Skip to main content
CVE-2026-53226 MEDIUM PATCH This Month

Resource leak and use-after-free in the Linux kernel's gpio-rockchip driver can crash the kernel on systems using Rockchip GPIO hardware. The driver's remove path fails to call irq_domain_remove_generic_chips(), leaving allocated generic chip structures unreleased and dangling on the global gc_list. After driver unbind or module removal, IRQ subsystem suspend, resume, or shutdown callbacks may subsequently dereference the freed memory, producing a use-after-free condition and kernel panic. No public exploit exists and EPSS sits at the 7th percentile, indicating very low real-world exploitation probability; however, the availability of upstream fix commits makes patching straightforward.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53211 MEDIUM PATCH This Month

Kernel stack information disclosure in the Linux kernel's netfilter nft_meta_bridge subsystem leaks 2 bytes of uninitialized stack data to userspace via the IIFHWADDR register. A local attacker with CAP_NET_ADMIN privileges can craft an nftables bridge rule that reads the full 8-byte register span after a memcpy writes only 6 bytes, exposing stale nft_do_chain() stack content. No public exploit exists and EPSS is 0.17%; however, on hardened systems kernel stack leaks can assist KASLR bypass when chained with other primitives.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53197 MEDIUM PATCH This Month

ABBA deadlock in the Linux kernel xfrm iptfs subsystem causes availability loss on SMP systems when iptfs state is destroyed while its timer callbacks are concurrently executing on another CPU. The vulnerability affects the IP Traffic Flow Secrecy (IPTFS) implementation within the kernel's xfrm IPsec framework, specifically during iptfs_destroy_state() - a function that acquires spinlocks before calling hrtimer_cancel(), creating a circular dependency with softirq timer callbacks that attempt to re-acquire those same locks. No public exploit code has been identified and EPSS is 0.17% (7th percentile), indicating this is a low-probability exploitation target; the impact is a kernel deadlock causing a system hang (DoS) with no confidentiality or integrity impact.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53166 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's futex PI requeue path allows a local low-privileged user to crash the kernel. Triggered via FUTEX_CMP_REQUEUE_PI when a non-top waiter already owns the target PI futex, the deadlock detection path returns -EDEADLK before initializing waiter->task, which remove_waiter() then dereferences unconditionally. Impact is a kernel panic (system-wide denial of service). No public exploit identified at time of analysis and EPSS is at the 7th percentile, but the attack surface is any unprivileged local process on an affected kernel version.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53163 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's real-time mutex (rtmutex) subsystem allows a local low-privileged user to crash the kernel via FUTEX_CMP_REQUEUE_PI, causing a denial of service. Affected stable branches span Linux 6.1 through 7.1-rc5; vendor patches are available via kernel.org stable commits. No public exploit has been identified and EPSS is 0.17% (7th percentile), indicating negligible observed exploitation activity.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53269 MEDIUM PATCH This Month

Denial-of-service via race condition in the Linux kernel's netfilter synproxy subsystem allows a local low-privileged user to crash the system by triggering concurrent netfilter hook registration. The synproxy infrastructure registers hooks on-demand when iptables targets or nftables expressions are added; without serialization, concurrent additions race on the reference count control blocks, corrupting kernel state. No public exploit exists and EPSS is 7th percentile (0.17%), but any Linux system running a kernel from 5.3 onward with the ability for unprivileged users to manipulate netfilter rules is technically exposed.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53263 MEDIUM PATCH This Month

Kernel stack memory disclosure and multicast address corruption in the Linux kernel's 6lowpan IPHC subsystem affects all deployments running the vulnerable code path from commit 5609c185f24d onward. A local unprivileged user on a system with an active 6lowpan interface can trigger `lowpan_iphc_mcast_ctx_addr_compress()` to transmit uninitialized kernel stack bytes over the 6lowpan link layer while also corrupting the RIID field in compressed multicast addresses, breaking multicast connectivity. No public exploit identified at time of analysis; EPSS is 0.17% (7th percentile), and this is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53177 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel bnxt_en Broadcom NetXtreme Ethernet driver crashes the kernel when PCIe error recovery fires against a closed NIC, causing a denial of service. Affected kernel versions span from 4.17 through multiple LTS and mainline branches up to 7.1-rc4, with patches released across all active stable series. No public exploit exists and EPSS sits at 0.17% (7th percentile), marking this as a reliability and stability concern rather than an actively targeted attack vector.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53159 MEDIUM PATCH This Month

Integer underflow in the Linux kernel fastrpc misc driver corrupts DMA addresses sent to Qualcomm DSPs, enabling a local low-privileged user to crash the DSP subsystem or induce a kernel panic. The flaw in fastrpc_get_args() affects all major stable kernel branches from 5.15 through 7.1-rc3 and is patched across multiple stable series. No public exploit exists and EPSS probability is 0.17% (7th percentile), indicating low real-world exploitation risk despite broad platform coverage.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53155 MEDIUM PATCH This Month

Corrupted reverse-mapping (rmap) state in the Linux kernel's mm/huge_memory subsystem crashes or destabilizes affected systems through a flag misinterpretation in set_pmd_migration_entry() for device-private PMD entries. On x86-64 with CONFIG_MEM_SOFT_DIRTY enabled, the function incorrectly reads the softdirty bit as a write-permission flag - because _PAGE_SWP_SOFT_DIRTY aliases _PAGE_RW - causing migration entries to be marked writable when they should be read-only, ultimately triggering a VM_WARN assertion in __folio_add_anon_rmap() when an AnonExclusive folio reaches entire_mapcount=2. No public exploit exists and no active exploitation is confirmed; a vendor patch is available as of Linux 7.0.13 and 7.1.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53214 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's IPv6 address configuration subsystem crashes the kernel when cleanup_prefix_route() receives the fib6_null_entry sentinel from addrconf_get_prefix_route() and attempts to access its NULL fib6_table pointer without validation. An authenticated local user holding CAP_NET_ADMIN can trigger this by sending a crafted IPv6 DELADDR netlink message, causing a general protection fault and system-wide denial of service. No public exploit or CISA KEV listing exists; EPSS is 0.17% (6th percentile), consistent with a privilege-gated local DoS affecting an extremely widely deployed target.

Linux Canonical Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53158 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's fastrpc misc driver crashes the kernel when a Qualcomm DSP sends a glink message before the fastrpc_rpmsg_probe() initialization routine completes. Systems using the Qualcomm FastRPC subsystem - primarily Android and embedded Qualcomm SoC platforms running Linux 5.1 through unpatched 6.x/7.x stable branches - are vulnerable to a local denial-of-service (kernel panic) at boot. No public exploit exists and EPSS is 0.17% (6th percentile), consistent with a hardware-timing race condition requiring specific Qualcomm DSP hardware rather than generic remote exploitation.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53154 MEDIUM PATCH This Month

Hugetlb VMA reservation leak in the Linux kernel mm/hugetlb subsystem allows a local authenticated user to trigger SIGBUS on a process at a previously reserved huge-page address. Two code paths - the UFFDIO_COPY resubmission path and the fork-time copy-on-write path - fail to call restore_reserve_on_error() after copy_user_large_folio() returns an error, leaving the per-VMA reservation map entry marked consumed. No public exploit exists and EPSS is 0.17% (6th percentile), but patches are available in multiple stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53152 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's dw_mmc-rockchip MMC driver triggers kernel panics on systems running legacy Rockchip SoCs (rk2928, rk3066, rk3188) when the MMC subsystem initializes. Commit ff6f0286c896 introduced a mandatory private-data access path that was never populated for these old controllers - which historically had no UHS support and no parse_dt callback - causing a reproducible kernel crash on affected hardware. No active exploitation is confirmed (absent from CISA KEV), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability; the primary risk is an accidental reliability failure on embedded systems running these legacy SoCs.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53144 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's drm/amdkfd subsystem allows a local low-privileged user to trigger a kernel panic by invoking the kfd_ioctl_set_debug_trap() ioctl with a non-zero num_queues value and a NULL queue_array_ptr. The root flaw is that get_queue_ids() returns NULL in this case rather than ERR_PTR(-EINVAL), and both callers check only IS_ERR() - since IS_ERR(NULL) evaluates false, execution proceeds to q_array_invalidate(), which immediately dereferences the NULL pointer while iterating, crashing the kernel. No public exploit has been identified and the EPSS score of 0.17% (6th percentile) confirms low observed exploitation probability, though the trigger path is mechanically simple for any user with /dev/kfd access.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53140 MEDIUM PATCH This Month

Memory exhaustion via vaddr leak in the Linux kernel's V3D DRM driver allows a local low-privileged user to degrade or deny service on systems equipped with Broadcom V3D GPUs. The function v3d_rewrite_csd_job_wg_counts_from_indirect() maps two buffer objects (indirect buffer and workgroup buffer) but takes an early return path - without releasing the vaddr mappings - whenever any workgroup count read from the indirect buffer is zero, permanently leaking both BO mappings per triggering job submission. No public exploit has been identified and EPSS sits at the 6th percentile (0.17%), consistent with the hardware-specific, local-only attack surface; this vulnerability is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53167 MEDIUM PATCH This Month

Uninitialized memory exposure in the Linux kernel FUSE subsystem allows a local attacker to read residual kernel page cache data via the FUSE_NOTIFY_RETRIEVE notification path. The flaw affects systems where folios not marked 'uptodate' are returned to FUSE daemons rather than treated as absent - a condition with direct security impact only on kernels built or booted without automatic page-allocation zeroing (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1). No public exploit has been identified at time of analysis and EPSS sits at 0.17% (6th percentile), reflecting minimal observed exploitation activity.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53164 MEDIUM PATCH This Month

Kernel availability impact in Linux iommu/dma SWIOTLB subsystem allows a local low-privileged user to corrupt IOMMU mappings and trigger a kernel WARN_ON via Thunderbolt NVMe passthrough commands. The iommu_dma_iova_link_swiotlb() function fails to guard against zero-length middle segments in unaligned DMA mappings, causing iommu_map() to receive an illegal zero-size argument; the subsequent error unwind then starts from the wrong offset, corrupting the IOMMU page table state and firing WARN_ON at destruction. No active exploitation is confirmed (not in CISA KEV), and EPSS of 0.17% (6th percentile) signals negligible threat-actor interest, but the bug is reliably reproducible with commodity Thunderbolt NVMe hardware.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53142 MEDIUM PATCH This Month

NULL pointer dereference in the Intel Xe GPU driver (drm/xe) causes a kernel panic during system suspend or shutdown when display hardware is disabled via hardware fuses rather than absent at initial probe. Systems running Linux 6.8 and later with Intel Xe GPUs in fuse-disabled display configurations are affected; a low-privileged local user can trigger an unplanned system crash by initiating suspend or shutdown. No public exploit exists and EPSS is 0.17% (6th percentile), reflecting this as a reliability and local-denial-of-service issue rather than a broad security priority.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53141 MEDIUM PATCH This Month

Reference counting leaks in the Linux kernel's drm/v3d driver allow a local user to exhaust kernel memory and trigger a denial-of-service condition on systems equipped with Broadcom VideoCore VI GPUs (e.g., Raspberry Pi 4/5). The flaw exists across three code paths in the SET_GLOBAL and CLEAR_GLOBAL perfmon ioctls, as well as in the perfmon destroy path, each of which fails to release references acquired by v3d_perfmon_find(). No public exploit or active exploitation has been identified; EPSS probability stands at 0.17%, reflecting negligible automated exploitation interest.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53139 MEDIUM PATCH This Month

The drm/v3d GPU driver in the Linux kernel mishandles indirect Compute Shader Dispatch (CSD) jobs that carry zeroed workgroup dimension counts, allowing a local low-privilege user with GPU compute access to crash the VideoCore VI GPU subsystem. The hardware interprets a zero workgroup count as 65536 - exceeding the user-space-exposed maximum of 65535 - instead of treating the dispatch as a no-op, causing undefined GPU behavior and a denial-of-service condition. Exploitation is constrained to Broadcom VideoCore VI hardware (Raspberry Pi 4/5 ecosystem); EPSS is 0.17% (6th percentile), no public exploit exists, and the vulnerability is absent from CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53271 MEDIUM PATCH This Month

NULL pointer dereference in the ksmbd (in-kernel SMB server) subsystem of the Linux kernel causes a remotely triggerable kernel oops, resulting in denial of service. The race condition in smb2_oplock_break_noti() and smb2_lease_break_noti() allows an authenticated SMB client to crash the kernel by racing an SMB2 LOGOFF against an oplock/lease break notification - setting opinfo->conn to NULL in the window after ci->m_lock is dropped, then dereferencing it in ksmbd_conn_r_count_inc(). No public exploit identified at time of analysis; EPSS is very low at 0.16% (6th percentile), and CISA KEV listing is absent.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53261 MEDIUM PATCH This Month

Memory leak in the Linux kernel devlink subsystem allows a local low-privileged user to trigger resource exhaustion by inducing a Sub-Function (SF) probe failure, leaving a nested devlink relation unreleased. The flaw occurs because devlink_free() does not clear devlink->rel when an instance fails probe before reaching devl_register(), bypassing the normal cleanup path in devl_unregister(). No public exploit has been identified and EPSS is 0.16% (6th percentile), consistent with a low-real-world-risk kernel memory management defect; patch is available across multiple stable branches.

Linux Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53243 MEDIUM PATCH This Month

Uninitialized stack variable use in the Linux kernel's rseq (restartable sequences) subsystem exposes systems to kernel information leak and denial-of-service. The flaw in `rseq_exit_user_update()` arises from a C standard evaluation-order ambiguity in struct initialization, detected by syzbot's KMSAN (Kernel Memory Sanitizer) as a kernel-infoleak. Affected are Linux 7.0.10 through 7.0.12 and 7.1 release candidates rc3-rc6; exploitation requires local low-privilege access, no public exploit exists, and EPSS is very low at 0.16%.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53231 MEDIUM PATCH This Month

Deadlock in the Linux kernel PHY networking subsystem (net/phy) allows a local low-privileged user to freeze the networking stack on systems using the generic PHY driver (genphy) with SFP cage hardware. When genphy triggers PHY probing - which occurs while holding the RTNL lock - it erroneously calls sfp_bus_add_upstream(), which itself attempts to acquire RTNL, producing a self-deadlock confirmed by reproduction. No public exploit exists and EPSS is 0.16% (6th percentile), reflecting that exploitation requires an uncommon hardware and driver combination.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53206 MEDIUM PATCH This Month

Missing bounds validation in the Linux kernel's accel/ivpu Intel VPU accelerator driver allows a local low-privileged user on an affected Intel VPU-equipped system to trigger kernel memory allocation errors or a denial of service by supplying a malformed firmware image header specifying improperly aligned or undersized runtime memory. Affected versions include Linux 6.19 and 7.1-rc1 through rc6; fixed commits are available for both the 7.0.x stable series and the 7.1 branch. No public exploit identified at time of analysis; EPSS is 0.16% (6th percentile), and no CISA KEV listing exists, reflecting minimal real-world exploitation interest.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53258 MEDIUM This Month

Memory leak in the Linux kernel wifi cfg80211 subsystem allows a local low-privileged user to cause gradual kernel memory exhaustion by repeatedly triggering failed 6 GHz split scans. The leaked object is a 512-byte allocation in rdev->int_scan_req that escapes the cleanup path in ___cfg80211_scan_done() because rdev->scan_req is NULL at freeing time, causing an early return. No public exploit has been identified; EPSS of 0.16% (6th percentile) reflects very low real-world exploitation probability, and this vulnerability is not listed in CISA KEV.

Linux Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53222 MEDIUM PATCH This Month

Use-after-free in the Linux kernel ptp_ocp driver crashes the kernel during device removal on systems equipped with Open Compute Platform PTP hardware. The teardown function ptp_ocp_detach() frees pin resources before calling ptp_clock_unregister(), which then accesses those freed resources via ptp_disable_all_events(), introduced by commit a60fc3294a37. EPSS is 0.15% (5th percentile) and this vulnerability is not listed in CISA KEV, indicating no public exploitation and very low real-world risk outside specialized environments.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53204 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Intel Stratix10 RSU (Remote System Update) firmware driver causes a kernel panic when SMC call timeouts occur during probe initialization. Affected kernels through 7.1-rc7 and 7.0.13 expose a race condition where timeout-driven error paths in stratix10_rsu_probe() free the service channel - setting chan->scl to NULL - but fail to return early, allowing subsequent service kthreads to dereference the now-NULL pointer in their receive callbacks. The vulnerability is a local denial-of-service with no public exploit identified at time of analysis, and EPSS places exploitation probability at only 0.15%.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53169 MEDIUM PATCH This Month

Unbounded kernel log spam and conditional kernel panic in the Linux kernel's accel/ethosu Arm Ethos-U NPU driver allows any local unprivileged user with DRM device access to exhaust kernel log resources or crash the system. The driver's unimplemented NPU_OP_RESIZE command handler contains an unconditional WARN_ON(1) that fires every time userspace submits this operation via DRM_IOCTL_ETHOSU_GEM_CREATE. On systems where the panic_on_warn kernel parameter is enabled, this becomes a trivial denial-of-service primitive requiring only local DRM device access. No public exploit has been identified at time of analysis, and EPSS sits at the 5th percentile (0.15%), reflecting the niche hardware and non-default configuration requirements.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53257 MEDIUM PATCH This Month

Kernel crash in Linux cfg80211 WiFi subsystem occurs when EHT (Wi-Fi 7 / 802.11be) capability elements are present without matching EHT operation elements, triggering a null pointer dereference in mac80211 and causing a denial of service. Systems running affected kernel versions with Wi-Fi 7 hardware are at risk of a local-privilege kernel panic with no confidentiality or integrity impact. EPSS is extremely low at 0.15% (5th percentile) and no public exploit has been identified; this is not listed in CISA KEV.

Linux Denial Of Service
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-57452 MEDIUM PATCH This Month

Vim crashes with an out-of-bounds read when opening a maliciously crafted file encrypted with the xchacha20poly1305 cipher (VimCrypt~04! or VimCrypt~05!) whose body is shorter than a libsodium secretstream header. An unsigned integer underflow in the length calculation inside crypt_sodium_buffer_decode() causes the subsequent crypto_secretstream_xchacha20poly1305_pull() call to read far past the end of the input buffer, resulting in a denial-of-service crash. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the fix commit includes a concrete reproducer test case confirming the crash path.

Buffer Overflow Information Disclosure Vim Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-48722 MEDIUM PATCH GHSA This Month

Insecure default file permissions in Nextflow's `auth login` command expose Seqera Platform OIDC bearer tokens to any local user on shared POSIX systems running affected versions 25.09.2-edge through 26.04.1. The credential file `seqera-auth.config` is written via Java NIO without explicit permission bits, landing at mode 0644 under the typical umask 022, making it world-readable on HPC login nodes, shared workstations, and jump hosts - exactly the infrastructure where Nextflow is most commonly deployed. No public exploit has been identified at time of analysis and this vulnerability is not currently in the CISA KEV catalog, but the attack requires only a standard local account and trivial filesystem read, making it a practical lateral-movement primitive in multi-tenant research computing environments.

Privilege Escalation Java
NVD GitHub
CVSS 3.1
5.5
CVE-2026-55439 MEDIUM PATCH This Month

Path traversal in Halo's backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem, bypassing directory boundaries. Affected are all Halo deployments prior to version 2.24.3, where the MigrationServiceImpl.download() method invokes Path.resolve() on attacker-supplied filenames without enforcing containment within the designated backups directory. A compounding issue exists in the backup creation endpoint, which fails to sanitize status fields. No public exploit code or CISA KEV listing has been identified at time of analysis, and the PR:H requirement meaningfully constrains the attack surface.

Path Traversal Halo
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-46751 MEDIUM This Month

Lua sandbox escape in Apache Kvrocks exposes the host environment to authenticated users who hold EVAL command privileges. The database fails to strip the `loadstring` function from its Lua scripting environment, which is a standard hardening step in Redis-protocol-compatible systems; retaining it allows a sandboxed Lua script to load and execute arbitrary Lua bytecode dynamically, effectively escaping the intended script isolation. No public exploit code or CISA KEV listing exists at time of analysis; however, sandbox escapes of this class are well-understood and exploitable by any user granted EVAL access.

Path Traversal Buffer Overflow Apache
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-10086 MEDIUM PATCH NEWS This Month

Stored cross-site scripting in GitLab Enterprise Edition (all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1) lets an authenticated user holding only developer-role permissions inject unsanitized input that executes as JavaScript in a victim's browser session. Because the script runs with scope change in the context of another (potentially higher-privileged) user, an attacker can hijack sessions, exfiltrate data, or act on the victim's behalf. The flaw was reported privately via HackerOne and patched by GitLab; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Gitlab
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-5309 MEDIUM PATCH This Month

Authorization bypass in GitLab Enterprise Edition's virtual registry cleanup policy feature allows authenticated users to read or modify cleanup policy settings belonging to groups they do not own. Affected versions span all GitLab EE releases from 18.6 through 18.11.5, 19.0 through 19.0.2, and 19.1.0. Exploitation requires a valid GitLab EE account but no elevated privileges; no public exploit code exists and this is not in CISA KEV at time of analysis.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-54025 MEDIUM PATCH This Month

Cross-site scripting in LibreChat's markdown artifact preview pipeline allows an authenticated attacker to inject arbitrary JavaScript into a victim's browser session via crafted image alt text. The marked library v15.0.12 fails to HTML-escape double-quote characters in image alt text when LibreChat's custom image renderer falls through to the built-in renderer, enabling attribute breakout via payloads like `" onload="payload`. The resulting unsanitized HTML is written directly to `innerHTML` inside the Sandpack preview iframe, executing attacker-controlled code in the victim's browser. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; fixed in version 0.8.4-rc1.

XSS Librechat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-56023 MEDIUM This Month

Broken Access Control in the UPI QR Code Payment Gateway for WooCommerce plugin (versions <= 1.6.2) allows authenticated low-privilege WordPress users to perform actions or access endpoints reserved for higher-privileged roles, resulting in unauthorized modification of payment data or disruption of payment processing. The flaw, rooted in missing authorization checks (CWE-862), was disclosed by Patchstack and affects sites running WooCommerce with this Knit Pay plugin installed. No public exploit code has been identified at time of analysis, and it has not been confirmed as actively exploited.

Authentication Bypass WordPress Upi Qr Code Payment Gateway For Woocommerce
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-54573 MEDIUM PATCH This Month

API key scope bypass in Outline prior to 1.8.0 allows an authenticated attacker holding a limited-scope API key or OAuth token to perform actions on restricted endpoints by exploiting a URL fragment handling discrepancy. The `AuthenticationHelper.canAccess` function evaluates authorization against the fragment-appended URL path rather than the actual routed endpoint, enabling privilege escalation beyond the key's intended permissions. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity (PR:L, AC:L) makes this straightforward to exploit for any valid API key holder.

Authentication Bypass Privilege Escalation Outline
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-2238 MEDIUM PATCH This Month

Confidential issue references in GitLab CE/EE public projects are exposed to unauthenticated users due to missing authorization checks (CWE-862). Affecting all GitLab versions from 17.5 through 18.11.5, 19.0.0-19.0.2, and 19.1.0, this flaw enables any unauthenticated remote attacker to retrieve references to confidential issues on public projects - potentially revealing issue IDs, titles, or internal metadata that project owners explicitly restricted. No public exploit code or CISA KEV listing exists at time of analysis; however, the unauthenticated, low-complexity network vector makes this trivially automatable for reconnaissance against large GitLab installations.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56772 MEDIUM PATCH This Month

Broken access control in NewsBlur before 14.5.0 exposes any authenticated user's private social notification feed - follows, replies, and social activity - to any other authenticated user. The GET /social/interactions endpoint accepts an arbitrary user_id parameter and returns that user's MInteraction records without verifying the requesting session owns the account, a classic CWE-639 IDOR. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity (any registered account suffices) makes the flaw trivially exploitable by any NewsBlur user against any other.

Authentication Bypass Newsblur
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-48945 MEDIUM This Month

Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts inside zip or tar archives uploaded via the article gallery feature, which are then extracted as-is into the publicly accessible `/media/k2/galleries/<id>/` directory and remain directly executable via HTTP. The extension applies renaming sanitization only to recognized image types, leaving PHP, shell, and other dangerous file types completely unfiltered post-extraction - a textbook CWE-434 flaw. No public exploit has been identified at time of analysis, but the reported CVSS base vector (AV:N/AC:L/PR:N/UI:N) and the nature of the flaw indicate trivial exploitability; notably, the reported CVSS impact metrics (C:L/I:N/A:N) appear to significantly understate the actual consequence of achieving arbitrary PHP code execution on the server.

PHP File Upload K2 Extension For Joomla
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-11379 MEDIUM PATCH This Month

Incorrect authorization in GitLab Enterprise Edition's DAST site profile management exposes stored secrets to users with the Developer role under certain conditions. Affecting all GitLab EE releases from 13.11 through the recently patched 18.11.6, 19.0.3, and 19.1.1, the flaw allows a lower-privileged authenticated user to read secrets - such as authentication credentials or API tokens - embedded in DAST site profiles they should not have access to. No public exploit code or CISA KEV listing has been identified at time of analysis, and the high attack complexity (AC:H) implies specific conditions must align for exploitation to succeed.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-48504 MEDIUM PATCH GHSA This Month

Unbounded resource consumption in the Rust opentelemetry_sdk's BaggagePropagator::extract_with_context allows unauthenticated remote attackers to cause elevated CPU and heap allocation overhead by sending oversized W3C baggage propagation headers to any service using versions 0.32.0 or earlier. The SDK parsed the full header content before applying storage limits, meaning attacker-supplied data was processed and then discarded - wasting resources on every malicious request. A parallel design-level gap affects the Java (GHSA-rcgg-9c38-7xpx) and Go (GHSA-mh2q-q3fh-2475) OpenTelemetry SDKs, suggesting a cross-ecosystem pattern; no public exploit or active exploitation (KEV) has been identified.

Java Denial Of Service RCE Suse
NVD GitHub
CVSS 3.1
5.3
CVE-2026-13225 MEDIUM PATCH This Month

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbitrary HTML - including scripts - in the browser of anyone who views that page. The injection point is the email address field submitted at order creation, which pretix stored and rendered without output encoding on the per-ticket confirmation view. Exploitation requires no authentication (PR:N in CVSS 4.0) but does require a victim to load the affected page (UI:P). No public exploit is identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 2026.5.2.

XSS Pretix
NVD
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-6432 MEDIUM PATCH This Month

Improper bounds validation in Silicon Labs EmberZNet SDK versions 9.0.2 and earlier exposes Zigbee-connected devices to crashes and dynamic memory leakage via network-reachable input. Authenticated network attackers can trigger the flaw with low complexity, resulting in denial-of-service conditions or unintended disclosure of heap contents. No public exploit has been identified at time of analysis, and a vendor patch is available via the SISDK GitHub release repository.

Denial Of Service Sisdk
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-42389 MEDIUM PATCH This Month

DNS response manipulation in PowerDNS Recursor 5.4.x allows network-positioned attackers to inject false DNS records through insufficient validation of answers received from authoritative servers, resulting in low-integrity violations in name resolution for downstream clients. The 5.4.x branch received hardening patches per PowerDNS advisory 2026-08 to close this validation gap. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Recursor Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-40211 MEDIUM PATCH This Month

Denial of service in PowerDNS dnsdist's DNS over HTTP/3 (DoH3) handler allows unauthenticated remote attackers to exhaust server memory by opening high volumes of concurrent QUIC streams carrying crafted queries. Each crafted query triggers an exception that defers buffer deallocation until QUIC connection teardown rather than releasing memory promptly, enabling cumulative memory exhaustion across simultaneous streams. No public exploit code or active exploitation has been identified at time of analysis, and the attack surface is limited to instances with DoH3 explicitly enabled.

Denial Of Service Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-40209 MEDIUM PATCH This Month

TCP connection resource leak in PowerDNS dnsdist allows remote unauthenticated attackers to exhaust backend TCP connection capacity by sending IXFR (Incremental Zone Transfer) queries. Affected dnsdist instances fail to promptly release outgoing TCP connections to backends after IXFR processing, leaving them open until OS-level timeout; under sustained query volume this can exhaust the backend's concurrent connection limit or the dnsdist process's file descriptor table. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the AV:N/AC:L/PR:N attack surface makes the trigger trivially automatable from the internet.

Denial Of Service Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy