Persistent denial-of-service in zebrad (Zcash Foundation's Zcash node) up to and including v4.4.1 allows an attacker with mining capability and approximately 1,100-2,100 ZEC to permanently halt all Zebra nodes on the network by mining a single consensus-valid block. The block exploits a credit-before-debit processing order in the finalized transparent state writer, causing an intermediate per-address balance to overflow the MAX_MONEY cap and trigger a Rust panic-abort. Because the triggering block is consensus-valid, the panic recurs on every restart, creating an unrecoverable halt until the node is patched. No public exploit or KEV listing has been identified at time of analysis.
Consensus divergence in the Zcash Foundation's Zebra node (zebrad up to and including v4.4.1) lets a remote, unauthenticated attacker force a chain split between Zebra and zcashd validators without any mining capability. Zebra's P2SH signature-operation counter runs a pure-Rust path that short-circuits on disabled opcodes and undercounts sigops, so Zebra accepts blocks that zcashd rejects once the 20,000 block-sigop limit is straddled. There is no public exploit identified at time of analysis, but the advisory includes a concrete crafted redeem script demonstrating the divergence, and all default configurations are affected.
Remote denial-of-service in Zebra (zebrad ≤ v4.4.1), the Zcash Foundation's Rust node, lets an unauthenticated P2P peer permanently stall a targeted node at a chosen block height. By exploiting ZIP-244 transaction malleability, an attacker crafts a poisoned block body sharing the same header hash as a valid canonical block; Zebra caches the hash before validation and never evicts it on failure, so the legitimate block is later rejected as a duplicate. This is a real availability threat against default configurations, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was independently reproduced end-to-end by two researchers.
Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.
Denial of service in Conform's `parseSubmission` future API allows remote attackers to exhaust server CPU by submitting FormData or URLSearchParams payloads containing many unique field names. Affecting the @conform-to/dom npm package used in React/Remix form-handling stacks, the flaw stems from the parser repeatedly scanning submitted entries during name-based value lookups, producing worst-case super-linear (effectively quadratic) synchronous work per request. There is no public exploit identified at time of analysis and no CISA KEV listing; impact is availability degradation rather than data exposure, despite the input's mislabeled 'Information Disclosure' tag.
Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.
CSS injection sanitization bypass in SpecifyJS's server-side render-to-string function exposes applications to cross-site scripting when the library processes attacker-controlled CSS values. The sanitizer in core/src/server/render-to-string.ts (lines 307-311) used naive regex to block patterns like 'expression(' and 'url(javascript:' without first normalizing the input, allowing bypass via CSS unicode escapes (e.g., \65xpression()), null bytes, or CSS comments (e.g., exp/**/ression()). Critically, the XSS payload only executes in legacy browsers (IE6-IE10), which substantially limits real-world impact. No public exploit or CISA KEV listing has been identified at time of analysis.
HTTPS-enforcement bypass in the @asymmetric-effort/specifyjs Node.js library (fixed in v0.2.136) allows the internal assertSecureUrl guard to be defeated: when new URL() throws a parse error, the function returned silently instead of throwing, letting an unvalidated request proceed without the intended HTTPS/SSRF check. Attackers who can influence the URL passed into secure-fetch can supply a malformed value to skip validation, enabling server-side request forgery or protocol downgrade. This is a defense-control-bypass flaw with no CVSS score assigned and no public exploit identified at time of analysis.
{}` that carries no `CheckRedirect` policy. Because Go's `net/http` strips only the standard `Authorization`, `Cookie`, and `WWW-Authenticate` headers on cross-host redirects - not arbitrary custom headers - any 30x redirect issued by the configured `HubURI` causes both keys to be forwarded verbatim to the redirect destination. A proof-of-concept confirming the leak has been provided by the reporter; no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Incorrect conditional-move output in the RustCrypto `cmov` crate's aarch64 backend causes cryptographic constant-time operations to silently produce wrong results on aarch64 platforms. The inline assembly implementations of `Cmov` and `CmovEq` compare full 32-bit register contents instead of the intended narrowed type widths when evaluating conditions, because Rust's inline assembly specification explicitly leaves upper register bits undefined for inputs smaller than the register size. A proof-of-concept demonstrating the failure is included in the advisory; the vulnerability is not listed in CISA KEV and no active exploitation has been reported.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() l2cap_chan_close() removes the channel from conn->chan_l, which must be done under conn->lock. cleanup_listen() runs under the parent sk_lock, so acquiring conn->lock would invert the established conn->lock -> chan->lock -> sk_lock order. Instead of calling l2cap_chan_close() directly, schedule l2cap_chan_timeout with delay 0 to close the channel asynchronously. The timeout handler already acquires conn->lock and chan->lock in the correct order. The timer is only armed when chan->conn is still set: if it is already NULL, l2cap_conn_del() has already processed this channel (l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb), so there is nothing left to do. If l2cap_conn_del() races in after the timer is armed, __clear_chan_timer() inside l2cap_chan_del() cancels it; if the timer has already fired, the handler returns harmlessly because chan->conn was cleared.
Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www
Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www
Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www
Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www
Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www
Insufficient data exists to characterize this vulnerability. CVE-2026-47251 was reported by Ubuntu but carries no description, CVSS score, CVSS vector, CWE classification, or reference links at the time of this analysis. No impact, affected product, or exploitation mechanism can be determined from the available intelligence. Security teams should treat this as unresolved pending vendor disclosure.
Insufficient intelligence to synthesize. CVE-2026-47709 description is marked unknown, CVSS vector is not available, CWE is not available, and no product name or affected versions are specified - only that Ubuntu reported it. Comprehensive vulnerability analysis requires description, CVSS vector, affected product details, and remediation data.
Insufficient data to analyze. CVE-2026-47254 is reported by Ubuntu but no description, CVSS score, vector, or CWE information is available. Cannot determine attack vector, affected product, version, or real-world impact without vulnerability details.
Insufficient data to produce analysis. CVE-2026-48029 description is marked as unknown; no CVSS, CWE, EPSS, KEV status, or technical details provided. Only source is vendor:ubuntu attribution.
CVE-2026-47247 has been reported by Ubuntu but carries no public description, CVSS score, CWE classification, or technical details at time of analysis. The affected product, vulnerability class, and impact are entirely unknown. No meaningful synthesis is possible from available data - this CVE should be treated as a placeholder or pre-disclosure record pending vendor publication.
CVE-2026-47714 is a vulnerability reported by Ubuntu with no public description, CVSS score, CWE classification, or technical details available at time of analysis. The affected product, vulnerability class, and impact cannot be determined from the available intelligence. No exploitation status, patch availability, or affected version range has been confirmed.