Skip to main content
CVE-2026-49173 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Microsoft Windows Kernel (Windows 11 version 26H1) lets an already-authenticated low-privileged user corrupt kernel memory through a use-after-free condition and gain SYSTEM-level control. Microsoft self-reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (High) score reflects full confidentiality, integrity, and availability compromise achievable entirely from a local, low-privilege foothold with no user interaction.

Use After Free Memory Corruption Denial Of Service Microsoft Windows 11 Version 26H1
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-49176 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Windows WalletService allows an authenticated low-privileged attacker to gain SYSTEM-level rights on the host, per CVSS:3.1 AV:L/AC:L/PR:L (7.8, High). The flaw stems from improper privilege management (CWE-269) in the WalletService component and affects a broad range of Windows client and server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch from Microsoft is available.

Microsoft Privilege Escalation Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +11
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-10669 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in Zephyr RTOS on Xtensa SoCs (v3.7.0 through v4.4.0) built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, where arch_buffer_validate() fails open on an integer-overflow edge case, letting an unprivileged user thread trick the kernel into reading or writing arbitrary kernel/partition memory on its behalf. The flaw stems from a default-permit return value combined with a ROUND_UP address-space wrap that skips the MPU probe loop entirely, and it is not caught by the existing syscall-layer overflow guards. Vendor patch is available; no public exploit identified at time of analysis, and this is not in CISA KEV.

Denial Of Service Privilege Escalation Information Disclosure Buffer Overflow Memory Corruption +1
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-15392 HIGH PATCH This Week

Arbitrary file read/write in Perl's DBD::File before 1.651 lets callers of file-based DBI drivers escape the configured data directory via a symbolic link placed inside it. Because the complete_table_name method resolved the absolute table-file path without validating whether the entry was a symlink, a link within f_dir could point to any path on the filesystem, breaking the directory sandbox for both reads and writes. No public exploit has been identified at time of analysis, and the flaw is not in CISA KEV; a vendor patch (DBI 1.651) is available.

Path Traversal Dbd
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-48348 HIGH This Week

Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an Incorrect Authorization flaw (CWE-863) that lets a maliciously crafted file run code in the context of the current user. Exploitation requires the victim to open the attacker-supplied file and depends on conditions beyond the attacker's control, and there is no public exploit identified at time of analysis. Adobe self-reported the issue and published fixes in advisory APSB26-83.

Authentication Bypass RCE Adobe Animate 2023 Adobe Animate 2024
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-50647 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft Active Directory Federation Services (AD FS) allows an unauthenticated, remote attacker to send crafted network requests that drive a request-handling routine into an infinite loop (CWE-835), exhausting CPU and rendering the federation service unavailable. All supported Windows Server releases hosting the AD FS role are impacted, and because the flaw requires no authentication and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N/UI:N), it can knock out single sign-on for every relying-party application. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-priority availability issue rather than a confirmed active-exploitation event.

Denial Of Service Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +14
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2026-50355 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash or render the federation service unavailable by triggering a stack-based buffer overflow over the network. The flaw affects the AD FS role across Windows Server 2012 through 2025 (including Server Core installations) and carries a CVSS 7.5 rating driven entirely by availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available.

Buffer Overflow Stack Overflow Windows 10 Version 1607 Windows 10 Version 1809 Windows Server 2012 +10
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2026-50304 HIGH PATCH This Week

Denial of service in Microsoft Active Directory Federation Services (AD FS) lets a remote, unauthenticated attacker crash the service by triggering a stack-based buffer overflow (CWE-121) over the network. Because AD FS commonly fronts single sign-on for Microsoft 365, SaaS, and internal web applications, a successful crash can knock out federated authentication for an entire organization. No public exploit identified at time of analysis, and the flaw is availability-only — confidentiality and integrity are not impacted per the CVSS vector.

Buffer Overflow Stack Overflow Windows 10 Version 1607 Windows 10 Version 1809 Windows Server 2012 +10
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2026-50158 HIGH PATCH GHSA This Week

Arbitrary file write in yutu, a Go-based YouTube CLI and MCP server, lets any caller of the built-in `caption-download` MCP tool place attacker-controlled bytes at any filesystem path the yutu process can write to. The vulnerable `Caption.Download()` calls `os.Create()` on the caller-supplied `file` parameter, bypassing the `YUTU_ROOT` (`pkg.Root`/`os.OpenRoot`) confinement that every other caption write path enforces. Publicly available exploit code exists (a self-contained Docker PoC ships with the advisory); the flaw is not in CISA KEV and no active exploitation is reported, and the vendor has released a fixed version (0.10.9-dev1).

Denial Of Service Debian Python Docker RCE
NVD GitHub
CVSS 3.1
7.7
CVE-2026-14903 HIGH This Week

Arbitrary file disclosure in Ivanti Xtraction before 2026.2.1 lets a remote, authenticated attacker traverse outside the application's web root and read sensitive files from the underlying host. The CVSS 3.1 score of 7.7 reflects a scope change (S:C), meaning the impact reaches beyond the web application into the host filesystem, though only confidentiality is affected. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS score was provided.

Path Traversal Ivanti Xtraction
NVD
CVSS 3.1
7.7
EPSS
1.0%
CVE-2026-54116 MEDIUM PATCH Exploit Unlikely This Month

Type confusion (CWE-843) in Microsoft SQL Server 2025 enables authenticated, low-privileged network attackers to disclose sensitive server-side information. The CVSS vector (AV:N/PR:L/C:H) confirms that any authorized database user - regardless of their data access permissions - can potentially trigger the flaw remotely with no user interaction required. No public exploit code or CISA KEV listing exists at time of analysis, but the high confidentiality impact and low access complexity make patching a meaningful priority for organizations running SQL Server 2025.

Memory Corruption Information Disclosure Microsoft Sql Server 2025 Cu 6 Microsoft Sql Server 2025 For X64 Based Systems Gdr
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2026-58627 HIGH PATCH This Week

Denial of service in the Microsoft Windows DHCP Server role allows a remote, unauthenticated attacker to exhaust server resources and knock the service offline over the network. The flaw affects a broad range of supported Windows Server releases (2012 through 2025, including Server Core installations) and carries a CVSS 7.5 rating driven entirely by availability impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Microsoft Denial Of Service Windows 10 Version 1607 Windows 10 Version 1809 Windows Server 2012 +10
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2026-58539 HIGH PATCH This Week

Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.

Buffer Overflow Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2026-40378 HIGH PATCH Exploit Unlikely This Week

Denial of service in the Windows Local Security Authority Subsystem Service (LSASS) allows a remote, unauthenticated attacker to crash the service and disrupt authentication across all supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. The flaw stems from an excessive-size memory allocation (CWE-789) triggerable over the network with no privileges or user interaction, and while a vendor patch is available, there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability (A:H) with no confidentiality or integrity loss, but LSASS failure can force system instability or reboots, affecting domain authentication and logon.

Authentication Bypass Microsoft Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +16
NVD VulDB
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-54119 HIGH PATCH This Week

Denial of service in Windows Active Directory (spanning Windows 10, Windows 11, and Windows Server 2012 through 2025) lets a remote, unauthenticated attacker send crafted network traffic that drives an AD service into an infinite loop, exhausting CPU and rendering domain services unavailable. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N with high availability impact and no confidentiality or integrity loss, this is a pure availability threat against domain controllers. Microsoft has released a patch; there is no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft Denial Of Service Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-50696 HIGH PATCH This Week

Network denial of service in the Windows Internet Key Exchange (IKE) protocol implementation allows an unauthenticated remote attacker to crash affected systems by triggering a heap-based buffer overflow. All impact is to availability only (CVSS 7.5, A:H, no confidentiality or integrity loss), making this a reliability/uptime threat against IPsec/VPN-facing Windows 10, Windows 11, and Windows Server hosts rather than a code-execution vulnerability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a meaningful patching priority for internet-exposed IPsec endpoints.

Heap Overflow Buffer Overflow Microsoft Windows 10 Version 1809 Windows 10 Version 21H2 +9
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-50695 HIGH PATCH This Week

Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash the service by triggering a stack-based buffer overflow over the network (CVSS 7.5, availability-only impact). Because AD FS brokers single sign-on and federated authentication, a successful attack can knock out login for every downstream application that relies on it. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Buffer Overflow Stack Overflow Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-50411 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash the service by sending crafted network input that overflows a stack buffer (CWE-121). Because AD FS commonly fronts single sign-on for Microsoft 365, Azure AD, and federated web applications, an outage cascades into loss of authentication for every relying-party application. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; a Microsoft patch is available, and the CVSS 3.1 score is 7.5 (availability-only impact).

Buffer Overflow Stack Overflow Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-50368 HIGH PATCH This Week

Remote denial of service in Microsoft Active Directory Federation Services (ADFS) allows an unauthenticated network attacker to crash the service via a stack-based buffer overflow (CWE-121). The flaw affects the ADFS role across Windows Server 2012 through 2025 (and the underlying Windows 10 1607/1809 servicing components), carries a CVSS 7.5 availability-only score, and was reported by Microsoft with a patch available. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow Stack Overflow Windows 10 Version 1607 Windows 10 Version 1809 Windows Server 2012 +10
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-44806 HIGH PATCH Exploit Unlikely This Week

Denial of service in Windows Cryptographic Services affects a broad sweep of supported Microsoft platforms, from Windows 10 (1607) and Server 2012 through Windows 11 26H1 and Server 2025. A memory-leak flaw (CWE-401) lets a remote, unauthenticated attacker send network traffic that fails to release memory over time, degrading or exhausting the affected service until availability is impacted. There is no public exploit identified at time of analysis, exploitation is not yet observed (SSVC: none), and EPSS is low (0.78%), but a vendor patch is available and Automatable is 'yes', warranting prompt patching.

Authentication Bypass Microsoft Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-49181 HIGH PATCH Exploit Unlikely This Week

Information disclosure (and vendor-labeled privilege elevation) in the Windows DHCP Client affects Windows 10 (1607/1809), Windows Server 2012 through 2025, and their Server Core installations via an integer underflow (CWE-191) reachable over the network. A remote attacker positioned to answer DHCP traffic can craft malformed responses that wrap a length/counter calculation, with a CVSS 3.1 base of 7.5 (confidentiality impact only per the published vector). No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Microsoft ships a patch.

Authentication Bypass Microsoft Integer Overflow Windows 10 Version 1607 Windows 10 Version 1809 +11
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-50468 MEDIUM PATCH Exploit Unlikely This Month

Buffer over-read in Microsoft SQL Server 2025 exposes server memory contents to low-privileged authenticated attackers over the network, resulting in high confidentiality impact with no integrity or availability consequences. Both the Cumulative Update 6 (CU 6) and General Distribution Release (GDR) servicing tracks on x64-based systems are confirmed affected per vendor CPE data. No public exploit has been identified and CISA has not listed this in KEV; SSVC assessment corroborates no active exploitation at time of analysis, placing this in a measured but real priority category for environments handling sensitive SQL data.

Buffer Overflow Microsoft Sql Server 2025 Cu 6 Microsoft Sql Server 2025 For X64 Based Systems Gdr
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2026-56185 MEDIUM PATCH Exploit Unlikely This Month

Improper authentication in Windows Admin Center allows an authorized attacker to disclose information over a network.

Authentication Bypass Microsoft Windows Admin Center
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-47282 MEDIUM PATCH Exploit Unlikely This Month

Insufficiently protected credentials in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Information Disclosure Visual Studio Code
NVD VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-15709 HIGH This Week

Denial of service in libsoup's WebSocket permessage-deflate implementation lets a remote, unauthenticated attacker crash applications by sending a small, highly compressed 'decompression bomb' that expands without bound during inflation, exhausting memory and triggering an Out-of-Memory kill. All Red Hat Enterprise Linux 6 through 10 ship the affected libsoup HTTP/WebSocket library, and client connections are especially exposed because the decompressed-size guard (max_total_message_size) is disabled by default for clients. There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-52100 HIGH This Week

Arbitrary code execution in andreimarcu linx-server (a self-hosted file/media sharing service) versions 1.0 through 2.3.8 can be triggered by a remote attacker abusing a Cross-Site Request Forgery flaw in the uploadPutHandler function, per NVD and MITRE. Because the upload endpoint lacks anti-CSRF protection, an attacker can forge upload requests that ride an authenticated victim's session to achieve code execution. No public exploit has been identified in the provided data, though a third-party vulnerability report is referenced; the flaw is not listed in CISA KEV and no EPSS score was supplied.

CSRF RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-54087 HIGH PATCH GHSA This Week

Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.

XSS Privilege Escalation PHP CSRF RCE
NVD GitHub
CVSS 3.1
7.6
CVE-2026-58233 HIGH This Week

Insecure deserialization in the SAP Change and Transport System Attach Tool (ctsattach) lets an authenticated, low-privileged attacker achieve remote code execution by supplying a crafted archive that a victim then processes through the tool's library. Successful exploitation yields high confidentiality and integrity impact - attackers can read sensitive data and take control of the host and its processes - with low availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-502 root cause and 7.6 CVSS make this a meaningful patch priority for SAP landscapes.

Deserialization SAP RCE Sap Change And Transport System Attach Tool Ctsattach
NVD
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-56648 HIGH PATCH This Week

Elevation of privilege in the Windows Network File System (NFS) component affects a broad range of Microsoft platforms - Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025 - where an authorized attacker can win a time-of-check/time-of-use (TOCTOU) race condition over the network to gain higher privileges. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but high-complexity flaw requiring low-level existing privileges, with full high impact to confidentiality, integrity and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a Microsoft (MSRC) patch is available.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-15711 HIGH This Week

Remote denial of service in libsoup, the GNOME HTTP client/server library, allows unauthenticated attackers to crash any application using libsoup's WebSocket support by sending a single malformed control frame. The parser fails to enforce RFC 6455's 125-byte limit on PING/PONG/CLOSE control frames and mishandles the oversized payload instead of cleanly closing the connection, causing an internal processing crash. Red Hat reports the flaw across RHEL 6 through 10; no public exploit has been identified at time of analysis and no EPSS score was provided.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-50659 MEDIUM PATCH Exploit Unlikely This Month

Improper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network.

Information Disclosure Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-48352 HIGH This Week

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service C2Pa C2Pa Web C2Patool
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-48351 HIGH This Week

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service C2Pa C2Pa Web C2Patool
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-48295 HIGH This Week

CAI Content Credentials is affected by an Insufficiently Protected Credentials vulnerability that could result in disclosure of sensitive information. An attacker could leverage this vulnerability to gain unauthorized read access. Exploitation of this issue does not require user interaction.

Information Disclosure C2Pa C2Pa Web C2Patool
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-53379 HIGH This Week

Information disclosure in Fortinet FortiAuthenticator (6.5 all versions and 6.6.0–6.6.2) lets a remote unauthenticated attacker read out-of-bounds memory via a specially crafted request, exposing sensitive in-memory data. The CVSS temporal metrics (E:F, RC:C) indicate a functional, confirmed exploit is understood by the vendor, and an official fix is available (RL:O). No CISA KEV listing is present, so this is not confirmed as actively exploited despite the mature exploit signal.

Fortinet Buffer Overflow Information Disclosure Fortiauthenticator
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-58279 MEDIUM PATCH Exploit Unlikely This Month

Missing authorization in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft Azure Cyclecloud 8 9 1
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-59884 HIGH PATCH This Week

Denial of service in the pyasn1 Python ASN.1 library (versions prior to 0.6.4) allows a remote attacker to exhaust CPU and crash applications by supplying crafted BER, CER, or DER encoded data. The shared BER decoder parses long-form tags without bounding the tag ID size, so a malicious tag forces construction of an arbitrarily large integer whose processing scales quadratically, and on Python 3.11+ triggers unhandled ValueError exceptions in integer-to-string error formatting. No public exploit identified at time of analysis, though the fix commit ships proof-of-concept test cases; not listed in CISA KEV.

Python Denial Of Service Pyasn1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59200 HIGH PATCH This Week

Uncontrolled memory consumption in Python Pillow (PIL) versions 5.1.0 through 12.2.x allows a remote attacker to cause denial of service by supplying a small crafted PDF whose FlateDecode stream declares a large Length; PdfParser.PdfStream.decode() passes this attacker-controlled Length straight to zlib.decompress() as the bufsize with no upper bound, so a tiny file inflates into gigabytes of decompressed data and exhausts host memory. Fixed in 12.3.0 by streaming decompression with a bounded max_length. No public exploit identified at time of analysis and this CVE is not in CISA KEV, but the trigger is trivial to construct.

Python Denial Of Service Pillow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59885 HIGH PATCH This Week

Denial of service in the pyasn1 Python ASN.1 library (all versions prior to 0.6.4) allows remote attackers to exhaust CPU by submitting a small crafted OBJECT IDENTIFIER or RELATIVE-OID whose arcs are decoded in quadratic time, so any application that calls decode() on untrusted ASN.1 data can be stalled per call; re-encoding such values triggers the same blow-up. Rated CVSS 7.5 (availability-only) with no confidentiality or integrity impact; no public exploit identified at time of analysis, though the fix commit ships a regression test that effectively demonstrates the trigger. As a foundational dependency behind LDAP, SNMP, X.509/PKI and crypto tooling across the Python ecosystem, its broad transitive reach makes this notable despite the modest severity.

Python Denial Of Service Pyasn1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59886 HIGH PATCH This Week

Uncontrolled resource consumption in the pyasn1 Python ASN.1 library (versions prior to 0.6.4) lets remote attackers hang applications that decode untrusted BER/CER/DER data. A REAL value only a few bytes long can encode an enormous exponent; when the decoded univ.Real object is later printed, logged, compared, or converted via prettyPrint(), str(), int(), or float(), pyasn1 performs exact big-integer exponentiation that consumes excessive CPU and memory. There is no public exploit identified at time of analysis, but the network/no-auth/no-interaction, availability-only profile makes this a straightforward denial-of-service primitive; the issue is fixed in version 0.6.4.

Python Denial Of Service Pyasn1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-51105 HIGH This Week

Denial of service in aMule 2.3.3 lets a remote eD2k server crash the client by sending a malformed OP_SERVERMESSAGE packet that overflows a stack buffer (CWE-121). The flaw is triggered client-side when parsing server-supplied message data, so any hostile or spoofed server the client connects to can terminate the application. No public exploit has been identified at time of analysis, and the issue is documented only as an upstream bug report (amule GitHub issue #445), not a released patch.

Buffer Overflow Stack Overflow Denial Of Service N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-47477 HIGH This Week

Denial of service in NVIDIA Triton Inference Server for Linux stems from a stack-based buffer overflow (CWE-121) reachable by remote, unauthenticated attackers over the network. Per the CVSS 3.1 vector, exploitation requires no privileges or user interaction and impacts only availability (A:H), with no confidentiality or integrity effect. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; no EPSS score was provided in the input.

Buffer Overflow Stack Overflow Denial Of Service Nvidia Triton Inference Server
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-47478 HIGH This Week

Denial of service in NVIDIA Triton Inference Server for Linux allows a remote, unauthenticated attacker to disrupt availability by triggering use of an expired (stale) file descriptor. The flaw impacts availability only (no data exposure or code execution) and, per CVSS PR:N/UI:N, requires no authentication or user interaction. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; no EPSS score was provided in the input.

Nvidia Denial Of Service Triton Inference Server
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-15765 HIGH PATCH This Week

Use after free in Ozone in Google Chrome prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Google Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-15764 HIGH PATCH This Week

Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Google Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12523 HIGH PATCH This Week

Remote memory exhaustion in Cloudflare quiche's HTTP/3 layer allows unauthenticated attackers to crash or degrade QUIC servers by sending specially crafted HTTP/3 frames that trigger over-allocation. Two distinct defects are involved: frame parsers pre-allocate buffers based on an attacker-declared length field without requiring the bytes to actually be sent, and QPACK decompression fails to enforce the configured MAX_FIELD_SECTION_SIZE limit, so crafted HEADERS frames commit far more memory than advertised. No public exploit identified at time of analysis; impact is availability-only (CVSS 7.5) with no confidentiality or integrity effect.

Denial Of Service Quiche
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-15777 HIGH PATCH This Week

Use after free in UI in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Google Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-47482 HIGH This Week

Denial of service in NVIDIA Triton Inference Server on Linux allows remote unauthenticated attackers to exhaust host memory by triggering a memory leak (CWE-401, missing release of memory after effective lifetime), degrading or crashing the inference service. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H) indicates trivial network-reachable exploitation with no authentication and high availability impact, but no confidentiality or integrity exposure. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Nvidia Denial Of Service Triton Inference Server
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-47480 HIGH This Week

Denial of service in NVIDIA Triton Inference Server on Linux allows remote unauthenticated attackers to crash the service by triggering an uncaught exception (CWE-248), taking the model-serving endpoint offline. The flaw carries CVSS 7.5 with a pure availability impact (C:N/I:N/A:H) and no public exploit identified at time of analysis; it was reported by NVIDIA itself. No confidentiality or integrity compromise is involved — the sole consequence is loss of inference availability.

Nvidia Denial Of Service Triton Inference Server
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-47479 HIGH This Week

Denial of service in NVIDIA Triton Inference Server for Linux lets remote unauthenticated attackers exhaust server resources (CWE-400 uncontrolled resource consumption) and render the AI/ML inference endpoint unavailable, with no impact to confidentiality or integrity. The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/A:H), reflecting network-reachable, low-complexity, no-privilege exploitation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided in the input.

Nvidia Denial Of Service Triton Inference Server
NVD
CVSS 3.1
7.5
EPSS
0.3%
Prev Page 11 of 20 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy