Skip to main content
CVE-2026-53215 CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver arises from an incorrect RX buffer-recycling order: when mvpp2_rx_refill() fails after the current buffer has already been handed to XDP or attached to an skb, the driver still returns that buffer to the hardware Buffer Manager (BM) pool, allowing the NIC to DMA into memory the RX ring no longer owns. Systems running Marvell Armada SoCs with the mvpp2 driver and XDP or skb RX processing are affected; the fix reorders the refill to complete before the buffer is handed off. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and the CVE is not listed in CISA KEV despite the inflated 9.8 NVD score.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53175 CRITICAL PATCH Act Now

Slab use-after-free in the Linux kernel's IP fragment reassembly (inet frags) layer occurs during network namespace teardown: fqdir_pre_exit() flushes incomplete fragment queues via inet_frag_queue_flush() without clearing q->fragments_tail/last_run_head, so a fragment reassembly already in flight resumes after the flush and dereferences freed skbs. IPv4, IPv6, nf_conntrack_reasm6, and 6lowpan reassembly all share the affected flush path. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile); NVD scores it CVSS 9.8 (AV:N), but the bug is fundamentally a teardown-vs-reassembly race, so the network-unauthenticated framing overstates practical reachability.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53246 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's SCTP stack lets a remote peer corrupt kernel memory by sending a COOKIE_ECHO chunk whose embedded cached INIT chunk advertises an inflated length, which sctp_unpack_cookie() failed to validate against the remaining COOKIE_ECHO buffer before sctp_process_init() walked its parameters. Any host running an SCTP listening server (kernels from 2.6.12 up to the fixed stable releases) is affected, with the kernel-assigned CVSS rating it 9.8/network-unauthenticated, though EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis. Impact ranges from out-of-bounds reads to potential heap corruption during STATE_COOKIE handling and kmemdup() copies.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53151 CRITICAL PATCH Act Now

Out-of-bounds buffer access in the Linux kernel's AF_RXRPC (rxrpc) networking subsystem allows a remote attacker who can send crafted RxRPC-over-UDP traffic to trigger improper reads of the SACK table when an incoming ACK packet is deliberately fragmented. AF_RXRPC wrongly assumes skb_condense() always linearizes the packet before parsing soft-ACKs in rxrpc_input_soft_acks(), but skb_condense() can silently no-op, leading to access of a non-flat buffer and in-place modification of the received skbuff. No public exploit identified at time of analysis; EPSS is low at 0.17% (7th percentile) and this is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53260 CRITICAL Act Now

Denial of service and potential memory corruption in the Linux kernel TCP stack arises from a refcount underflow / use-after-free in reqsk_queue_hash_req(), affecting kernels built with PREEMPT_RT (real-time preemption). On affected systems a request socket (reqsk) can lose both its ehash and timer reference counts when reqsk_queue_hash_req() is preempted between mod_timer() and refcount_set(), letting reqsk_timer_handler() drop the object twice and trigger a use-after-free flagged by refcount_warn_saturate. The fix was reported via syzbot fuzzing; there is no public weaponized exploit identified at time of analysis and the EPSS score is very low (0.15%, 5th percentile), and despite the NVD 9.8 score real-world exploitability is constrained to PREEMPT_RT kernels and a narrow timing window.

Linux Information Disclosure Google Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-60473 MEDIUM POC This Month

NULL pointer dereference in GPAC MP4Box's filter pipeline traversal function crashes the application when processing a specially crafted media file. Affected versions prior to 26.02.0 fail to validate the `pidi->pid` pointer before dereferencing it inside `gf_filter_in_parent_chain` (filter_pid.c:2176), enabling a local attacker to cause a Denial of Service by supplying a malicious input file. No public exploit identification as KEV, but a publicly available proof-of-concept exists on GitHub; EPSS of 0.17% (6th percentile) reflects low observed exploitation probability consistent with the local-only, user-interaction-required attack vector.

Denial Of Service Null Pointer Dereference Gpac
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-71334 CRITICAL PATCH Act Now

Arbitrary file read and write in FlowiseAI Flowise (versions 2.2.8 through 3.0.5) lets remote unauthenticated attackers traverse the filesystem because the chatflowId and chatId parameters are never validated as UUIDs or numbers. By supplying a path-traversal value such as '../../../../../tmp' as the chatflow id, an attacker can write controlled files via the /api/v1/chatflows endpoint and read arbitrary files via /api/v1/get-upload-file and /api/v1/openai-assistants-file/download - and the file-write primitive can be escalated to remote code execution. A proof-of-concept is published in the GHSA advisory, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.

RCE Flowise
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.9%
CVE-2025-71336 CRITICAL PATCH Act Now

Remote code execution in Flowise (versions 2.2.7-patch.1 through pre-3.0.6) lets attackers run arbitrary OS commands by abusing the Custom MCP feature, which is intended to spawn local MCP servers via tools like npx. Because the default installation runs with no authentication (unless FLOWISE_USERNAME/FLOWISE_PASSWORD are set) and lacks role-based access control, an attacker can POST a crafted JSON payload bearing the 'x-request-from: internal' header to /api/v1/node-load-method/customMCP and fully compromise the host container. Publicly available exploit code exists in the GHSA advisory, including a reverse-shell payload via nc.

Command Injection RCE Flowise
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-53131 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's netfilter subsystem allows attackers to leak adjacent kernel memory or crash the host by sending packets that traverse MAC-based matching paths (`xt_mac`, `ip6t_eui64`, the `bitmap:ip,mac`/`hash:ip,mac`/`hash:mac` ipset types, and `nf_log_syslog`) which call `eth_hdr(skb)` without first confirming the skb carries a full Ethernet header. Affected kernels span the 5.15 through 7.1 stable trees prior to the fixed releases, and the impact is information disclosure and denial of service rather than code execution. There is no public exploit identified at time of analysis, and the EPSS score is low at 0.17% (7th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.4
EPSS
0.2%
CVE-2026-50549 CRITICAL PATCH Act Now

Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where a malicious agent can write files outside the protected workspace. Cursor canonicalizes a Write target to confirm it stays in-workspace, but when canonicalization fails it insecurely falls back to the raw path and writes without approval; an agent can deliberately force this failure via an in-workspace symlink pointing outside the workspace (target missing or read permission stripped) to write arbitrary files under the user's privileges. Overwriting the cursorsandbox helper then causes later commands to run unsandboxed, yielding full RCE with no user interaction beyond a benign prompt. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

RCE Cursor
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-50548 CRITICAL PATCH Act Now

Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, where agent terminal commands run in a sandbox that grants write access to the command's working directory. By manipulating the working_directory parameter, a malicious or prompt-injected agent can cause the sandbox to expose writable paths outside the intended workspace, then overwrite the cursorsandbox helper so subsequent commands execute outside the sandbox entirely. There is no public exploit identified at time of analysis, but the vendor rates this 9.3 (CVSS 4.0) with high confidentiality, integrity, and availability impact and notes it requires no user interaction beyond a benign prompt.

Path Traversal RCE Cursor
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2025-71333 CRITICAL Act Now

Unauthenticated arbitrary file upload in Flowise (versions through 2.2.7) lets remote attackers write malicious files to arbitrary locations on the server via the whitelisted /api/v1/attachments endpoint when storageType is set to local (the default). Because the chatId and chatflowId parameters are vulnerable to path traversal, an attacker can escape the intended upload directory and drop a webshell or other executable payload, leading to remote code execution and full server compromise. No public exploit identified at time of analysis, but the flaw is trivially reachable (CVSS 4.0 9.3) and was reported by VulnCheck with a vendor security advisory.

File Upload Path Traversal RCE Flowise
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-55413 CRITICAL PATCH Act Now

Stored code injection in ToolJet self-hosted (prior to 3.20.178-lts) lets any authenticated builder-role user - available on the free tier - overwrite a globally-shared marketplace plugin with arbitrary JavaScript that runs server-side with full Node.js capabilities (require, process). Because the poisoned plugin executes whenever any user on the instance runs a query that uses it, a single low-privileged account achieves remote code execution and an instance-wide supply-chain compromise. The flaw carries a CVSS 4.0 score of 9.4; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Node.js RCE Tooljet
NVD GitHub
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-41566 CRITICAL Act Now

Privilege bypass in Apache Kvrocks exposes the internal APPLYBATCH command without proper permission enforcement, letting an authenticated low-privilege client write raw batches directly to the underlying RocksDB storage engine and bypass the server's command ACL model. The flaw (CWE-280, improper handling of permissions) carries a CVSS 4.0 base of 9.4 due to high integrity and availability impact and an irrecoverable-damage recovery rating. No public exploit identified at time of analysis, and it is not listed in CISA KEV; it was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two sibling Kvrocks CVEs.

Path Traversal Apache
NVD VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2025-71327 CRITICAL Act Now

Authentication bypass in Flowise on-premise (npm package 'flowise', version 3.0.1 and earlier) lets unauthenticated remote attackers POST to the /api/v1/account/register endpoint to self-provision arbitrary user accounts and then log in, obtaining full API access without any prior credentials. The endpoint is open by default and the registration request is reusable, so an attacker can repeatedly create privileged ('type':'pro') accounts. A working proof-of-concept exists (publicly available exploit code exists via the VulnCheck/GHSA advisory), and the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact.

Authentication Bypass Flowise
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-56774 MEDIUM POC PATCH This Month

Authenticated session hijacking via IDOR in Kanboard through 1.2.52 allows any low-privilege user to mass-invalidate the persistent 'Remember Me' sessions of arbitrary users, including administrators, by enumerating sequential integer session IDs against the unguarded `removeSession` endpoint. The root-cause fix - scoping `RememberMeSessionModel::remove()` to the requesting user's own `user_id` - is confirmed in commit 928c68a via PR #5831. A publicly available proof-of-concept exists on GitHub (issue #5829); this vulnerability is not currently listed in the CISA KEV catalog, though the trivially low exploitation barrier warrants prompt patching.

Authentication Bypass Denial Of Service Kanboard
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-57521 MEDIUM POC PATCH This Month

Broken access control in Bitwarden Server before 2026.5.0 exposes organization billing data to any authenticated user via an IDOR vulnerability in the PreviewInvoiceController endpoints. The missing ManageOrganizationBillingRequirement authorization check permits a valid session holder to supply an arbitrary organizationId and retrieve Stripe-derived billing details - including tax totals, subscription status, and customer data - for organizations they do not belong to. A public proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at the time of analysis.

Authentication Bypass Server
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56779 MEDIUM POC PATCH This Month

Server-side request forgery in MaxKB before 2.10.0 allows any authenticated user holding the default workspace USER role to coerce the application server into making arbitrary HTTP requests to attacker-controlled destinations via the `downloadCallbackUrl` and `download_url` parameters on ToolSerializer endpoints. An attacker can pivot through the MaxKB host to probe and extract data from internal network services - cloud metadata APIs, internal databases, adjacent microservices - that would otherwise be inaccessible from outside the network perimeter. A public proof-of-concept exists at GitHub issue #6272; this is not confirmed actively exploited (not in CISA KEV).

SSRF Maxkb
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-54030 CRITICAL PATCH Act Now

Access-token theft in LibreChat before 0.8.5 lets a malicious MCP (Model Context Protocol) server hijack OAuth tokens minted for a legitimate server, because the client never checks that the RFC 9728 resource parameter matches the configured MCP server URL. Any LibreChat operator who connects their instance to an attacker-controlled MCP server can have the OAuth access tokens intended for a trusted server silently exfiltrated. SSVC rates technical impact as total and a proof-of-concept is referenced, but there is no public exploit weaponization and EPSS exploitation probability is very low (0.11%); it is fixed in 0.8.5.

Information Disclosure Librechat
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-54088 CRITICAL POC PATCH GHSA Act Now

Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS commands when the optional Hook Authentication feature is enabled. Because login credentials are interpolated into an external shell command via os.Expand without sanitization, shell metacharacters placed in the username or password field at the login screen execute on the server before authentication occurs. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-m93h-4hw7-5qcm) confirms the flaw and CVSS 4.0 rates it 9.3 (Critical).

Command Injection Filebrowser
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-54836 CRITICAL Act Now

SQL injection in the YMC Filter (YMC Smart Filter / Filter Grids) WordPress plugin lets remote attackers inject malicious SQL through unsanitized input, affecting all versions up to and including 3.11.5. Per the CVSS vector (PR:N), exploitation is unauthenticated and network-reachable, enabling database content disclosure and a scope change beyond the plugin's own data. No public exploit identified at time of analysis, and no EPSS score was supplied, so real-world exploitation prevalence is currently unmeasured.

SQLi Ymc Filter
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-54849 CRITICAL Act Now

SQL injection in the Premmerce Wishlist for WooCommerce WordPress plugin (versions 1.1.11 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries, per the CVSS PR:N vector. Reported by Patchstack and rated 9.3 (CVSS 3.1), it allows extraction of sensitive WordPress/WooCommerce data such as user records and credential hashes. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.

WordPress SQLi Premmerce Wishlist For Woocommerce
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-54843 CRITICAL Act Now

SQL injection in the WordPress "Meta Data Filter & Taxonomy Filter" (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.7, allowing remote attackers to inject arbitrary SQL into backend queries without authentication. Per the provided CVSS vector (PR:N), exploitation requires no login, and the high CVSS base score of 9.3 reflects network reachability plus a scope change. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS data supplied, so prioritization rests on the CVSS signal alone.

SQLi Mdtf
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-53224 CRITICAL PATCH Act Now

Out-of-bounds memory reads in the Linux kernel SCTP stack allow remote attackers to trigger information disclosure and kernel crashes by sending a malformed COOKIE_ECHO chunk. The flaw lives in sctp_unpack_cookie(), which fails to verify that an embedded INIT chunk is large enough for a complete INIT header and does not fully validate raw_addr_list_len, so sctp_process_init() and the address parser read past the cookie payload. EPSS is low (0.21%) and there is no public exploit identified at time of analysis, but the network-reachable, unauthenticated nature (CVSS 9.1) makes it a meaningful patch priority for any host with SCTP in use.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53225 CRITICAL PATCH Act Now

Out-of-bounds uninitialized-memory read in the Linux kernel SCTP stack lets an unauthenticated network peer trigger the receive path to read up to 16 bytes past a truncated ASCONF address parameter. The flaw lives in __sctp_rcv_asconf_lookup() in net/sctp/input.c, which validates only the ADDIP and parameter headers before calling af->from_addr_param(), trusting the parameter's declared length without bounding the full address against the chunk. No public exploit is identified at time of analysis, and EPSS exploitation probability is low at 0.18% (8th percentile); the issue is already patched upstream and classed as information disclosure.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53186 CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's RDMA/SRP initiator (ib_srp) driver lets a malicious or compromised SRP storage target that an initiator has logged into trigger a kernel memory over-read by returning an SRP_RSP with SRP_RSP_FLAG_SNSVALID and an attacker-controlled 32-bit resp_data_len that is never validated against the bytes actually received. With resp_data_len near 0xFFFFFFFF the sense-copy source lands gigabytes past the receive buffer, faulting the kernel for a denial of service and potentially disclosing adjacent kernel memory into the sense buffer. No public exploit is identified at time of analysis and EPSS is low (0.18%), but exploitation requires the privileged position of a trusted SRP target on the InfiniBand/RoCE fabric.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-54089 CRITICAL POC GHSA Act Now

Authentication bypass and privilege escalation in File Browser (versions 2.0.0-rc.1 and later) lets a remote unauthenticated attacker impersonate any account - including admin - by sending a single forged HTTP header when the server runs with proxy authentication (auth.method=proxy). The same flaw doubles as an unauthorized account-creation primitive, since supplying a non-existent username silently provisions a new user. Scored CVSS 9.1 (CWE-287); no public exploit identified at time of analysis, though the underlying behavior has been openly documented for years.

Authentication Bypass Filebrowser
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-9787 HIGH This Week

Remote code execution in Quest NetVault Backup allows authenticated remote attackers - who can bypass the product's existing authentication mechanism - to run arbitrary OS commands as SYSTEM via the NVBULogDaemon JSON-RPC interface. The flaw stems from unsanitized user-supplied input being passed into a system call (CWE-78), and the credentialed authentication barrier is undermined by an acknowledged bypass, effectively widening exposure. No public exploit has been identified at time of analysis, but the issue was disclosed by Trend Micro ZDI (ZDI-26-376) and carries a CVSS of 8.8.

Command Injection RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
1.4%
CVE-2025-60466 MEDIUM POC This Month

Use-after-free in MP4Box's filter pipeline (gf_filter_pid_get_packet, filter_core/filter_pid.c) crashes the application when processing a crafted media file, resulting in Denial of Service. Affected versions are all GPAC/MP4Box releases prior to 26.02.0. A publicly available proof-of-concept exploit exists, though exploitation requires local access and user interaction - the CVSS vector (AV:L/UI:R) and low EPSS score of 0.17% indicate limited real-world automated exploitation risk. No confirmed active exploitation (CISA KEV not listed).

Memory Corruption Denial Of Service Use After Free Gpac
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-9155 HIGH PATCH This Week

OS command injection in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated operator inject arbitrary shell commands through the plugin's `expression` parameter, which is passed to the underlying `sed` invocation without sufficient sanitization. Because InsightConnect is a SOAR orchestration platform, a low-privileged workflow author or connected user (PR:L) can achieve full code execution in the plugin's runtime context (C:H/I:H/A:H, CVSS 8.8). There is no public exploit identified at time of analysis and the issue is not on CISA KEV.

Command Injection Insightconnect Sed Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.9%
CVE-2026-44622 MEDIUM CISA This Month

Evoke CSMS exposes charging station authentication identifiers through public web-based mapping platforms, allowing unauthenticated network actors to harvest credentials with no special access or interaction. Classified under CWE-522 (Insufficiently Protected Credentials) and reported by ICS-CERT via advisory ICSA-26-176-02, this flaw affects all tracked versions of the Evoke Charging Station Management System across its entire version history per the wildcard CPE. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the zero-prerequisite exposure in an OT/energy infrastructure context represents a meaningful credential leakage risk for affected operators.

Information Disclosure Evoke Csms
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-54479 MEDIUM CISA This Month

Authentication bypass and denial-of-service in Evoke Systems' Evoke CSMS electric-vehicle charging station management system stems from predictable WebSocket session identifiers derived from charging station IDs, with no enforcement against duplicate session reuse. Remote unauthenticated attackers can guess or reuse a session identifier to impersonate another charging station/user, or flood the backend with valid session requests to exhaust resources. Reported to CISA by ICS-CERT (advisory ICSA-26-176-02); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Evoke Csms
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-9718 MEDIUM CISA This Month

Denial-of-service in Schneider Electric PowerLogic P7 power monitoring devices allows an authenticated attacker to crash a network-exposed service by sending a specially crafted request that triggers a reachable assertion (CWE-617), fully disrupting availability. The CVSS 4.0 score of 6.9 reflects the high-privilege prerequisite (PR:H) that constrains exploitation to actors with administrative credentials, while the availability impact is rated high (VA:H) with no confidentiality or integrity consequences. No public exploit code and no active exploitation via CISA KEV have been identified at time of analysis.

Denial Of Service Powerlogic P7
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-8658 HIGH PATCH This Week

OS command injection in Rapid7's InsightConnect Tcpdump Plugin (versions before 2.0.0) on Linux lets an authenticated attacker run arbitrary operating-system commands by injecting shell metacharacters into the 'options' or 'filter' parameters, which are unsafely concatenated into a tcpdump shell invocation. An attacker holding low-privileged access to a SOAR workflow that uses this plugin can fully compromise the orchestrator host (high confidentiality, integrity, and availability impact). There is no public exploit identified at time of analysis and the issue is not on the CISA KEV list; EPSS is modest at 0.73%.

Command Injection Insightconnect Tcpdump Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-8664 HIGH PATCH This Week

OS command injection in Rapid7's InsightConnect Finger Plugin (versions prior to 1.0.3) on Linux lets an authenticated attacker run arbitrary operating-system commands by injecting shell metacharacters into the user or host parameters, which are passed unsanitized into a constructed shell command (CWE-78). Because the plugin executes within the InsightConnect SOAR orchestrator, successful exploitation yields full read/write and availability impact on the host running the plugin. No public exploit is identified at time of analysis, and EPSS estimates only a 0.73% 30-day exploitation probability.

Command Injection Insightconnect Finger Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-8659 HIGH PATCH This Week

OS command injection in Rapid7's InsightConnect SQLmap Plugin (versions before 2.0.1) on Linux lets an authenticated InsightConnect user inject arbitrary operating-system commands through the api_host or api_port fields supplied while configuring the plugin's connection. Because the plugin runs inside the InsightConnect orchestration runtime, a successful injection yields code execution in that automation context (CVSS 8.8, CWE-78). No public exploit identified at time of analysis, and SSVC records exploitation status as none; EPSS is modest at 0.73% (50th percentile).

Command Injection Insightconnect Sqlmap Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-9786 HIGH This Week

Remote code execution in Quest NetVault Backup arises through SQL injection in the NVBUDashboard component's JSON-RPC message handler, letting attackers run arbitrary code in the NETWORK SERVICE context. While the flaw nominally requires authentication, ZDI reports the product's authentication mechanism can be bypassed, materially lowering the access bar. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but its CVSS 3.0 base score of 8.8 and full-impact (C:H/I:H/A:H) profile mark it as high priority for any exposed deployment.

SQLi RCE Netvault Backup
NVD VulDB
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9785 HIGH This Week

Remote code execution in Quest NetVault Backup arises from a SQL injection flaw in the handling of NVBULibrarySlot JSON-RPC messages, where a user-supplied string is concatenated into a SQL query without validation. Although the JSON-RPC interface nominally requires authentication, ZDI notes the existing authentication mechanism can be bypassed, so a remote attacker can reach the vulnerable code path and execute arbitrary code in the context of the NETWORK SERVICE account. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9784 HIGH This Week

SQL injection in Quest NetVault Backup's NVBULibraryPort JSON-RPC handler allows remote attackers to execute arbitrary code as NETWORK SERVICE on affected installations. While exploitation nominally requires authentication (CVSS PR:L), the ZDI advisory states the existing authentication mechanism can be bypassed, effectively lowering the barrier to remote attackers. There is no public exploit identified at time of analysis and no CISA KEV listing, but the issue was coordinated through Trend Micro's Zero Day Initiative (ZDI-CAN-27631 / ZDI-26-373) and carries a CVSS 3.0 base score of 8.8.

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9783 HIGH This Week

SQL injection leading to remote code execution affects Quest NetVault Backup, where the NVBURemovableMedia component fails to validate a user-supplied string before constructing SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, effectively lowering the barrier to network-based attackers who can then execute code in the context of the NETWORK SERVICE account. No public exploit identified at time of analysis; the issue was reported privately by Trend Micro's Zero Day Initiative (ZDI-CAN-27632 / ZDI-26-372).

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9782 HIGH This Week

Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBUDeviceDrive JSON-RPC message handler, where a user-supplied string is concatenated into a SQL query without validation (CWE-89). Although the product requires authentication, the existing authentication mechanism can be bypassed, so remote attackers can reach the flaw and execute arbitrary code in the context of the NETWORK SERVICE account. Discovered and reported through Trend Micro's Zero Day Initiative (ZDI-26-371, formerly ZDI-CAN-27633); no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

SQLi RCE Netvault Backup
NVD VulDB
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9781 HIGH This Week

Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBURASDevice JSON-RPC message handler, where attacker-controlled input is concatenated into SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, so attackers can reach the vulnerable endpoint and execute code in the NETWORK SERVICE context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported privately via Trend Micro's Zero Day Initiative (ZDI-26-370 / ZDI-CAN-27648).

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-7570 HIGH This Week

SQL injection leading to remote code execution in Quest NetVault Backup allows attackers to run arbitrary code as the NETWORK SERVICE account by sending crafted JSON-RPC messages to the NVBUDashboard component. While the JSON-RPC interface nominally requires authentication, ZDI reports the existing authentication mechanism can be bypassed, effectively lowering the access barrier. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but it was responsibly disclosed through Trend Micro's Zero Day Initiative (ZDI-26-368, formerly ZDI-CAN-27809).

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9780 HIGH This Week

Authentication bypass via cross-site scripting in Quest NetVault Backup's addclient3 webpage allows remote attackers to inject arbitrary script that executes in a victim's authenticated session, bypassing access controls. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-369, formerly ZDI-CAN-27666), the flaw requires user interaction - the target must visit a malicious page or open a malicious file - and can be chained with other weaknesses to achieve code execution in the SYSTEM context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, though the high CVSS of 8.8 reflects the serious downstream RCE potential.

Authentication Bypass XSS RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-7569 HIGH This Week

Authentication bypass via cross-site scripting in the Quest NetVault Backup viewclient web interface lets remote attackers inject arbitrary script that, when a victim visits a malicious page or opens a malicious file, runs in the application context and circumvents authentication. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-377, ZDI-CAN-28202), the flaw can be chained with additional vulnerabilities to achieve code execution as SYSTEM. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 8.8 rating reflects the high impact of the auth-bypass-plus-RCE chain.

Authentication Bypass XSS RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-6679 HIGH PATCH This Week

Pre-authentication heap buffer overflow in wolfSSL 5.9.0 and earlier affects builds compiled with DTLS 1.3 support, where an integer truncation in the ACK record-number list length computation (Dtls13GetAckListLength using a word16) allocates an undersized buffer that is then overrun during ACK serialization. Because the flaw is reachable before the connecting peer is authenticated, a remote unauthenticated attacker can trigger memory corruption against a DTLS 1.3 endpoint, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.8 reflects primarily a high availability (crash/DoS) impact with limited integrity impact.

Memory Corruption Buffer Overflow Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-53248 HIGH PATCH This Week

Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile); the issue is patched in current stable kernels.

Authentication Bypass Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53198 HIGH PATCH This Week

Use-after-free in the Linux kernel's in-kernel SMB server (ksmbd) lets an authenticated SMB client corrupt kernel slab memory by sending a second SMB2_CANCEL for the same AsyncId of a blocking byte-range lock. The first cancel frees the struct file_lock but takes an early-exit that never unlinks the async work or clears its cancel callback, leaving a live cancel_fn pointing at freed memory in the file_lock_cache (size 192) slab; a racing second cancel re-runs smb2_remove_blocked_lock() on the dangling pointer. The flaw was reproduced on mainline with KASAN by an authenticated client, EPSS is low (0.18%), and there is no public exploit identified at time of analysis.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53277 HIGH PATCH This Week

Local privilege escalation / host compromise risk in the Linux kernel arm64 KVM subsystem arises because __kvm_at_s12() (AT instruction emulation) and __kvm_find_s1_desc_level() invoke the stage-1/nested stage-2 page-table walkers walk_s1() and kvm_walk_nested_s2() without holding kvm->srcu, which those walkers require to guard against concurrent memslot changes. A malicious or compromised guest on an affected arm64 host can race memslot updates against these walks, with CVSS scoring confidentiality, integrity and availability all High under a changed scope (host impact). It is patched in stable trees, EPSS is low (0.17%), and there is no public exploit identified at time of analysis.

Code Injection Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53240 HIGH PATCH This Week

Use-after-free in the Linux kernel's XFRM IP-TFS (IPsec Traffic Flow Confidentiality, RFC 9347) inbound reassembly path lets a race between __input_process_payload() and a concurrent iptfs_reassem_cont()/drop_timer handler operate on a freed sk_buff in skbuff_head_cache, causing memory corruption. The flaw affects kernels from 6.14 (where IP-TFS was introduced) running an IPsec SA in IP-TFS mode, and is fixed in stable releases including 6.18.36, 7.0.13 and 7.1. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 7th percentile).

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
Prev Page 2 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy