repeated triggering of the offload setup-failure path slowly drains kernel memory; CVSS rates availability impact High (7.5) but EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis. The regression was introduced by the kTLS-specific strparser rewrite and does not affect kernels using the standard strparser.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53003 HIGH PATCH This Week

Denial of service in the Linux kernel's PPPoE/PPP driver allows a malicious or broken peer to crash affected hosts by sending PPP frames with a compressed (1-byte) Protocol Field. Because pppd never negotiates Protocol Field Compression for PPPoE yet ppp_input() still accepted compressed frames, the payload is shifted one byte, producing a 4-byte misaligned network header that can raise unaligned-access exceptions on architectures that do not tolerate them. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52998 HIGH PATCH This Week

Kernel panic (denial of service) in the Linux kernel netfilter nfnetlink_osf module occurs because nf_osf_ttl() dereferences skb->dev during its TTL check without validating the device pointer, allowing a crafted packet to trigger a NULL pointer dereference on hosts using the OS-fingerprint (osf) match. The flaw affects systems with nftables/iptables rulesets that employ the osf TTL check, and is rated availability-only impact (CVSS 7.5, AV:N/A:H). There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and it is not in CISA KEV; the fix has been merged across multiple stable trees.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52983 HIGH PATCH This Week

Denial-of-service (TX queue stall) in the Linux kernel's Airoha QDMA Ethernet driver affects systems running on Airoha/MediaTek SoCs where airoha_dev_xmit() accounts inflight packets only across AIROHA_NUM_TX_RING queues while the NAPI completion path settles all netdev TX queues, corrupting Byte Queue Limits (BQL) state. The mismatch can wedge transmit queues and degrade or halt network throughput on the device. EPSS is 0.17% (7th percentile) and there is no public exploit identified at time of analysis; an upstream stable fix exists.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53026 HIGH PATCH This Week

Denial of service in the Linux kernel's NFSD (in-kernel NFSv4 server) arises from an nfs4_file reference-count leak in nfsd4_add_rdaccess_to_wrdeleg, where __nfs4_file_get_access is wrongly called even when another thread has already taken READ access on the file. The leaked fi_access count keeps the backing nfsd_file pinned, so stopping the nfs-server service triggers a kernel BUG in kmem_cache_destroy() because nfsd_file objects remain on cache shutdown. The flaw affects systems running the in-kernel NFS server (fixed in 6.18.33, 7.0.10, and 7.1); there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52922 HIGH PATCH This Week

Denial of service in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem allows a crash via NULL pointer dereference in the Distributed ARP Table (DAT) forwarding path. The function batadv_dat_forward_data() fails to check the return value of pskb_copy_for_clone() before passing the cloned skb to batadv_send_skb_prepare_unicast_4addr(), so a failed allocation while forwarding to a DHT candidate triggers a kernel oops. Affects systems running batman-adv mesh networking; this is a memory-pressure-dependent crash with no public exploit identified at time of analysis (EPSS 0.17%, 6th percentile), and it is not listed in CISA KEV.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52929 HIGH PATCH This Week

Remote denial-of-service in the Linux kernel SCTP stack arises from incomplete rollback when an ADD_OUT_STREAMS (add outgoing streams) reconfiguration request is denied; the kernel shrinks queued chunks and lowers outcnt but leaves stale stream metadata behind, so a later stream re-add reuses a freed/stale 'ext' object and triggers a NULL-pointer dereference in the scheduler get path. Any remote SCTP peer that can negotiate stream reconfiguration on an established association can crash the host, with no authentication or user interaction required per the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.16%), indicating no observed weaponization.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52960 HIGH PATCH This Week

Denial of service in the Linux kernel's CephFS (ceph) client allows local users with an active CephFS mount to leak kernel memory by triggering the dirty-page writeback path. The flaw stems from a missing reference release on folios that the writeback batch holds but removes as unsuitable, gradually pinning pages and exhausting kernel memory (CVSS 7.5, availability-only). No public exploit identified at time of analysis; EPSS is low at 0.16% (6th percentile), and it is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52956 HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) component allows a malicious or compromised Ceph peer to crash a connecting host during the CephX authentication handshake. The flaw lives in __ceph_x_decrypt(), which reads a ceph_x_encrypt_header (notably hdr->magic) from a decrypted buffer without first verifying the buffer is large enough - a FRAME_TAG_AUTH_REPLY_MORE frame carrying a ciphertext_len of 8 or fewer bytes triggers an out-of-bounds memory access. CVSS is 7.5 (availability-only); EPSS is low at 0.16% (6th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy