Skip to main content
CVE-2026-52974 HIGH PATCH This Week

Memory exhaustion (denial of service) in the Linux kernel's TLS device-offload receive path, where a failure during hardware offload setup leaks the strparser anchor socket buffer (skb) and never frees it. Affecting kernels from the introduction of the custom strparser (commit 84c61fe1a75b) onward, repeated triggering of the offload setup-failure path slowly drains kernel memory; CVSS rates availability impact High (7.5) but EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis. The regression was introduced by the kTLS-specific strparser rewrite and does not affect kernels using the standard strparser.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53003 HIGH PATCH This Week

Denial of service in the Linux kernel's PPPoE/PPP driver allows a malicious or broken peer to crash affected hosts by sending PPP frames with a compressed (1-byte) Protocol Field. Because pppd never negotiates Protocol Field Compression for PPPoE yet ppp_input() still accepted compressed frames, the payload is shifted one byte, producing a 4-byte misaligned network header that can raise unaligned-access exceptions on architectures that do not tolerate them. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52998 HIGH PATCH This Week

Kernel panic (denial of service) in the Linux kernel netfilter nfnetlink_osf module occurs because nf_osf_ttl() dereferences skb->dev during its TTL check without validating the device pointer, allowing a crafted packet to trigger a NULL pointer dereference on hosts using the OS-fingerprint (osf) match. The flaw affects systems with nftables/iptables rulesets that employ the osf TTL check, and is rated availability-only impact (CVSS 7.5, AV:N/A:H). There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and it is not in CISA KEV; the fix has been merged across multiple stable trees.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52983 HIGH PATCH This Week

Denial-of-service (TX queue stall) in the Linux kernel's Airoha QDMA Ethernet driver affects systems running on Airoha/MediaTek SoCs where airoha_dev_xmit() accounts inflight packets only across AIROHA_NUM_TX_RING queues while the NAPI completion path settles all netdev TX queues, corrupting Byte Queue Limits (BQL) state. The mismatch can wedge transmit queues and degrade or halt network throughput on the device. EPSS is 0.17% (7th percentile) and there is no public exploit identified at time of analysis; an upstream stable fix exists.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53026 HIGH PATCH This Week

Denial of service in the Linux kernel's NFSD (in-kernel NFSv4 server) arises from an nfs4_file reference-count leak in nfsd4_add_rdaccess_to_wrdeleg, where __nfs4_file_get_access is wrongly called even when another thread has already taken READ access on the file. The leaked fi_access count keeps the backing nfsd_file pinned, so stopping the nfs-server service triggers a kernel BUG in kmem_cache_destroy() because nfsd_file objects remain on cache shutdown. The flaw affects systems running the in-kernel NFS server (fixed in 6.18.33, 7.0.10, and 7.1); there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52922 HIGH PATCH This Week

Denial of service in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem allows a crash via NULL pointer dereference in the Distributed ARP Table (DAT) forwarding path. The function batadv_dat_forward_data() fails to check the return value of pskb_copy_for_clone() before passing the cloned skb to batadv_send_skb_prepare_unicast_4addr(), so a failed allocation while forwarding to a DHT candidate triggers a kernel oops. Affects systems running batman-adv mesh networking; this is a memory-pressure-dependent crash with no public exploit identified at time of analysis (EPSS 0.17%, 6th percentile), and it is not listed in CISA KEV.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52929 HIGH PATCH This Week

Remote denial-of-service in the Linux kernel SCTP stack arises from incomplete rollback when an ADD_OUT_STREAMS (add outgoing streams) reconfiguration request is denied; the kernel shrinks queued chunks and lowers outcnt but leaves stale stream metadata behind, so a later stream re-add reuses a freed/stale 'ext' object and triggers a NULL-pointer dereference in the scheduler get path. Any remote SCTP peer that can negotiate stream reconfiguration on an established association can crash the host, with no authentication or user interaction required per the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.16%), indicating no observed weaponization.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52960 HIGH PATCH This Week

Denial of service in the Linux kernel's CephFS (ceph) client allows local users with an active CephFS mount to leak kernel memory by triggering the dirty-page writeback path. The flaw stems from a missing reference release on folios that the writeback batch holds but removes as unsuitable, gradually pinning pages and exhausting kernel memory (CVSS 7.5, availability-only). No public exploit identified at time of analysis; EPSS is low at 0.16% (6th percentile), and it is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52956 HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) component allows a malicious or compromised Ceph peer to crash a connecting host during the CephX authentication handshake. The flaw lives in __ceph_x_decrypt(), which reads a ceph_x_encrypt_header (notably hdr->magic) from a decrypted buffer without first verifying the buffer is large enough - a FRAME_TAG_AUTH_REPLY_MORE frame carrying a ciphertext_len of 8 or fewer bytes triggers an out-of-bounds memory access. CVSS is 7.5 (availability-only); EPSS is low at 0.16% (6th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53087 HIGH PATCH This Week

Denial-of-service via resource leak in the Linux kernel's Broadcom GENET (bcmgenet) Ethernet driver allows the transmit buffer-descriptor (BD) pool to be slowly exhausted. When the driver reclaims a TX queue and fast-forwards the write pointer to drop in-flight frames, those dropped frames' buffer descriptors are never returned to the free_bds pool and the netdev is not told the frames were dropped, gradually starving the TX ring until the interface can no longer transmit. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and a vendor (stable-tree) patch is available; the impact is availability-only (CVSS A:H, C:N/I:N).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53069 HIGH PATCH This Week

Denial of service in the Linux kernel network/BPF subsystem allows a NULL-pointer dereference and kernel panic via xdp_master_redirect() when XDP frames are redirected through a bonding master that was never brought up. Because bpf_master_redirect_enabled_key is a global static key, attaching native XDP to any bond device system-wide enables the XDP_TX→xdp_master_redirect() interception for every slave, letting traffic reach bond_rr_gen_slave_id() against a round-robin bond whose per-CPU rr_tx_counter is still NULL (allocated only in bond_open()). Exploitation probability is low (EPSS 0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the original crash was discovered and reproduced by syzkaller.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52932 HIGH PATCH This Week

Memory leak in the Linux kernel's xfrm IPComp (IP Payload Compression) code allows resource exhaustion because the destination scatter-gather page list is not freed when an asynchronous compression (acomp) operation fails. Affecting Linux 6.15 through the fixed stable releases, the flaw lets repeated compression errors progressively consume kernel memory, with CVSS scoring only availability impact (A:H). There is no public exploit identified at time of analysis and EPSS is low at 0.15%.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13029 HIGH PATCH This Week

Heap corruption in Google Chrome's Web Authentication (WebAuthn) component affects all desktop builds prior to 149.0.7827.197, where a use-after-free (CWE-416) can be triggered by a malicious browser extension. An attacker who first convinces a victim to install a crafted extension can reach the freed object and potentially achieve code execution. Rated High by Chromium with a CVSS 7.5; there is no public exploit identified at time of analysis and CISA SSVC marks exploitation as none.

Memory Corruption Denial Of Service Use After Free Google Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-53070 HIGH PATCH This Week

Denial-of-service (packet drops and severe throughput degradation) affects the Linux kernel SCTP-over-UDP encapsulation path, where udp_tunnel_xmit_skb()/udp_tunnel6_xmit_skb() were called without disabling bottom halves. After the xmit recursion-limit change (commit 6f1a9140ecda), the unbalanced per-CPU dev_xmit_recursion_inc/dec pairing can misdetect recursion and drop packets in ip(6)_tunnel_xmit() or __dev_queue_xmit(). CVSS 7.5 (A:H) reflects availability impact only; EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-9545 HIGH PATCH This Week

Information disclosure in libcurl (curl 8.11.0 through 8.20.0) allows a network man-in-the-middle to capture sensitive request data when TLS early data (0-RTT) is combined with SSL session ID caching. If an application enables the CURLSSLOPT_EARLYDATA bit and leaves the session cache active, libcurl can transmit a resumed request's bytes on a reconnection before it enforces a certificate verification failure, so an attacker who impersonates the original host without a valid certificate may receive the leaked data. No public exploit identified at time of analysis, and EPSS is low (0.13%), reflecting the non-default configuration and active-MITM prerequisite.

Information Disclosure Curl
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8932 HIGH This Week

Incorrect mTLS connection reuse in libcurl (curl releases through 8.16.0) causes the library to reuse a pooled TLS connection even after client-certificate options - notably the private key - were changed in a way that should have forced a fresh handshake. Because those client-certificate settings were omitted from the connection-match logic, a later transfer can be sent over a connection authenticated with the wrong client identity, an integrity failure tagged as information disclosure. Rated CVSS 7.5 (C:N/I:H/A:N); EPSS is only 0.13% and there is no public exploit identified at time of analysis, though a HackerOne report (#3733910) drove the private disclosure.

Information Disclosure Curl
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-52945 HIGH PATCH This Week

Denial of service in the Linux kernel's WireGuard module causes the receive/decryption path to permanently stall for an individual peer under heavy network load. Affected stable trees (notably 6.12.34 through 6.12.73, with the same defect originating in 5.15/6.1 where threaded NAPI became default) can have inbound traffic to a specific WireGuard peer halt completely once the per-peer rx_queue fills its 1024-packet backlog and wg_packet_rx_poll is never rescheduled. The condition was reported by multiple production Cilium/Kubernetes operators; there is no public exploit identified at time of analysis and EPSS is very low (0.10%, 1st percentile).

Linux Kubernetes Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-9778 HIGH This Week

Authenticated remote code execution in ATEN Unizon arises from a directory traversal flaw in the ImportDeviceList method, where a user-supplied file path is used in file operations without proper validation. A high-privileged remote attacker can traverse outside intended directories to write or manipulate files and ultimately execute arbitrary code in the SYSTEM context, fully compromising the host. Discovered and reported via the Zero Day Initiative (ZDI-26-382 / ZDI-CAN-28579); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal RCE Unizon
NVD
CVSS 3.0
7.2
EPSS
1.5%
CVE-2026-9777 HIGH This Week

Authenticated remote code execution in ATEN Unizon arises from a directory traversal flaw in the restoreDB method, where a user-supplied path is used in file operations without validation, letting a high-privileged attacker write or restore files outside the intended directory and run code as SYSTEM. The flaw was reported through Trend Micro's Zero Day Initiative (ZDI-CAN-28578 / ZDI-26-381) and carries a CVSS 3.0 base score of 7.2 (PR:H). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Path Traversal RCE Unizon
NVD
CVSS 3.0
7.2
EPSS
1.5%
CVE-2026-55759 HIGH PATCH This Week

Authentication bypass in Rocket.Chat's Apple Sign-In handler allows attackers to impersonate any user by replaying a captured Apple identity token. The handler verifies the JWT signature but skips validation of the aud, exp, nbf, and nonce claims, so any Apple-signed token with a non-empty iss is accepted indefinitely with no replay-window expiry. Affected versions are those prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Apple Rocket Chat
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-9547 HIGH PATCH This Week

Host key verification bypass in libcurl affects applications using the CURLOPT_SSH_KEYFUNCTION callback for SCP:// or SFTP:// transfers, where a server presenting a host key of a different type than the one already recorded in known_hosts is silently accepted instead of rejected. This lets a network-positioned attacker impersonate a trusted SSH server and mount a man-in-the-middle attack, exposing and tampering with transferred data. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.19%, 9th percentile), reflecting the specific application configuration and attacker positioning required.

Information Disclosure Curl
NVD VulDB
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-9080 HIGH PATCH This Week

Use-after-free in libcurl 8.13.0 through 8.20.0 occurs when an application calls curl_easy_pause() from inside an event-based CURLMOPT_SOCKETFUNCTION callback, causing libcurl to write a flag through a struct pointer whose backing memory was just freed. Affected are applications built on the curl multi interface using event-based socket callbacks; the flaw can lead to memory corruption or limited information disclosure (tagged Information Disclosure) with low confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, it is not in CISA KEV, and EPSS is low at 0.21% (11th percentile), consistent with a niche triggering pattern rather than mass exploitation.

Information Disclosure Use After Free Memory Corruption Curl
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-12986 HIGH PATCH This Week

Full unauthenticated administrative takeover of Payara Server Full (4.x through 7.2026.x, including 6.2024.x and 6.2025.x) is achievable by chaining a Server-Side Request Forgery in the Admin GUI's DownloadServlet with the absence of CSRF protection (CWE-352). An attacker who lures a logged-in administrator into a crafted request exfiltrates the admin REST session token (gfresttoken) to an attacker-controlled host, then replays it for full domain control and arbitrary code execution via WAR deployment. The CVSS 4.0 vector carries E:P (proof-of-concept maturity), so publicly available exploit code exists; there is no CISA KEV listing and no EPSS score in the provided data.

CSRF SSRF RCE Payara Server
NVD
CVSS 4.0
7.3
EPSS
0.2%
CVE-2026-13201 HIGH This Week

Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick the privileged virt-handler into applying file ownership or permission changes to unintended host paths. The OpenAtNoFollow safeguard is defeated because downstream helpers re-open the descriptor through /proc/self/fd/N with link-following syscalls, so a symlink at the path leaf is dereferenced. There is no public exploit identified at time of analysis, EPSS is very low (0.12%), and CISA SSVC marks exploitation as none.

Information Disclosure Kubevirt Openshift Virtualization
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-7539 HIGH PATCH This Week

Local privilege escalation and arbitrary code execution in the HP Accessory WMI Provider installer bundled with certain HP Docking Stations allows a low-privileged local user to gain elevated (likely SYSTEM) execution. The root cause is insecure temporary-file/directory permissions used during installation (CWE-379), which an attacker can abuse to introduce or replace executable content that a privileged installer process runs. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; HP has published advisory hpsbhf04129 and is releasing software updates.

HP Privilege Escalation RCE Hp Dock Accessory
NVD
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-9779 HIGH This Week

Authenticated remote code execution in ATEN Unizon stems from a broken cryptographic signature check in the updateWar method (reachable via doCryptoHugeFileToFile), letting a high-privileged remote attacker push a forged WAR update and run arbitrary code as SYSTEM. The flaw (CWE-347) was reported by Trend Micro ZDI as ZDI-CAN-28590 and carries a CVSS 3.0 base score of 7.2; no public exploit identified at time of analysis.

Jwt Attack RCE Unizon
NVD
CVSS 3.0
7.2
EPSS
0.4%
CVE-2026-10092 HIGH NEWS This Week

Stored cross-site scripting in the Cincopa video and media plug-in for WordPress (versions ≤1.163) allows unauthenticated commenters to inject persistent JavaScript via the [cincopa] shortcode processed by the comment_text filter. Any visitor or administrator viewing the affected post executes the attacker's script in their browser session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS WordPress Cincopa Video And Media Plug In
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-12095 HIGH This Week

Server-side request forgery in the Kargo Takip WordPress plugin (versions through 1.2) allows unauthenticated remote attackers to coerce the site into issuing arbitrary HTTP requests via the 'api_url' parameter and to exfiltrate data from internal services. Because the plugin echoes the value of any 'auth' key from the JSON response back to the attacker, it enables direct retrieval of sensitive responses such as cloud instance metadata credentials. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.

SSRF WordPress Kargo Takip
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-12100 HIGH This Week

Server-Side Request Forgery in the WordPress URL Preview plugin (all versions through 1.0) allows unauthenticated attackers to coerce the WordPress server into making arbitrary outbound HTTP requests via the 'url' parameter. The flaw, reported by Wordfence and tracked as CWE-918, enables querying or modifying data on internal services reachable from the WordPress host, including cloud metadata endpoints and internal admin panels. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable given AV:N/AC:L/PR:N/UI:N.

SSRF WordPress Url Preview
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-10091 HIGH NEWS This Week

Stored cross-site scripting in the Email JavaScript Cloak WordPress plugin (versions ≤1.03) allows authenticated contributors and higher to inject arbitrary JavaScript via unsanitized attributes of the plugin's 'email' shortcode. The payload executes in any visitor's browser that renders the affected page, enabling session theft or site defacement. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.

XSS WordPress Email Javascript Cloak
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-9643 HIGH This Week

Unauthenticated stored cross-site scripting in the WP Meta SEO WordPress plugin (versions ≤ 4.5.18 by Joomunited) lets remote attackers persist arbitrary JavaScript into the `wp_wpms_links.link_url` database column by sending HTTP requests with a malicious URI to any 404 path. The payload executes in the browser of any administrator who opens the plugin's '404 & Redirects' admin page, enabling session hijacking or admin-on-behalf actions. No public exploit identified at time of analysis; no KEV listing.

PHP XSS WordPress Wp Meta Seo
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-3652 HIGH This Week

Stored cross-site scripting in the ARForms WordPress plugin (versions ≤7.1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the `value` parameter of the `arf_save_incomplete_form_data` AJAX endpoint, with the payload executing in an administrator's browser when they view the Partial Filled Form Entries dashboard page. No public exploit identified at time of analysis, though Wordfence's disclosure provides enough technical detail to reproduce the injection. Successful exploitation typically leads to admin account takeover and full WordPress site compromise.

XSS WordPress Arforms
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-56231 HIGH PATCH This Week

Cross-tenant build sabotage in Capgo before 12.128.2 allows authenticated users with the app.build_native permission to start or cancel arbitrary builder jobs belonging to other tenants by supplying a victim jobId to the /build/start/:jobId and /build/cancel/:jobId endpoints. The handlers trust the attacker-supplied app_id in the request body and never verify jobId ownership, enabling denial of service, unauthorized compute consumption, and billing impact across tenants. No public exploit identified at time of analysis.

Authentication Bypass Denial Of Service Capgo
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-47110 HIGH PATCH This Week

Persistent denial of service in the Tiptap for PHP library before 2.1.1 lets authenticated users crash the server-side rendering pipeline by submitting Tiptap JSON whose attrs.href is an array rather than a string. The malformed value reaches preg_match() inside Link::isAllowedUri() and triggers an unhandled TypeError; because the bad record is stored, every later attempt to render that content fails for all viewers until the database row is manually fixed. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Denial Of Service PHP Tiptap Php
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-27708 HIGH PATCH This Week

Insecure direct object reference (IDOR) in FOSSBilling's Servicecustom Client API (versions 0.7.2 and prior) lets any authenticated client retrieve another client's custom service records by supplying a guessed sequential order_id, because the __call method fetches the order without an ownership check. The exposed data includes other clients' PII (name, email, phone, address, company details, VAT number) and service configuration, making this a cross-tenant confidentiality breach. No public exploit identified at time of analysis, and the issue is resolved in version 0.8.0.

Authentication Bypass Fossbilling
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57303 HIGH This Week

XML external entity (XXE) injection in the Jenkins Assembla Plugin version 1.4 and earlier lets an attacker who can control the HTTP responses of the configured Assembla server read sensitive files and secrets from the Jenkins controller and pivot into internal services via server-side request forgery. Mapped to CWE-918 (SSRF) with a CVSS 3.1 base score of 7.1 (high), there is no public exploit identified at time of analysis and CISA SSVC rates exploitation as 'none' with only partial technical impact. Exploitation requires the attacker to influence what the Assembla endpoint returns, so it is a targeted rather than mass-exploitable condition.

XXE SSRF Jenkins Jenkins Assembla Plugin
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-12760 HIGH PATCH This Week

Remote denial-of-service in the TP-Link Tapo C200 v3 home security camera allows an unauthenticated attacker on the adjacent network to crash or destabilize the device by sending malformed IPv4 fragmented packets. Exploitation drives excessive resource consumption (CWE-770) and renders the camera unresponsive, causing intermittent loss of live video monitoring and recording. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; TP-Link, who reported it, has released a firmware fix.

Denial Of Service Tapo C200 V3
NVD VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56257 HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 allows authenticated users to directly modify the public.apps.owner_org column via PostgREST, circumventing the intended transfer_app() workflow. Successful exploitation creates a split-brain ownership state where apps.owner_org and app_versions.owner_org diverge, letting the original organization's API keys retain access to version data while the new owning organization controls the app record. No public exploit identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-54070 HIGH POC PATCH GHSA This Week

Stored cross-site scripting in SiYuan personal knowledge management system before 3.7.0 allows a third-party Bazaar package author to execute JavaScript in an Administrator's authenticated workspace origin. The lute sanitizer used by renderPackageREADME relies on a stale event-handler blocklist that omits modern DOM event attributes (onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, ontransitionend), and the rendered README HTML is injected via innerHTML with no client-side DOMPurify and no CSP/X-Frame-Options/X-Content-Type-Options headers. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but successful exploitation yields full control of the victim's workspace.

XSS Siyuan
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52968 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's KVM s390 PCI adapter-interrupt-forwarding (AIF) code allows a low-privileged local actor on IBM Z (s390x) hosts to read and corrupt kernel memory. The flaw stems from double-scaled pointer arithmetic when indexing the GAIT table in kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward(), triggered when an adapter interrupt source (aisb) index reaches 32 or higher under ZPCI_NR_DEVICES=512. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.18%, 8th percentile).

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53041 HIGH PATCH This Week

Memory-safety failure in the Linux kernel OCFS2 filesystem's listxattr() path allows a local low-privileged user to crash the kernel (and potentially leak adjacent kernel heap memory) when an OCFS2 inode carries both inline and block-based extended attributes. Introduced by refactor commit 936b8834366e, the bug causes copy_to_user() to be invoked with a length larger than the allocated list buffer, tripping the hardened usercopy check (kernel BUG at mm/usercopy.c:102). EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not in CISA KEV.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53040 HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's OCFS2 filesystem driver allows a local user to leak kernel memory or crash the system by issuing the OCFS2_IOC_INFO ioctl with the OCFS2_INFO_FL_NON_COHERENT flag against a crafted or malicious OCFS2 image. The non-coherent freefrag scan path trusts the on-disk bg_bits group-descriptor field as a bitmap limit without validation, driving the bitmap walk past the end of the block buffer. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a local, filesystem-mount-dependent kernel bug rather than a remotely scanned threat.

Linux Buffer Overflow Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52917 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's SCTP sock_diag subsystem allows a local attacker to disclose adjacent kernel memory and potentially crash the system by racing a diag dump against association teardown. The exact sock_diag lookup (dump_one path) can hold a transport reference, block on lock_sock(), and resume after sctp_association_free() has reaped the association and freed its bind-address list, causing inet_diag_msg_sctpasoc_fill() to dereference an emptied bind-address list as a valid sctp_sockaddr_entry. CVSS is 7.1 (local, high confidentiality and availability impact); EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52915 HIGH PATCH This Week

Local denial of service and potential information disclosure in the Linux kernel's IPv6 netfilter Hop-by-Hop options match (ip6t_hbh) stems from an off-by-one out-of-bounds array access. A local user able to install xtables rules can supply an oversized optsnr value that the hbh_mt6_check() setup path fails to validate, reading/writing past the fixed 16-entry opts[] array (confirmed via a UBSAN array-index-out-of-bounds report at index 16). There is no public exploit identified at time of analysis and EPSS risk is low (0.18%), but a vendor fix has shipped across multiple stable kernel branches.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52953 HIGH PATCH This Week

Local denial of service in the Linux kernel's Intel VT-d (iommu/vt-d) driver lets a privileged user crash the host by terminating a QEMU/VFIO guest, triggering a general-protection-fault oops. The flaw lives in domain_remove_dev_pasid(), which dereferences the global static blocked domain - a dummy iommu_domain with no backing dmar_domain - during PASID teardown on device reset. No public exploit is identified at time of analysis; EPSS is low (0.17%, 7th percentile) and it is not in CISA KEV.

Linux Canonical Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52942 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel netfilter netdev logger (nf_log_syslog) lets a local low-privileged attacker leak adjacent slab memory into the kernel log and potentially crash the system. The flaw is in dump_mac_header(), whose fallback path tests skb->mac_header != skb->network_header but omits skb_mac_header_was_set(); an unset MAC header (value 0xffff) passes the check and causes a read ~64 KiB past the skb buffer. Fixed in stable kernels (e.g., 6.18.36, 6.12.94, 6.6.143, 6.1.176, 5.15.210, 7.0.13/7.1); no public exploit identified at time of analysis and EPSS is low at 0.17%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53044 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's NVIDIA Tegra Control Backbone (CBB) driver (soc/tegra: cbb) stems from an incorrect ARRAY_SIZE calculation in the fabric lookup tables, which can be triggered during a target timeout lookup on Tegra-based systems. A local, low-privileged attacker on affected Tegra hardware could read out-of-bounds kernel memory (information disclosure) or crash the system (denial of service), with CVSS 7.1. The flaw has been fixed upstream; there is no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53068 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's Arm Mali 'komeda' DRM display driver allows a local low-privileged user to bypass AFBC framebuffer size validation via an integer overflow, supplying an undersized GEM buffer object that the driver treats as valid. Exploitation requires local access to the DRM device on hardware using the komeda driver, and there is no public exploit identified at time of analysis; EPSS probability is very low (0.16%, 6th percentile). The flaw was found by the Linux Verification Center using SVACE static analysis and is fixed across multiple stable kernel series.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52988 HIGH PATCH This Week

Kernel-memory disclosure and denial of service in the Linux kernel's netfilter nf_tables subsystem arises from unsafe RCU list traversal: a netlink dump can walk a basechain/flowtable hook list concurrently with a ruleset update, racing on partially-published hooks. The fix publishes new hooks via splice_list_rcu() during the commit phase so RCU readers see a consistent list. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is a local race condition affecting privileged ruleset operations rather than a remotely reachable flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53076 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's eBPF subsystem (pcpu_init_value) lets a local, low-privileged user with BPF access leak adjacent kernel memory and potentially crash the system. The flaw triggers when a per-CPU map is updated from a BPF_MAP_TYPE_CGROUP_STORAGE map whose value_size is not 8-byte aligned (e.g. 4 bytes), causing copy_map_value_long to read past the true source size. The issue is fixed in stable kernels; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.16%, 5th percentile).

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
Prev Page 5 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy