Skip to main content
CVE-2026-50016 HIGH POC PATCH GHSA This Week

Path traversal in pnpm before 10.34.0 and 11.4.0 lets a malicious registry package smuggle '../' segments inside a transitive dependency alias, which pnpm then trusts as a filesystem path while linking dependency nodes. During a normal install - even with `pnpm install --ignore-scripts` - this allows a published package to replace paths inside the victim's project with symlinks pointing at attacker-controlled dependency directories, corrupting project integrity and enabling downstream code execution. No public exploit is identified at time of analysis; risk is amplified because the bug fires without lifecycle scripts, defeating the `--ignore-scripts` safety habit.

Path Traversal Pnpm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-55698 HIGH POC PATCH GHSA This Week

Arbitrary code execution in the pnpm package manager (versions prior to 10.34.2 and 11.5.3) lets a malicious repository hijack pnpm's automatic version-switching mechanism. By committing crafted package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml - including matching pnpm and @pnpm/exe versions plus package records and snapshots - an attacker bypasses fresh package-manager resolution and causes pnpm to install and execute attacker-selected bytes when a developer runs pnpm in the cloned repo. No public exploit identified at time of analysis; the high CVSS of 8.8 reflects full confidentiality, integrity, and availability impact, gated only by the user running pnpm against the poisoned repository.

Authentication Bypass Pnpm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-55697 HIGH POC PATCH GHSA This Week

Arbitrary command execution in pnpm before 10.34.2 and 11.5.3 allows a malicious repository to run attacker-chosen native binaries as the developer or CI user during a routine install. The flaw stems from pnpm processing configDependencies in pnpm-workspace.yaml before command dispatch: a repo could declare pacquet/@pnpm/pacquet as a config dependency, causing pnpm to resolve a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config and spawn it. Publicly available exploit code exists, though EPSS is low (0.12%, 2nd percentile) and it is not in CISA KEV.

Command Injection Pnpm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-5305 HIGH POC PATCH This Week

Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.

WordPress XSS Email Address Encoder Email Encoder Premium
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-56770 HIGH POC This Week

Denial of service in libais through version 0.15 lets remote unauthenticated attackers crash AIS-processing services and vessel systems by sending malformed AIVDM sentences. The VdmStream::AddLine routine treats an unchecked sentinel value as a vector index when a sentence carries an empty or out-of-range sequential message ID, producing an out-of-bounds vector access (CWE-129) and potential memory corruption. Publicly available exploit code exists and the issue was reported by VulnCheck, though it is not listed in CISA KEV.

Denial Of Service Libais
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56122 HIGH POC This Week

Arbitrary file read in Winstone Servlet Engine (versions through 0.9.10) lets unauthenticated remote attackers retrieve any file readable by the servlet process by embedding dot-dot-slash sequences in HTTP GET request paths to the static-file handler. The flaw stems from missing path sanitization when resolving requests against the configured webroot, and publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV. Impact is confidentiality-only but high, escalating to disclosure of OS-level secrets when the engine runs with elevated privileges.

Path Traversal Winstone Servlet Container
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56766 HIGH POC PATCH This Week

Remote code execution in THC Hydra through 9.7 allows a malicious or attacker-controlled server to compromise the machine running the Hydra brute-force client during NTLM authentication. When Hydra connects to such a server across its SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, or HTTP-Proxy-Urlenum modules, a crafted NTLM Type-2 challenge with an overlong domain string causes the base64-encoded response to overflow a 500-byte stack buffer by 18 to 330 bytes, enabling code execution on hosts lacking stack protection. No public exploit identified at time of analysis, but a vendor patch (commit 9cc84c2) is available, and the issue inverts the usual threat model - the operator of the offensive tool becomes the victim.

Buffer Overflow Stack Overflow RCE Thc Hydra
NVD GitHub VulDB Exploit-DB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-50021 HIGH POC PATCH GHSA This Week

Integrity-check bypass in the pnpm package manager (versions before 10.34.0/10.34.1 and 11.0.0-11.3.x) lets tampered packages install silently because the tarball extraction worker skips hash verification whenever the lockfile resolution has no `integrity` field. An attacker who can both edit `pnpm-lock.yaml` to drop the `integrity:` line and cause the referenced registry URL to serve altered content can push a malicious package through `pnpm install --frozen-lockfile` without any integrity error - a fail-open gap that npm's `npm ci` does not share. Publicly available exploit code exists; EPSS is low (0.12%, 2nd percentile) and the issue is not in CISA KEV.

Node.js Information Disclosure Pnpm
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-60464 HIGH POC This Week

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_load_from_state_internal function of the SEI loader filter (src/filters/sei_load.c). Processing a maliciously crafted MPEG-2 Transport Stream file causes the parser to dereference a dangling pointer, crashing the application. Publicly available exploit code (a PoC test case and write-up) exists, though the issue is not listed in CISA KEV and carries a low EPSS exploitation probability (0.17%, 6th percentile).

Memory Corruption Denial Of Service Use After Free N A
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-38640 HIGH POC This Week

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a process by supplying a crafted string that reaches a panicking `unwrap()` inside the `__assert_fail` function in /assert/mod.rs. Any program linked against the affected relibc that routes attacker-influenced data through an assertion failure path can be forced to abort. Publicly available exploit code exists, but the issue is not listed in CISA KEV and EPSS is low (0.17%, 6th percentile), indicating no observed widespread exploitation.

Denial Of Service N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-38637 HIGH POC This Week

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.

Denial Of Service N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-9702 HIGH POC PATCH This Week

Order shipping-destination tampering in the InPost PL WooCommerce plugin (versions before 1.9.1) lets unauthenticated remote attackers silently change the parcel-locker delivery point of any order still in 'pending' or 'processing' status, because the plugin never verifies the request comes from the legitimate buyer. Publicly available exploit code exists and a vendor patch has been released, though this is not listed in CISA KEV (no public exploit identified as actively exploited at time of analysis beyond the published POC). With CVSS 7.5 and an integrity-only impact, the practical risk is shipment redirection / parcel theft rather than data disclosure.

WordPress Information Disclosure Inpost Pl
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-50015 HIGH POC PATCH GHSA This Week

Arbitrary file write and deletion in pnpm package manager (versions prior to 10.34.0 and 11.4.0) lets a malicious contributor abuse the @pnpm/patch-package pipeline, which applies `.patch` files without validating the file paths in their `diff --git` headers. Because patch diff headers are opaque to most code reviewers, an attacker can slip `../../` traversal sequences into a pull request and, when a maintainer runs `pnpm install`, write attacker-controlled content to or delete arbitrary files with the privileges of the installing user. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the moderate-to-high CVSS of 7.3 reflects high integrity and availability impact gated by required user interaction.

Path Traversal Pnpm
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-50014 HIGH POC PATCH GHSA This Week

Arbitrary command execution in pnpm before 10.34.0 and 11.4.0 allows a malicious lockfile to run code on a developer's machine during `pnpm install`. Because pnpm passes the lockfile-controlled `resolution.commit` to `git fetch`/`git checkout` without a `--` separator or 40-hex-character validation, an attacker can substitute the expected commit hash with a Git option such as `--upload-pack=<command>`, which Git executes for SSH and local (file://) transports. Publicly available exploit code exists (POC), but there is no public exploit identified as actively exploited; EPSS is low (0.17%, 7th percentile), consistent with a developer-targeted supply-chain vector rather than mass internet scanning.

Information Disclosure Pnpm
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-45233 HIGH POC This Week

Arbitrary file relocation in HTMLy CMS through version 3.1.1 allows low-privileged authenticated users to move any web-server-writable file by injecting directory traversal sequences into the oldfile parameter of the admin autosave endpoint. Reported by VulnCheck with publicly available exploit code, the flaw stems from passing unsanitized input directly to file_exists() and rename() in admin.php. It is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis despite the available POC.

Path Traversal PHP Htmly
NVD GitHub
CVSS 4.0
7.2
EPSS
0.6%
CVE-2026-57520 HIGH POC PATCH This Week

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a Custom role with the ManageUsers permission delete Admin accounts from the organization, undermining administrative control. The flaw stems from the bulk user-remove (DELETE) endpoint omitting the role-hierarchy guard that the single-user removal path enforces, so a lower-privileged user can strip Admins by submitting their organization-user IDs in a batch request. Publicly available exploit code exists (VulnCheck/researcher write-up), it is not listed in CISA KEV, and no EPSS score was provided in the input.

Authentication Bypass Privilege Escalation Server
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55700 HIGH POC PATCH GHSA This Week

Path traversal in pnpm's `pnpm stage download` command (versions 11.3.0 through 11.5.2) lets a malicious or compromised registry overwrite arbitrary files reachable by the user running the command. The tool built a local tarball filename directly from registry-controlled package name and version fields, so a crafted manifest (e.g. a version like `1.0.0/../../evil`) escaped the intended download directory. This is fixed in 11.5.3; no public exploit identified at time of analysis, though the fixing PR (#12303) includes proof-of-traversal test cases.

Path Traversal Pnpm
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-56789 HIGH POC This Week

Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applications such as rnx2rtkp and RTKPOST by supplying a malicious RINEX observation file. The readrnxobsb function in src/rinex.c fails to clamp the satellite-count value read from RINEX epoch headers, so a file declaring more than 64 satellites per epoch triggers a heap buffer overflow write and out-of-bounds stack reads. Publicly available exploit code exists (VulnCheck/GitHub issue #796); there is no public exploit identified as actively exploited, and the CVSS 4.0 impact is limited to availability (VA:H).

Heap Overflow Buffer Overflow Rtklib
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56790 HIGH POC PATCH This Week

Denial of service in CANBoat (the open-source NMEA 2000/CAN bus analyzer) through version 6.22 allows attackers to crash the analyzer by delivering a crafted NMEA-2000 message containing an out-of-range PGN value. The flaw is an off-by-one global buffer overflow in the searchForPgn() binary-search routine in analyzer/pgn.c, where an out-of-range PGN causes a one-element read past the end of the pgnList[] table. Publicly available exploit code exists (FuzzingLabs PoC value 393216 via issue #644), and a vendor patch is available; there is no public exploit identified as actively exploited.

Denial Of Service Buffer Overflow Canboat
NVD GitHub
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-56445 HIGH CISA Act Now

Arbitrary file write in the pynetdicom library's qrscp storage SCP application allows a remote, unauthenticated attacker to plant files at attacker-chosen paths on the receiving host. The qrscp C-STORE handler trusts a value taken from an incoming DICOM dataset and passes it into os.path.join() without sanitization, so a crafted instance identifier containing path-traversal sequences escapes the intended storage directory. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 8.8 and unauthenticated network reachability make this a high-priority issue for any exposed DICOM endpoint.

Path Traversal Pynetdicom Library
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-9717 HIGH CISA Act Now

Authenticated command injection in Schneider Electric PowerLogic P7 power metering devices allows a privileged user to execute arbitrary OS commands with elevated privileges over a network-exposed service, fully compromising device integrity, confidentiality, and availability. The flaw (CWE-78) stems from improper neutralization of special elements passed to an underlying OS command. No public exploit identified at time of analysis, and the device is not listed in CISA KEV; EPSS data was not provided.

Command Injection Powerlogic P7
NVD VulDB
CVSS 4.0
8.6
EPSS
1.0%
CVE-2026-50176 HIGH CISA Act Now

Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management system) stems from its WebSocket API enforcing no rate limit on authentication requests, letting a remote, network-positioned attacker flood the authentication endpoint to exhaust resources or rapidly guess credentials for unauthorized access. CISA's ICS-CERT (advisory ICSA-26-176-02) coordinated this issue, which carries a CVSS 4.0 base of 8.7 driven by high availability impact. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Evoke Csms
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-9716 HIGH CISA Act Now

Denial-of-service in Schneider Electric PowerLogic P7 power metering devices allows remote, unauthenticated attackers to crash the device's HMI and configuration functionality by sending malformed requests to exposed network interfaces. The flaw stems from a NULL pointer dereference (CWE-476) that renders local management and configuration unavailable until recovery. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 4.0 base score of 8.7 reflects a high availability impact with no confidentiality or integrity exposure.

Denial Of Service Null Pointer Dereference Powerlogic P7
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-9650 HIGH CISA Act Now

Credential exposure in Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Units & Controllers allows an unauthenticated attacker to recover credentials that are insufficiently protected within device firmware or system files (CWE-522). The recovered credentials can then be used to fully compromise the device when the attacker also has physical access. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; vendor advisory SEVD-2026-160-02 covers the affected OT products.

Authentication Bypass Easylogic T150 Formerly Saitel Dr Remote Terminal Unit Controller Saitel Dp Remote Terminal Unit Controller
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-12921 HIGH CISA Act Now

Arbitrary code execution in AzeoTech DAQFactory (versions 21.1 and prior) arises from a use-after-free flaw triggered when the application parses a maliciously crafted .ctl project/control file. An attacker who can convince an operator to open a booby-trapped .ctl file can corrupt memory and run code in the context of the DAQFactory process on the engineering or HMI workstation. No public exploit is identified at time of analysis and the CVE is not in CISA KEV, but it carries a high CVSS 4.0 base score of 8.4 driven by full confidentiality, integrity, and availability impact.

Memory Corruption Denial Of Service Use After Free RCE Daqfactory
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-12473 HIGH CISA Act Now

Server-side request forgery in the Open Health Imaging Foundation (OHIF) DICOM Web Viewer Framework lets an attacker exfiltrate an authenticated user's OIDC Bearer token by abusing the default-enabled DICOMWebProxy and DICOMJSON data sources, which fetch an attacker-supplied URL without validation while OHIF's global auth service silently attaches the victim's token to the outbound request. Any authenticated user lured into loading a malicious viewer link sends their live credential to an attacker-controlled host, enabling identity takeover against the PACS or backend. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the high-impact token leakage and default-configuration exposure make it a meaningful credential-theft risk.

SSRF Dicom Web Viewer Framework
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-9787 HIGH This Week

Remote code execution in Quest NetVault Backup allows authenticated remote attackers - who can bypass the product's existing authentication mechanism - to run arbitrary OS commands as SYSTEM via the NVBULogDaemon JSON-RPC interface. The flaw stems from unsanitized user-supplied input being passed into a system call (CWE-78), and the credentialed authentication barrier is undermined by an acknowledged bypass, effectively widening exposure. No public exploit has been identified at time of analysis, but the issue was disclosed by Trend Micro ZDI (ZDI-26-376) and carries a CVSS of 8.8.

Command Injection RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
1.4%
CVE-2026-9155 HIGH PATCH This Week

OS command injection in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated operator inject arbitrary shell commands through the plugin's `expression` parameter, which is passed to the underlying `sed` invocation without sufficient sanitization. Because InsightConnect is a SOAR orchestration platform, a low-privileged workflow author or connected user (PR:L) can achieve full code execution in the plugin's runtime context (C:H/I:H/A:H, CVSS 8.8). There is no public exploit identified at time of analysis and the issue is not on CISA KEV.

Command Injection Insightconnect Sed Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.9%
CVE-2026-8658 HIGH PATCH This Week

OS command injection in Rapid7's InsightConnect Tcpdump Plugin (versions before 2.0.0) on Linux lets an authenticated attacker run arbitrary operating-system commands by injecting shell metacharacters into the 'options' or 'filter' parameters, which are unsafely concatenated into a tcpdump shell invocation. An attacker holding low-privileged access to a SOAR workflow that uses this plugin can fully compromise the orchestrator host (high confidentiality, integrity, and availability impact). There is no public exploit identified at time of analysis and the issue is not on the CISA KEV list; EPSS is modest at 0.73%.

Command Injection Insightconnect Tcpdump Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-8664 HIGH PATCH This Week

OS command injection in Rapid7's InsightConnect Finger Plugin (versions prior to 1.0.3) on Linux lets an authenticated attacker run arbitrary operating-system commands by injecting shell metacharacters into the user or host parameters, which are passed unsanitized into a constructed shell command (CWE-78). Because the plugin executes within the InsightConnect SOAR orchestrator, successful exploitation yields full read/write and availability impact on the host running the plugin. No public exploit is identified at time of analysis, and EPSS estimates only a 0.73% 30-day exploitation probability.

Command Injection Insightconnect Finger Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-8659 HIGH PATCH This Week

OS command injection in Rapid7's InsightConnect SQLmap Plugin (versions before 2.0.1) on Linux lets an authenticated InsightConnect user inject arbitrary operating-system commands through the api_host or api_port fields supplied while configuring the plugin's connection. Because the plugin runs inside the InsightConnect orchestration runtime, a successful injection yields code execution in that automation context (CVSS 8.8, CWE-78). No public exploit identified at time of analysis, and SSVC records exploitation status as none; EPSS is modest at 0.73% (50th percentile).

Command Injection Insightconnect Sqlmap Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-9786 HIGH This Week

Remote code execution in Quest NetVault Backup arises through SQL injection in the NVBUDashboard component's JSON-RPC message handler, letting attackers run arbitrary code in the NETWORK SERVICE context. While the flaw nominally requires authentication, ZDI reports the product's authentication mechanism can be bypassed, materially lowering the access bar. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but its CVSS 3.0 base score of 8.8 and full-impact (C:H/I:H/A:H) profile mark it as high priority for any exposed deployment.

SQLi RCE Netvault Backup
NVD VulDB
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9785 HIGH This Week

Remote code execution in Quest NetVault Backup arises from a SQL injection flaw in the handling of NVBULibrarySlot JSON-RPC messages, where a user-supplied string is concatenated into a SQL query without validation. Although the JSON-RPC interface nominally requires authentication, ZDI notes the existing authentication mechanism can be bypassed, so a remote attacker can reach the vulnerable code path and execute arbitrary code in the context of the NETWORK SERVICE account. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9784 HIGH This Week

SQL injection in Quest NetVault Backup's NVBULibraryPort JSON-RPC handler allows remote attackers to execute arbitrary code as NETWORK SERVICE on affected installations. While exploitation nominally requires authentication (CVSS PR:L), the ZDI advisory states the existing authentication mechanism can be bypassed, effectively lowering the barrier to remote attackers. There is no public exploit identified at time of analysis and no CISA KEV listing, but the issue was coordinated through Trend Micro's Zero Day Initiative (ZDI-CAN-27631 / ZDI-26-373) and carries a CVSS 3.0 base score of 8.8.

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9783 HIGH This Week

SQL injection leading to remote code execution affects Quest NetVault Backup, where the NVBURemovableMedia component fails to validate a user-supplied string before constructing SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, effectively lowering the barrier to network-based attackers who can then execute code in the context of the NETWORK SERVICE account. No public exploit identified at time of analysis; the issue was reported privately by Trend Micro's Zero Day Initiative (ZDI-CAN-27632 / ZDI-26-372).

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9782 HIGH This Week

Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBUDeviceDrive JSON-RPC message handler, where a user-supplied string is concatenated into a SQL query without validation (CWE-89). Although the product requires authentication, the existing authentication mechanism can be bypassed, so remote attackers can reach the flaw and execute arbitrary code in the context of the NETWORK SERVICE account. Discovered and reported through Trend Micro's Zero Day Initiative (ZDI-26-371, formerly ZDI-CAN-27633); no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

SQLi RCE Netvault Backup
NVD VulDB
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9781 HIGH This Week

Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBURASDevice JSON-RPC message handler, where attacker-controlled input is concatenated into SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, so attackers can reach the vulnerable endpoint and execute code in the NETWORK SERVICE context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported privately via Trend Micro's Zero Day Initiative (ZDI-26-370 / ZDI-CAN-27648).

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-7570 HIGH This Week

SQL injection leading to remote code execution in Quest NetVault Backup allows attackers to run arbitrary code as the NETWORK SERVICE account by sending crafted JSON-RPC messages to the NVBUDashboard component. While the JSON-RPC interface nominally requires authentication, ZDI reports the existing authentication mechanism can be bypassed, effectively lowering the access barrier. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but it was responsibly disclosed through Trend Micro's Zero Day Initiative (ZDI-26-368, formerly ZDI-CAN-27809).

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9780 HIGH This Week

Authentication bypass via cross-site scripting in Quest NetVault Backup's addclient3 webpage allows remote attackers to inject arbitrary script that executes in a victim's authenticated session, bypassing access controls. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-369, formerly ZDI-CAN-27666), the flaw requires user interaction - the target must visit a malicious page or open a malicious file - and can be chained with other weaknesses to achieve code execution in the SYSTEM context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, though the high CVSS of 8.8 reflects the serious downstream RCE potential.

Authentication Bypass XSS RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-7569 HIGH This Week

Authentication bypass via cross-site scripting in the Quest NetVault Backup viewclient web interface lets remote attackers inject arbitrary script that, when a victim visits a malicious page or opens a malicious file, runs in the application context and circumvents authentication. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-377, ZDI-CAN-28202), the flaw can be chained with additional vulnerabilities to achieve code execution as SYSTEM. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 8.8 rating reflects the high impact of the auth-bypass-plus-RCE chain.

Authentication Bypass XSS RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-6679 HIGH PATCH This Week

Pre-authentication heap buffer overflow in wolfSSL 5.9.0 and earlier affects builds compiled with DTLS 1.3 support, where an integer truncation in the ACK record-number list length computation (Dtls13GetAckListLength using a word16) allocates an undersized buffer that is then overrun during ACK serialization. Because the flaw is reachable before the connecting peer is authenticated, a remote unauthenticated attacker can trigger memory corruption against a DTLS 1.3 endpoint, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.8 reflects primarily a high availability (crash/DoS) impact with limited integrity impact.

Memory Corruption Buffer Overflow Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-53248 HIGH PATCH This Week

Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile); the issue is patched in current stable kernels.

Authentication Bypass Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53198 HIGH PATCH This Week

Use-after-free in the Linux kernel's in-kernel SMB server (ksmbd) lets an authenticated SMB client corrupt kernel slab memory by sending a second SMB2_CANCEL for the same AsyncId of a blocking byte-range lock. The first cancel frees the struct file_lock but takes an early-exit that never unlinks the async work or clears its cancel callback, leaving a live cancel_fn pointing at freed memory in the file_lock_cache (size 192) slab; a racing second cancel re-runs smb2_remove_blocked_lock() on the dangling pointer. The flaw was reproduced on mainline with KASAN by an authenticated client, EPSS is low (0.18%), and there is no public exploit identified at time of analysis.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53277 HIGH PATCH This Week

Local privilege escalation / host compromise risk in the Linux kernel arm64 KVM subsystem arises because __kvm_at_s12() (AT instruction emulation) and __kvm_find_s1_desc_level() invoke the stage-1/nested stage-2 page-table walkers walk_s1() and kvm_walk_nested_s2() without holding kvm->srcu, which those walkers require to guard against concurrent memslot changes. A malicious or compromised guest on an affected arm64 host can race memslot updates against these walks, with CVSS scoring confidentiality, integrity and availability all High under a changed scope (host impact). It is patched in stable trees, EPSS is low (0.17%), and there is no public exploit identified at time of analysis.

Code Injection Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53240 HIGH PATCH This Week

Use-after-free in the Linux kernel's XFRM IP-TFS (IPsec Traffic Flow Confidentiality, RFC 9347) inbound reassembly path lets a race between __input_process_payload() and a concurrent iptfs_reassem_cont()/drop_timer handler operate on a freed sk_buff in skbuff_head_cache, causing memory corruption. The flaw affects kernels from 6.14 (where IP-TFS was introduced) running an IPsec SA in IP-TFS mode, and is fixed in stable releases including 6.18.36, 7.0.13 and 7.1. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 7th percentile).

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53188 HIGH PATCH This Week

Privilege/capability boundary bypass in the Linux kernel RDMA/core subsystem (ib_get_ucaps) lets a local low-privileged user masquerade as an authentic user-capability (ucap) character-device file descriptor. Because char and block devices share the dev_t namespace, the kernel previously validated only the device number, so a block device with a matching dev_t could be passed to ib_get_ucaps() to impersonate a legitimate ucap cdev and obtain RDMA capabilities the user should not hold. The fix validates the file's f_ops to accept only genuine cdevs. EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis; a stable-tree vendor patch is available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53266 HIGH PATCH This Week

Out-of-bounds/illegitimate write in the Linux kernel's bridge netfilter ebtables SNAT target (ebt_snat) lets the optional ARP sender-hardware-address rewrite copy a MAC address into a non-linear skb fragment that is still backed by a splice-imported file page, corrupting memory the kernel should not write to. The flaw affects systems using the bridge ebtables SNAT target with ARP rewrite enabled; the fix makes the ARP SHA range writable via skb_ensure_writable() before skb_store_bits() runs. There is no public exploit identified at time of analysis and EPSS is low (0.17%), but CVSS is rated 8.8 with a scope change reflecting the cross-context write.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53171 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) arises from unchecked arithmetic in dma_length(), allowing a local user with access to the accelerator device to submit a crafted command stream that wraps around integer math and under-reports DMA region sizes. Because region_size[] is later used by ethosu_job.c to validate command-stream accesses against GEM buffer sizes, the wraparound bypasses bounds checking and permits out-of-bounds DMA access (CVSS 3.1 8.8). No public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53170 HIGH This Week

Local privilege escalation and host memory compromise is possible in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) because DMA commands with an uninitialized length sentinel (U64_MAX) bypass the driver's bounds checks. A local user permitted to submit jobs to the NPU can omit the NPU_SET_DMA0_LEN command before NPU_OP_DMA_START, triggering an integer wrap in dma_length() that returns 0, zeroing region_size[] and letting the hardware execute DMA against stale physical addresses. There is no public exploit identified at time of analysis, EPSS is low (0.17%), and the issue is not in CISA KEV, but the rated CVSS of 8.8 reflects full host memory read/write potential via the DMA engine.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53275 HIGH PATCH This Week

Use-after-free in the Linux kernel's IPv6 multicast (MLD) query processing path allows an adjacent-network attacker to corrupt or read freed kernel slab memory by sending a crafted MLD query. The flaw stems from a stale pointer to the multicast group address being dereferenced in __mld_query_work() after pskb_may_pull() reallocated the skb header, confirmed by a KASAN slab-use-after-free report. Carries an 8.8 CVSS (adjacent vector); no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy