Skip to main content
CVE-2026-21368 MEDIUM This Month

Out-of-bounds write in Qualcomm Snapdragon's JPEG command parser exposes local low-privilege users to memory corruption via crafted JPEG input. Validation checks within the parser fail to account for extra buffer writes, overwriting adjacent memory and enabling a scope change beyond the vulnerable component's boundary - consistent with Snapdragon's isolated subsystem architecture (DSP, camera ISP). Qualcomm disclosed this in its July 2026 Security Bulletin; no public exploit identified at time of analysis.

Memory Corruption Buffer Overflow Snapdragon
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-21384 MEDIUM This Month

Memory corruption in Qualcomm Snapdragon firmware triggers an out-of-bounds write (CWE-787) when prepared commands are updated using invalid port indices supplied from user space that exceed supported read client limits. The vulnerability spans an exceptionally broad portfolio of Snapdragon chipsets covering mobile, automotive, XR/AR, and connectivity platforms. No public exploit has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and the flaw as non-automatable, though the changed scope (S:C) in the CVSS vector indicates impact can propagate beyond the directly vulnerable firmware component.

Memory Corruption Buffer Overflow Snapdragon
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-58402 MEDIUM PATCH This Month

Stored XSS in Hugo's default code-block renderer allows an attacker with Markdown contribution rights to inject arbitrary JavaScript into generated static pages. Hugo versions 0.60.0 through 0.163.2 write the code-fence info-string (language identifier) directly into HTML attribute values without escaping, so a crafted info-string containing a quote character and script payload breaks out of the attribute context. No public exploit or KEV listing exists at time of analysis; the CVSS 4.0 score of 5.1 reflects the requirement for prior write access and victim interaction.

XSS Hugo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-34167 MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Coolify's ActivityMonitor Livewire component allows any authenticated user to enumerate and read activity records belonging to other teams, including full SSH process command outputs that may contain secrets, credentials, and infrastructure configuration details. Affected are all Coolify self-hosted deployments prior to version 4.0.0-beta.471. No special privileges beyond a valid user account are required, and auto-incrementing integer activity IDs make enumeration trivial. No public exploit code has been identified at time of analysis and this CVE is not in CISA KEV, but the low attack complexity and sensitive data exposure make this a meaningful risk for multi-tenant Coolify deployments.

Authentication Bypass Coolify
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-59152 MEDIUM PATCH This Month

Path traversal in LangSmith Client SDK's TracingMiddleware (versions prior to 0.8.18) enables a trust-boundary crossing where any party with LangSmith workspace trace-read access can exfiltrate arbitrary files from servers running the middleware. An attacker sends a crafted HTTP request to a TracingMiddleware-instrumented server, causing it to read a local filesystem path and upload the contents to LangSmith as a trace attachment, which the attacker then retrieves via their workspace access. No public exploit has been identified at time of analysis, but the low complexity and broadly scoped file read make this a meaningful risk for any multi-tenant or contractor-accessible LangSmith deployment.

Path Traversal Langsmith Sdk
NVD GitHub
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-53641 MEDIUM This Month

Stored XSS in FOSSBilling 0.6.0-0.7.2 allows an authenticated admin to inject persistent JavaScript payloads into email HTML content that execute in client browsers when victims view their email history. The root cause is use of the `|raw` Twig filter to embed `content_html` directly into a JavaScript template literal, bypassing all output escaping. No active exploitation or public proof-of-concept has been identified at time of analysis; EPSS data was not provided in source intelligence.

XSS Fossbilling
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-1433 MEDIUM This Month

Information disclosure in uniFLOW Universal Login Manager (ULM) Standalone exposes sensitive SMTP and LDAP integration configuration data to authenticated administrators via the Remote User Interface (RUI). The flaw, classified under CWE-522 (Insufficiently Protected Credentials), applies exclusively to Standalone ULM deployments - environments integrated with uniFLOW Server or uniFLOW Online are explicitly confirmed unaffected. No public exploit code has been identified at time of analysis, and exploitation requires high-privilege access on an adjacent network, substantially limiting real-world risk.

Information Disclosure Uniflow Ulm Universal Login Manager Standalone
NVD
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-53624 MEDIUM PATCH GHSA This Month

HSTS header delivery is permanently broken in gofiber/fiber's helmet middleware due to a logic error that compares the HTTP protocol version string ('HTTP/1.1', 'HTTP/2.0') against the literal string 'https' - a comparison that is always false in any real deployment, making the entire HSTS conditional block dead code. Applications using Fiber that configure HSTSMaxAge expecting HSTS protection receive none, silently eliminating a security control that operators believe is active. A maintainer-runnable POC confirming the bug has been published with the advisory; no CISA KEV listing exists, but any application relying on helmet for HSTS protection has had that protection stripped since the erroneous code was introduced.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-14801 MEDIUM PATCH This Month

Divide-by-zero in GPAC's TeXML file handler crashes the process when a crafted file carries a zero or invalid txml_timescale value, triggering an unhandled arithmetic exception in txtin_probe_duration. The affected version is the development snapshot 26.03-DEV-rev342-g80071f700-master; exploitation is constrained to local users able to supply malicious input files, with impact limited to a process-level denial of service. No active exploitation or public proof-of-concept has been identified; an upstream fix commit is available on GitHub but no patched stable release has been independently confirmed.

Information Disclosure Gpac
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-54432 MEDIUM PATCH This Month

CVE-2026-54432 is a vulnerability reported by Ubuntu with no description, CVSS score, CWE classification, or technical detail available in the provided intelligence data. The affected product is inferred as Ubuntu Linux based solely on the vendor reporter tag. No impact, attack vector, or exploitability information can be determined from the current data set.

XSS
NVD VulDB
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-58404 MEDIUM PATCH This Month

Build-time SSRF in Hugo static site generator (v0.162.0-v0.163.0) allows bypass of the `security.http.urls` IP-block policy by supplying loopback or cloud-metadata addresses in alternate IPv4 encodings - integer, hex, or octal - that the deny rule does not recognize but the cgo system resolver silently normalizes and resolves. Templates invoking `resources.GetRemote` with attacker-influenced or data-derived URLs can reach internal services and cloud-metadata endpoints (e.g., AWS IMDSv1) at build time, a particularly acute risk in CI pipelines and hosted build services where instance credentials are accessible. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the fix is available in v0.163.1.

SSRF Hugo
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.2%
CVE-2026-55798 MEDIUM PATCH This Month

Command injection in Pillow's WindowsViewer component (all versions prior to 12.3.0) allows arbitrary cmd.exe command execution when a user opens an image with a crafted filename containing shell metacharacters. The root cause is in WindowsViewer.get_command(), which embeds an unsanitized file path directly into an f-string and passes the result to subprocess.Popen with shell=True on Windows. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Command Injection Python Pillow
NVD GitHub VulDB
CVSS 3.1
4.5
EPSS
0.1%
CVE-2026-38973 MEDIUM This Month

mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().

Buffer Overflow N A Information Disclosure
NVD GitHub
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-58214 MEDIUM PATCH This Month

Insufficient data exists to characterize this vulnerability. CVE-2026-58214 was reported by Ubuntu (vendor source) but carries no description, CVSS score, vector, or CWE at time of analysis. The affected component, attack vector, and impact are all unknown. Security teams should monitor the Ubuntu Security Notices (USN) feed and the NVD entry for this CVE for forthcoming details.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-58209 MEDIUM PATCH This Month

Insufficient data exists to characterize CVE-2026-58209 beyond its association with an Ubuntu vendor report. The CVE description is absent, no CVSS score or vector has been assigned, no CWE root cause is identified, and no additional intelligence sources were provided. Security teams should treat this as an unresolved reservation requiring active follow-up with Ubuntu Security Notices (USN) or the NVD pending full disclosure.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-49439 MEDIUM POC PATCH GHSA This Month

{realm}/asset/predicted/{assetId}/{attributeName}) incorrectly authorizes write operations by checking READ_ASSETS permission instead of WRITE_ASSETS, enabling any authenticated user with read:assets privileges to persist arbitrary predicted datapoint values to the database. This privilege escalation exposes IoT asset prediction data to tampering by low-privileged or compromised accounts. A working proof-of-concept is embedded in the public GitHub Security Advisory GHSA-xj53-j257-hxvg; no active exploitation has been identified in CISA KEV.

Authentication Bypass Java
NVD GitHub
CVSS 3.1
4.3
CVE-2026-54637 MEDIUM PATCH GHSA This Month

Unauthenticated SSRF in Dragonfly's scheduler v1 gRPC service allows any remote client to force the scheduler to issue HTTP GET requests to arbitrary internal addresses, including loopback (127.0.0.1), cloud metadata endpoints (169.254.0.0/16), and RFC1918 ranges. The scheduler's `DownloadTinyFile()` function constructs HTTP requests from attacker-controlled `PeerHost.Ip` and `PeerHost.DownPort` gRPC fields with no destination address validation, and stores up to 128 bytes of each fetched response in `Task.DirectPiece`, which is subsequently served to other peers. The input tag of 'RCE' in the source intelligence is incorrect - this is a read-SSRF with a limited exfiltration path, not remote code execution. A fully confirmed proof-of-concept exists against v2.4.4-rc.2; no patched release version has been identified at time of analysis.

SSRF RCE
NVD GitHub
CVE-2026-58212 MEDIUM This Month

CVE-2026-58212 is reported by Ubuntu with no publicly available description, CVSS score, CWE classification, or technical detail at time of analysis. The sole intelligence signal is attribution to the Ubuntu vendor source, leaving the affected component, vulnerability class, and impact entirely uncharacterized. No meaningful risk assessment is possible without additional data from Ubuntu's security tracker or an upstream advisory.

Information Disclosure
NVD
CVE-2026-12893 MEDIUM This Month

NULL pointer dereference in the error handler of gstavdemux.c within gstreamer1-libav can crash the GStreamer pipeline process when it encounters a malformed or crafted media stream during AV demuxing. The flaw resides specifically in error recovery logic - the code path meant to handle failures itself dereferences a NULL pointer, producing a denial-of-service condition in any application relying on this plugin for media playback or processing. No public exploit code or active exploitation has been identified at time of analysis; this appears to be a stability/reliability bug reported through Ubuntu's vendor channel.

Denial Of Service Red Hat
NVD
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy