Skip to main content
CVE-2026-53200 HIGH PATCH This Week

Execute-permission bypass in the Linux kernel's KVM arm64 nested-virtualization (NV) code allows a nested guest to receive unintended execute permissions on stage-2 mappings when the host CPU lacks FEAT_XNX. The root cause is a misuse of FIELD_PREP() on the XN[0] mask after XN had already been shifted out of its bitfield position, which unconditionally grants execute rights instead of conditionally clearing them. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and the issue is not in CISA KEV, but the assigned CVSS of 8.8 reflects the hypervisor scope-change and potential for a guest to bypass non-executable memory enforcement.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53232 HIGH PATCH This Week

Use of a dangling pointer in the Linux kernel's phylib/SFP networking subsystem occurs when PHY probing fails but sfp_bus_del_upstream() is never called, leaving the sfp-bus 'upstream' field pointing at freed/torn-down state that can be dereferenced during a later SFP hot-plug event. Affected systems are Linux hosts and appliances using PHY drivers with SFP cage support across kernels from 5.5 up to the fix in commit 48774e87. There is no public exploit identified at time of analysis, the EPSS score is very low (0.16%, 5th percentile), and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-55487 HIGH PATCH GHSA This Week

Build-script approval bypass in the pnpm package manager (versions before 10.34.2, and 11.0.0 through 11.5.2) lets an attacker-controlled dependency source run lifecycle scripts that a user only approved for a different, legitimate source. The generic peer-suffix normalizer stripped parenthesized text from opaque locators (git, URL, tarball, file), so two distinct sources could normalize to the same allowBuilds key - meaning approval of foo@https://host/pkg.tgz also authorized foo@https://host/pkg.tgz(evil). Publicly available exploit code exists (SSVC: poc) and technical impact is total, though EPSS is low at 0.11% and it is not in CISA KEV.

Information Disclosure Pnpm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-48508 HIGH PATCH GHSA This Week

Privilege escalation via broken authorization in Netflix Lemur (versions <= 1.9.0) lets any authenticated user - including the shipped lowest-privilege `read-only` role - perform admin-only certificate-management actions. Because the `StrictRolePermission` and `AuthorityCreatorPermission` classes were instantiated with an empty Need set when their config flags were left at the default `False`, Flask-Principal's `allows()` returns True for every identity, removing the only role gate in front of CA creation, certificate upload, notification (SSRF sink) management, and domain registry edits. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation requires only a single low-privilege credential, making it a direct pivot to control of the PKI issuance plane.

Authentication Bypass SSRF Python
NVD GitHub
CVSS 3.1
8.8
CVE-2026-57532 HIGH PATCH This Week

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript that executes in another backend user's browser when they open the PDF editor. Affected is the open-source Pretix event-ticketing platform on versions prior to the 2026.5.2 release; the malicious HTML embedded in a layout specification runs because the PDF editor page is one of the few backend pages that lacks a strong Content-Security-Policy. There is no public exploit identified at time of analysis, but the vendor has confirmed and patched the issue.

XSS Pretix
NVD VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-56053 HIGH This Week

PHP Object Injection in the EventPrime event-calendar-management WordPress plugin (versions 4.3.4.1 and earlier) allows an authenticated attacker holding only a low-privilege Subscriber account to inject crafted serialized objects into an unsafe deserialization sink. Depending on the PHP gadget chains present in WordPress core, the plugin, or other installed plugins, this can escalate to data tampering, information disclosure, or remote code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported by Patchstack.

Deserialization PHP Eventprime
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-56768 HIGH PATCH This Week

Authorization bypass in Seahub (the Seafile web frontend) before 13.0.23 lets a holder of a folder share-link token call GET /api/v2.1/share-link-zip-task/ without honoring the SHARE_LINK_LOGIN_REQUIRED policy, obtaining a fileserver zip token to download entire shared directory trees. Classified as CWE-862 (Missing Authorization) and reported by VulnCheck with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS data was not provided in the input.

Authentication Bypass Seahub
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-13311 HIGH This Week

Denial of service in the shell-quote Node.js library (versions prior to 1.8.5) lets remote attackers stall the single-threaded event loop by passing an attacker-controlled string into any code path that calls parse(). The flaw is purely algorithmic - parse() builds its token list with Array.prototype.concat as a reduce accumulator, giving O(n^2) behavior so even a small payload of plain space-separated words causes disproportionate CPU consumption. There is no public exploit identified at time of analysis and no KEV listing; impact is to availability only with no code execution or data disclosure despite the misleading 'RCE' source tag.

Node.js Denial Of Service RCE Shell Quote Red Hat +1
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2025-71324 HIGH PATCH This Week

Unauthenticated arbitrary file read in Flowise before 3.0.6 lets remote attackers traverse outside the storage directory via the unvalidated chatId parameter on the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints, reading sensitive files such as /root/.flowise/database.sqlite and dumping the entire application database in default deployments. The flaw was reported by VulnCheck with a vendor security advisory (GHSA-99pg-hqvx-r4gf), and while no public exploit was identified at time of analysis, the root cause and code path are fully documented in the advisory, lowering the barrier to weaponization. CVSS 4.0 base score is 8.7 (High), reflecting network-reachable, no-authentication, no-interaction exploitation with high confidentiality impact.

Path Traversal Flowise
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56767 HIGH PATCH This Week

Cross-tenant access in Maxun (the open-source no-code web data extraction/scraping platform) before 0.0.42 allows any authenticated user to read, modify, delete, or run other tenants' robots and to exfiltrate their plaintext Google and Airtable OAuth access tokens by abusing storage and webhook API handlers that never check resource ownership. The flaw stems from API endpoints querying robots by ID alone (e.g. Robot.findAll() with no userId scope), so a low-privileged account on a shared/multi-tenant instance can pivot across the entire tenant base. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix is committed and the trivial nature of an IDOR makes it readily reproducible.

Authentication Bypass Google Maxun
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-71328 HIGH PATCH This Week

Account takeover in Flowise (the open-source low-code LLM application builder) before version 3.0.10 stems from the account settings Security section accepting a password change without requiring the current password or any re-verification. Any authenticated user - or an attacker who hijacks or coerces an existing authenticated session - can silently reset the account credential and seize full control of the account. Publicly available exploit code exists (documented PoC with repro steps and screenshot in the GitHub Security Advisory GHSA-fjh6-8679-9pch), but there is no public exploit identified as actively exploited and it is not listed in CISA KEV.

Information Disclosure Flowise
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-12245 HIGH PATCH This Week

Remote denial-of-service in NLnet Labs NSD (authoritative DNS name server) version 4.13.0 and later allows an unauthenticated attacker to crash the server process by exploiting a heap use-after-free in the TLS error-logging path. By sending a DNS query over a DNS-over-TLS (DoT) connection and closing the socket before reading the response, an attacker triggers the freed-memory access trivially; no public exploit identified at time of analysis, and the issue is not in CISA KEV. The CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity exposure.

Memory Corruption Denial Of Service Use After Free Nsd Red Hat +1
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-12244 HIGH PATCH This Week

Heap overflow in NLnet Labs NSD allows a malicious or compromised zone primary to corrupt memory on a secondary (slave) NSD instance by sending an AXFR transfer containing a crafted SVCB resource record. An rdata size of 65512 causes a uint16_t length variable used for RR allocation to wrap (total size exceeds 65535), producing an undersized buffer and a controlled out-of-bounds write of up to 65509 bytes - an RCE-class primitive (CWE-190 integer overflow leading to heap overflow). No public exploit identified at time of analysis, but the controlled write and remote network vector (CVSS 4.0 base 8.7) make this a high-priority patch for any operator running NSD as a secondary.

Integer Overflow Denial Of Service Nsd Red Hat Suse
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-11310 HIGH PATCH This Week

X.509 trust-chain bypass in wolfSSL's OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert/X509_verify_cert) allows an attacker to have an attacker-controlled certificate accepted as valid by presenting a chain that never reaches a configured trust anchor. The flaw affects only builds compiled with --enable-opensslextra whose applications perform certificate validation via the OpenSSL-compat X509_verify_cert() API using caller-supplied untrusted intermediates; for those deployments it is critical (CVSS 4.0 base 8.7, integrity impact only). There is no public exploit identified at time of analysis and it is not on CISA KEV, but an upstream fix is available via wolfSSL PR #10674.

Authentication Bypass OpenSSL Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-53230 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux mlx5_core driver's mlx5_query_nic_vport_mac_list() function allows a slab-out-of-bounds access when querying a VF vport whose configured MAC-list maximum exceeds the PF's log_max_current_uc/mc_list capability. The driver sizes its firmware command buffer using the PF capabilities rather than the vport's own HCA caps, so an oversized firmware response overflows the buffer during eswitch vport-change handling. This affects systems running NVIDIA/Mellanox ConnectX (mlx5) NICs in SR-IOV/switchdev mode; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.7
EPSS
0.2%
CVE-2025-71335 HIGH PATCH This Week

Persistent session hijacking in Flowise 3.0.7 and earlier (fixed in 3.0.10) lets an attacker retain authenticated access to a victim's account even after the victim changes their password, because the application never invalidates pre-existing sessions or session tokens on credential rotation (CWE-613). Anyone holding a stolen token or a device left logged in keeps full access, defeating the primary remediation users rely on after a suspected compromise. A working proof-of-concept is published in the vendor's GHSA advisory; publicly available exploit code exists, but there is no public exploit identified as actively exploited in the wild and it is not on the CISA KEV list.

Information Disclosure Flowise
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-53217 HIGH PATCH This Week

Information disclosure and frame corruption in the Linux kernel's Marvell mvpp2 network driver allows stale cache contents to be read into received packets on non-coherent DMA systems. Because the driver synced the RX buffer starting at the raw DMA address rather than at the hardware packet offset (MVPP2_SKB_HEADROOM), it synchronized unused headroom and missed an equal number of bytes at the packet tail, leaving the CPU to read stale cache lines for the end of each frame. EPSS is low (0.18%), there is no public exploit identified at time of analysis, and the issue is bounded to specific Marvell Armada-class hardware rather than general-purpose servers.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-12975 HIGH This Week

Server-side request forgery and denial of service in Red Hat Build of Apicurio Registry 3 stem from unsafe XML parsing in the ContentTypeUtil.isParsableXml() method, which builds a SAXParserFactory without secure processing or external-entity restrictions (CWE-611, XXE). An attacker with artifact-write permission - or any unauthenticated client when the registry runs in its default configuration - can upload a crafted XML artifact whose external DTD/entity references force the server to fetch attacker-chosen URLs (blind SSRF into internal networks) or expand nested entities for resource-exhaustion DoS. CVSS is 8.5 (scope-changed, high availability impact); no public exploit identified at time of analysis.

XXE SSRF Denial Of Service Red Hat Build Of Apicurio Registry 3
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-56049 HIGH This Week

Remote code execution in the Post Snippets WordPress plugin (versions 4.0.19 and earlier) lets an authenticated user with only Contributor-level privileges inject and execute arbitrary PHP/code on the server via the plugin's snippet-handling functionality (CWE-94). Because a low-privilege role can pivot to full server compromise with a scope change (S:C), this is a privilege-escalation-to-RCE flaw reported by Patchstack; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Code Injection RCE Post Snippets
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-54838 HIGH This Week

SQL injection in the WC Vendors Marketplace WordPress plugin (versions <= 2.6.8) allows authenticated users holding only a low-privilege Subscriber-level account to inject arbitrary SQL into backend queries. Reported by Patchstack and tracked as CVE-2026-54838 (CWE-89), the flaw carries a CVSS 8.5 with a scope change, reflecting that a minimally-privileged marketplace account can read sensitive data across the WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Wc Vendors Marketplace
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-54822 HIGH This Week

SQL injection in the WordPress SALESmanago & Leadoo plugin (versions 3.11.2 and earlier) lets authenticated users holding only Subscriber-level privileges inject arbitrary SQL into backend database queries, enabling extraction of sensitive data from the WordPress database. Reported by Patchstack and rated CVSS 8.5, it is dangerous because Subscriber is the lowest authenticated role and is frequently self-registerable on WordPress sites. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi Salesmanago Leadoo
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-57456 HIGH PATCH This Week

Arbitrary Python code execution in Vim before 9.2.0699 occurs when a victim triggers Python omni-completion (omnifunc) inside a malicious buffer; the python3complete.vim and legacy pythoncomplete.vim runtime plugins reconstruct in-buffer function and class definitions and run them through Python's exec(), inserting each scope's docstring verbatim between triple quotes. Because the docstring is never escaped, a crafted docstring can close the triple-quoted literal and inject attacker-controlled Python that runs with the user's privileges. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a regression test bundled with the fix demonstrates the breakout, confirming exploitability; EPSS data was not provided.

Code Injection Python RCE Vim Suse
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-12897 HIGH PATCH CISA This Week

Out-of-bounds read in Horner Automation Cscape prior to 10.2 SP3 lets an attacker who supplies a malicious CSP project file disclose memory contents and, per the advisory, achieve arbitrary code execution within the engineering workstation. Cscape is the configuration/programming environment for Horner OCS controllers, so the target is the engineer's PC rather than the PLC itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Buffer Overflow Information Disclosure Cscape
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-2815 HIGH PATCH This Week

Predictable cryptographic key generation in Silicon Labs EFR32xG27 wireless SoCs stems from incorrect use of the on-chip PUF (Physical Unclonable Function) when deriving user keys, allowing an adjacent attacker to anticipate or reconstruct keys that should be unique and secret. Affected firmware built with the Silicon Labs SiSDK loses the confidentiality and authentication guarantees of derived keys. No public exploit identified at time of analysis; the issue was self-reported by Silicon Labs and a vendor patch is available.

Information Disclosure Sisdk
NVD GitHub
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-55958 HIGH PATCH This Week

Remote denial of service in wolfSSL's Renesas TSIP TLS 1.3 client port (WOLFSSL_RENESAS_TSIP_TLS on Renesas MCUs with TSIP hardware) arises from an out-of-bounds heap write in tsip_StoreMessage(), where the capacity check guarding the fixed 8 KB message bag sets an error code but omits the return, letting execution fall through to an XMEMCPY that overruns the buffer once the accumulated handshake transcript exceeds 8 KB. A malicious or man-in-the-middle TLS 1.3 server (or an unusually large but legitimate certificate chain) can trigger heap corruption and crash the client. There is no public exploit identified at time of analysis, it is not on CISA KEV, and the upstream fix is available as wolfSSL PR #10705.

Memory Corruption Denial Of Service Buffer Overflow Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-13281 HIGH PATCH This Week

Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Buffer Overflow Google Suse Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-10097 HIGH This Week

Cryptographic decapsulation flaw in wolfSSL's ML-KEM-1024 (Kyber) x86-64 AVX2 code path (versions 5.7.0 through 5.9.1) breaks IND-CCA2 security by failing to compare the final 32-byte block of the 1568-byte ciphertext during the constant-time check, so the Fujisaki-Okamoto transform's mandatory implicit rejection is bypassed. An attacker acting as a chosen-ciphertext oracle can submit ciphertexts altered only in those trailing bytes and have decapsulation return the genuine shared secret rather than a rejection value. There is no public exploit identified at time of analysis, the EPSS score is very low (0.15%, 5th percentile), and CISA SSVC rates exploitation as none with partial technical impact.

Information Disclosure Wolfssl
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-55412 HIGH PATCH This Week

Server-side request forgery in ToolJet's RestAPI data source (versions prior to 3.20.178-lts) allows a low-privileged platform user to reach internal network endpoints because the private-IP filter validates only the hostname string rather than the resolved IP. By supplying a DNS name such as 169.254.169.254.nip.io, an attacker bypasses the filter and forces the server to query the Azure IMDS link-local endpoint, enabling theft of managed-identity tokens for the backing AKS production cluster. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the cloud-credential impact makes it a high-value SSRF.

SSRF Microsoft Tooljet
NVD GitHub
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-54848 HIGH This Week

Sensitive data exposure in the APIExperts Square for WooCommerce WordPress plugin (also known as woosquare) through version 4.7.3 allows remote attackers to retrieve embedded sensitive information that the plugin inserts into data it sends. Reported by Patchstack and rated CVSS 8.3, the flaw stems from CWE-201 (Insertion of Sensitive Information Into Sent Data) and is exploitable without authentication or user interaction per its CVSS vector. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Information Disclosure Apiexperts Square For Woocommerce
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-55960 HIGH PATCH This Week

Certificate validation bypass in wolfSSL (builds compiled with HAVE_RPK) allows a peer to present an un-negotiated Raw Public Key (RFC 7250) in place of a full X.509 certificate, defeating chain-of-trust validation. Because a raw public key carries no certificate chain, ParseCertRelative() accepts it without performing any trust verification, so an attacker presenting a bare key can impersonate a server (or client) when neither side actually negotiated the RPK certificate type. No public exploit identified at time of analysis and the issue is not in CISA KEV; the high CVSS (8.2, CVSS 4.0) reflects a full authentication/integrity bypass, but exploitation is gated by the non-default HAVE_RPK build option.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-11999 HIGH PATCH This Week

Certificate trust-chain bypass in wolfSSL allows attackers to have an attacker-controlled certificate accepted as valid, but only in builds compiled with --enable-opensslextra where the application calls the OpenSSL-compatibility X509_verify_cert() with caller-supplied untrusted intermediates. The verifier returned success based on the last verified link instead of confirming the chain reaches a configured trust anchor, so a chain deeper than the maximum path depth (default 100) is accepted without ever validating against a trusted root. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; native wolfSSL TLS/DTLS and the default WOLFSSL_VERIFY_PEER handshake are unaffected.

Authentication Bypass OpenSSL Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-53268 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's netfilter IRC connection-tracking helper (nf_conntrack_irc) lets remote attackers leak adjacent kernel memory or crash the host when the parser fails to bail out after matching a DCC command string. The CVSS 3.1 vector (AV:N/PR:N) describes unauthenticated remote reachability with low confidentiality impact and high availability impact, but exploitation is gated on the legacy IRC conntrack helper being loaded and assigned to traffic - a non-default condition on most modern systems. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and the issue is not on CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-12490 HIGH PATCH This Week

Zone-transfer authentication bypass in NLnet Labs NSD allows unauthorized secondaries to obtain full zone contents without presenting the required TLS client certificate. Although a provide-xfr rule specifies a tls-auth-name (mandating client-certificate authentication), NSD only enforces this on the dedicated tls-auth-port; requests arriving over plain TCP on the regular port or over TLS on the regular tls-port are served when the remaining provide-xfr conditions match, defeating mutual-TLS access control. Reported by NLnet Labs with CVSS 4.0 8.2; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Nsd Red Hat Suse
NVD VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-55961 HIGH PATCH This Week

Signature-verification bypass in wolfSSL's OpenSSL compatibility layer allows a degenerate (certs-only) PKCS#7 object - one with empty signerInfos and no actual signature - to be falsely reported as verified by wolfSSL_PKCS7_verify(). Applications using the PKCS7_verify() compat API to authenticate attacker-supplied PKCS#7/CMS bundles can be tricked into treating unsigned content as authentic, undermining integrity guarantees. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the underlying defect is a classic improper-signature-verification (CWE-347) issue with a CVSS 4.0 base score of 8.2.

Jwt Attack OpenSSL Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-55667 HIGH PATCH This Week

Arbitrary file deletion in File Browser before 2.63.16 lets a scoped, non-admin user holding only the Create permission destroy files outside their assigned scope - including other tenants' data and the application's own database. The flaw lives in the failed-upload cleanup path, where ScopedFs.RemoveAll is the single dereferencing operation that omits the symlink guard enforced everywhere else, so an attacker who plants an escaping directory symlink inside their scope can delete out-of-scope targets while only authenticated as a create-only user. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a disclosed-but-not-yet-exploited integrity and availability risk.

Path Traversal Filebrowser
NVD GitHub
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-22879 HIGH This Week

Heap-based buffer overflow in the vtk-dicom library's vtkDICOMItem::NewDataElement routine allows remote attackers to corrupt heap memory and potentially achieve arbitrary code execution by supplying a maliciously crafted DICOM data element. The flaw affects vtk-dicom (a DICOM I/O module commonly paired with the Visualization Toolkit) and was reported by Cisco Talos (TALOS-2026-2366), carrying a CVSS 3.1 base score of 8.1 with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Vtk Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-9800 HIGH PATCH This Week

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access controls - role, scope, and User-Managed Access (UMA) permission checks - by embedding the configured access-denied page path inside a request URL as a path segment or query parameter. The affected component ships in the Red Hat Build of Keycloak, and successful exploitation grants unauthorized access to protected resources. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Red Hat Build Of Keycloak
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-11800 HIGH PATCH This Week

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; Red Hat rates it 8.1 (High).

Privilege Escalation Jwt Attack Authentication Bypass Red Hat Build Of Keycloak 26 6 Red Hat Build Of Keycloak 26 6 4 +4
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-54036 HIGH PATCH This Week

Two-factor authentication takeover in LibreChat before 0.8.4-rc1 lets any authenticated user — or an attacker wielding a stolen session token — call the GET /api/auth/2fa/enable endpoint to silently overwrite an account's existing TOTP secret, regenerate backup codes, and flip twoFactorEnabled to false, all without TOTP or backup-code verification. The flaw destroys the victim's working second factor and can lock the legitimate owner out of their own 2FA. Publicly available exploit code exists (SSVC: PoC), but EPSS is low (0.18%, 8th percentile) and it is not listed in CISA KEV.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-53254 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's Bluetooth RFCOMM stack allows a malicious paired or in-range remote device to leak adjacent kernel memory or crash the host by sending truncated MCC (Multiplexer Control Channel) frames. The RFCOMM MCC handlers cast skb->data to protocol structs without first checking skb->len, so short frames cause reads past the buffer; impact is confidentiality and availability loss (CVSS 8.1). There is no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.18%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-53147 HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's Thunderbolt (thunderbolt) XDomain driver allows an adjacent peer connected over a Thunderbolt link to leak kernel heap memory or crash the host. The flaw lives in tb_xdp_handle_request(), which casts a received XDomain packet to protocol-specific structs without confirming the kmemdup allocation is large enough, so a deliberately undersized packet that still passes the generic header-length check triggers reads past the buffer. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and it is not CISA KEV-listed.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-53178 HIGH PATCH This Week

Memory-safety flaw in the Linux kernel's staging rtl8723bs Realtek SDIO Wi-Fi driver allows an adjacent (radio-range) attacker to trigger an unsigned-integer underflow in the rtw_mlme information-element parsing path, leading to out-of-bounds reads that can disclose kernel memory or crash the system. The bug occurs because ie_length was not validated before fixed IE offsets were subtracted from it. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but a vendor (upstream kernel) fix is available.

Linux Information Disclosure Integer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-50573 HIGH PATCH GHSA This Week

Lockfile integrity bypass in the pnpm package manager (versions below 10.34.0, and 11.0.0 through 11.4.0) lets a malicious or compromised registry override a package version's previously recorded hash. On a plain `pnpm install` in non-frozen mode, pnpm detects the tarball-vs-lockfile integrity mismatch, warns, then silently performs a 'resolution repair' that accepts the registry's new integrity, rewrites pnpm-lock.yaml, and installs the substituted content while exiting 0. Publicly available exploit code exists (a full reproduction scenario is published in the GitHub advisory), but there is no public exploit identified as used in active attacks; EPSS is low at 0.11%.

Information Disclosure Pnpm
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-54842 HIGH This Week

Broken access control in the Royal MCP WordPress plugin (versions up to and including 1.4.25) lets authenticated low-privilege users reach functionality that should be restricted, due to a missing authorization check. With a CVSS of 8.1 and high confidentiality and integrity impact, an attacker holding even a basic account can read and alter data they should not be able to touch. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Royal Mcp
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-54845 HIGH This Week

Unauthenticated local file inclusion in the WordPress 'Meta Data and Taxonomy Filter' (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.8, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Per its CVSS:3.1 vector (AV:N/PR:N), exploitation is network-reachable and unauthenticated, though the high attack complexity (AC:H) implies non-trivial preconditions. This is classified as information disclosure but rated 8.1 with full C/I/A impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.

LFI Information Disclosure PHP Mdtf
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-53256 HIGH PATCH This Week

Use-after-free in the Linux kernel's Bluetooth RFCOMM subsystem allows an attacker within Bluetooth range to corrupt kernel memory by racing an incoming RFCOMM connection against the close of a listener socket. The flaw lives in rfcomm_connect_ind(), which uses a listener socket returned by rfcomm_get_sock_by_channel() after the protecting list lock is dropped and without taking a reference, so a concurrent rfcomm_sock_release() can free the parent socket before it is locked and a child is enqueued. KASAN confirmed a slab-use-after-free in lock_sock_nested(); EPSS is low (0.17%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-54917 HIGH PATCH This Week

Cross-bucket read/write in SeaweedFS before 4.30 lets remote attackers escape a bucket's namespace because the S3 API gateway and the Iceberg REST catalog gateway build their gorilla/mux routers with SkipClean(true), letting a literal '..' segment survive routing before downstream path joins collapse it server-side. A request like 'GET /bucket-A/../evil-bucket/key' is routed as bucket=bucket-A but resolves to evil-bucket, allowing an actor to read or write objects in buckets they should not reach. There is no public exploit identified at time of analysis; the issue is fixed in 4.30 via PR #9687.

Path Traversal Seaweedfs
NVD GitHub
CVSS 4.0
7.8
EPSS
0.3%
CVE-2026-53137 HIGH PATCH This Week

Out-of-bounds kernel heap write in the AMD Display (amdgpu) driver's HDMI HDCP 2.x repeater authentication path affects Linux kernels from 5.6 through the 7.1 release candidates. When reading a downstream sink's RxStatus register, the driver in mod_hdcp_read_rx_id_list() uses an attacker-influenced 10-bit message-size field (up to 1023 bytes) as the I2C read length without bounding it to the 177-byte rx_id_list buffer, so a malicious HDMI repeater can force a write past the buffer and corrupt kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.21%, 11th percentile); it is not listed in CISA KEV.

Memory Corruption Linux Amd Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53195 HIGH PATCH This Week

Kernel-level heap buffer overflow (out-of-bounds write) in the Linux kernel's io_ti USB-serial driver (used by Digi Edgeport TI-based USB serial adapters) allows a local low-privileged attacker or a malicious/crafted firmware image to corrupt kernel heap memory. The flaw lives in build_i2c_fw_hdr(), which copies an attacker-influenced 16-bit Length field (up to 65535) from the firmware image into a fixed-size buffer without validating it fits the remaining space after the ti_i2c_firmware_rec header. There is no public exploit identified at time of analysis, EPSS is low (0.20%, 10th percentile), and it is not on the CISA KEV list, so exploitation is theoretical rather than observed.

Memory Corruption Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53194 HIGH PATCH This Week

Heap out-of-bounds write in the Linux kernel's USB serial driver for KL5KUSB105-based adapters (kl5kusb105) lets a write to an attached tty corrupt slab memory two bytes past a 64-byte bulk-out buffer. The flaw is in klsi_105_prepare_write_buffer(), which reserves a two-byte length header but still copies the full buffer size from the write FIFO, overrunning the allocation by KLSI_HDR_LEN (2) bytes. EPSS is low (0.19%, 9th percentile) and there is no public exploit identified at time of analysis; the issue was found via KASAN using emulated hardware (dummy_hcd/raw-gadget), not in-the-wild exploitation.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy