Skip to main content
CVE-2026-52738 MEDIUM PATCH GHSA This Month

Persistent denial-of-service in zebrad (Zcash Foundation's Zcash node) up to and including v4.4.1 allows an attacker with mining capability and approximately 1,100-2,100 ZEC to permanently halt all Zebra nodes on the network by mining a single consensus-valid block. The block exploits a credit-before-debit processing order in the finalized transparent state writer, causing an intermediate per-address balance to overflow the MAX_MONEY cap and trigger a Rust panic-abort. Because the triggering block is consensus-valid, the panic recurs on every restart, creating an unrecoverable halt until the node is patched. No public exploit or KEV listing has been identified at time of analysis.

Buffer Overflow
NVD GitHub
CVE-2026-52735 CRITICAL PATCH GHSA Act Now

Consensus divergence in the Zcash Foundation's Zebra node (zebrad up to and including v4.4.1) lets a remote, unauthenticated attacker force a chain split between Zebra and zcashd validators without any mining capability. Zebra's P2SH signature-operation counter runs a pure-Rust path that short-circuits on disabled opcodes and undercounts sigops, so Zebra accepts blocks that zcashd rejects once the 20,000 block-sigop limit is straddled. There is no public exploit identified at time of analysis, but the advisory includes a concrete crafted redeem script demonstrating the divergence, and all default configurations are affected.

Authentication Bypass
NVD GitHub
CVE-2026-52736 HIGH PATCH GHSA This Week

Remote denial-of-service in Zebra (zebrad ≤ v4.4.1), the Zcash Foundation's Rust node, lets an unauthenticated P2P peer permanently stall a targeted node at a chosen block height. By exploiting ZIP-244 transaction malleability, an attacker crafts a poisoned block body sharing the same header hash as a valid canonical block; Zebra caches the hash before validation and never evicts it on failure, so the legitimate block is later rejected as a duplicate. This is a real availability threat against default configurations, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was independently reproduced end-to-end by two researchers.

Information Disclosure Canonical Checkpoint
NVD GitHub
CVE-2026-49254 LOW POC PATCH GHSA Monitor

Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.

Google Authentication Bypass Redis Docker Information Disclosure
NVD GitHub
CVE-2026-49250 HIGH PATCH GHSA This Week

Denial of service in Conform's `parseSubmission` future API allows remote attackers to exhaust server CPU by submitting FormData or URLSearchParams payloads containing many unique field names. Affecting the @conform-to/dom npm package used in React/Remix form-handling stacks, the flaw stems from the parser repeatedly scanning submitted entries during name-based value lookups, producing worst-case super-linear (effectively quadratic) synchronous work per request. There is no public exploit identified at time of analysis and no CISA KEV listing; impact is availability degradation rather than data exposure, despite the input's mislabeled 'Information Disclosure' tag.

Information Disclosure
NVD GitHub
CVE-2026-49852 HIGH POC PATCH GHSA This Week

Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.

Authentication Bypass Python Canonical Redis
NVD GitHub VulDB
CVE-2026-50290 MEDIUM PATCH GHSA This Month

CSS injection sanitization bypass in SpecifyJS's server-side render-to-string function exposes applications to cross-site scripting when the library processes attacker-controlled CSS values. The sanitizer in core/src/server/render-to-string.ts (lines 307-311) used naive regex to block patterns like 'expression(' and 'url(javascript:' without first normalizing the input, allowing bypass via CSS unicode escapes (e.g., \65xpression()), null bytes, or CSS comments (e.g., exp/**/ression()). Critically, the XSS payload only executes in legacy browsers (IE6-IE10), which substantially limits real-world impact. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS
NVD GitHub
CVE-2026-50288 HIGH PATCH GHSA This Week

HTTPS-enforcement bypass in the @asymmetric-effort/specifyjs Node.js library (fixed in v0.2.136) allows the internal assertSecureUrl guard to be defeated: when new URL() throws a parse error, the function returned silently instead of throwing, letting an unvalidated request proceed without the intended HTTPS/SSRF check. Attackers who can influence the URL passed into secure-fetch can supply a malformed value to skip validation, enabling server-side request forgery or protocol downgrade. This is a defense-control-bypass flaw with no CVSS score assigned and no public exploit identified at time of analysis.

SSRF
NVD GitHub
CVE-2026-50192 MEDIUM POC PATCH GHSA This Month

{}` that carries no `CheckRedirect` policy. Because Go's `net/http` strips only the standard `Authorization`, `Cookie`, and `WWW-Authenticate` headers on cross-host redirects - not arbitrary custom headers - any 30x redirect issued by the configured `HubURI` causes both keys to be forwarded verbatim to the redirect destination. A proof-of-concept confirming the leak has been provided by the reporter; no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect Information Disclosure
NVD GitHub
CVE-2026-50185 MEDIUM POC PATCH GHSA This Month

Incorrect conditional-move output in the RustCrypto `cmov` crate's aarch64 backend causes cryptographic constant-time operations to silently produce wrong results on aarch64 platforms. The inline assembly implementations of `Cmov` and `CmovEq` compare full 32-bit register contents instead of the intended narrowed type widths when evaluating conditions, because Rust's inline assembly specification explicitly leaves upper register bits undefined for inputs smaller than the register size. A proof-of-concept demonstrating the failure is included in the advisory; the vulnerability is not listed in CISA KEV and no active exploitation has been reported.

Information Disclosure
NVD GitHub
CVE-2026-53358 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() l2cap_chan_close() removes the channel from conn->chan_l, which must be done under conn->lock. cleanup_listen() runs under the parent sk_lock, so acquiring conn->lock would invert the established conn->lock -> chan->lock -> sk_lock order. Instead of calling l2cap_chan_close() directly, schedule l2cap_chan_timeout with delay 0 to close the channel asynchronously. The timeout handler already acquires conn->lock and chan->lock in the correct order. The timer is only armed when chan->conn is still set: if it is already NULL, l2cap_conn_del() has already processed this channel (l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb), so there is nothing left to do. If l2cap_conn_del() races in after the timer is armed, __clear_chan_timer() inside l2cap_chan_del() cancels it; if the timer has already fired, the handler returns harmlessly because chan->conn was cleared.

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-13117 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-13379 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-11771 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-12932 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-12996 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-47251 MEDIUM This Month

Insufficient data exists to characterize this vulnerability. CVE-2026-47251 was reported by Ubuntu but carries no description, CVSS score, CVSS vector, CWE classification, or reference links at the time of this analysis. No impact, affected product, or exploitation mechanism can be determined from the available intelligence. Security teams should treat this as unresolved pending vendor disclosure.

Information Disclosure
NVD
CVE-2026-47709 MEDIUM PATCH This Month

Insufficient intelligence to synthesize. CVE-2026-47709 description is marked unknown, CVSS vector is not available, CWE is not available, and no product name or affected versions are specified - only that Ubuntu reported it. Comprehensive vulnerability analysis requires description, CVSS vector, affected product details, and remediation data.

Information Disclosure
NVD
CVE-2026-47254 MEDIUM PATCH This Month

Insufficient data to analyze. CVE-2026-47254 is reported by Ubuntu but no description, CVSS score, vector, or CWE information is available. Cannot determine attack vector, affected product, version, or real-world impact without vulnerability details.

Information Disclosure
NVD
CVE-2026-48029 MEDIUM PATCH This Month

Insufficient data to produce analysis. CVE-2026-48029 description is marked as unknown; no CVSS, CWE, EPSS, KEV status, or technical details provided. Only source is vendor:ubuntu attribution.

Information Disclosure
NVD
CVE-2026-47247 MEDIUM This Month

CVE-2026-47247 has been reported by Ubuntu but carries no public description, CVSS score, CWE classification, or technical details at time of analysis. The affected product, vulnerability class, and impact are entirely unknown. No meaningful synthesis is possible from available data - this CVE should be treated as a placeholder or pre-disclosure record pending vendor publication.

Information Disclosure
NVD
CVE-2026-47714 MEDIUM PATCH This Month

CVE-2026-47714 is a vulnerability reported by Ubuntu with no public description, CVSS score, CWE classification, or technical details available at time of analysis. The affected product, vulnerability class, and impact cannot be determined from the available intelligence. No exploitation status, patch availability, or affected version range has been confirmed.

Information Disclosure
NVD
Prev Page 7 of 7

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy