Skip to main content
CVE-2026-61867 LOW PATCH Monitor

Memory leak in ImageMagick's TIFF encoder before version 7.1.2-26 enables denial of service via controlled memory allocation failures. An attacker who can submit TIFF images for processing can repeatedly trigger allocation failures, causing the encoder to leak memory without releasing it, ultimately exhausting available system memory. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.1 reflects the constrained local attack vector and low availability impact.

Denial Of Service Imagemagick
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-61866 LOW PATCH Monitor

Memory leak in ImageMagick's JNG encoder before version 7.1.2-26 enables local resource exhaustion when malformed JNG files cause blob open failures without subsequent memory release. The flaw is classified CWE-401 and carries a CVSS 4.0 score of just 2.1, reflecting a local attack vector, high complexity, and availability-only impact - no confidentiality or integrity loss is possible. No public exploit code and no active exploitation (CISA KEV) have been identified, making this a low-priority finding relevant primarily to services that batch-process untrusted image files.

Denial Of Service Imagemagick
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-61865 LOW PATCH Monitor

ImageMagick's hough lines operation leaks a small amount of memory when a specific internal sub-operation fails, affecting the 7.x branch before 7.1.2-26 and the 6.x legacy branch before 6.9.13-51. This CWE-401 flaw is locally exploitable only under high attack complexity with specific prerequisites, producing a low availability impact with no confidentiality or integrity consequence - reflected in the CVSS 4.0 score of 2.1. No public exploit or active exploitation has been identified at time of analysis; this is a low-priority maintenance patch with no realistic threat-actor motivation.

Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-61864 LOW PATCH Monitor

ImageMagick's log colorspace color transformation leaks a small amount of memory when the operation fails, affecting versions prior to 7.1.2-26 and 6.9.13-51. The flaw (CWE-401) resides in an error-handling code path that fails to release allocated memory, meaning repeated invocations that trigger failures could contribute to incremental memory exhaustion. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified; the CVSS 4.0 score of 2.1 reflects the highly constrained and low-impact nature of this issue.

Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-61862 LOW PATCH Monitor

ImageMagick before 7.1.2-26 (7.x branch) and 6.9.13-51 (6.x branch) discloses one byte of process memory beyond a profile boundary when the `identify` command is run with debug output enabled and the embedded profile ends with a non-printable byte. The out-of-bounds read (CWE-125) is highly conditional - requiring local access, explicit debug mode activation, and a specifically crafted profile payload - keeping real-world impact extremely low despite ImageMagick's broad deployment footprint. No public exploit code or active exploitation has been identified at time of analysis.

Buffer Overflow Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-61872 LOW PATCH Monitor

Memory leak in ImageMagick's TIFF encoder - affecting the 7.x branch before 7.1.2-26 and the 6.x branch before 6.9.13-51 - allows an attacker or application to cause gradual memory exhaustion by repeatedly supplying an invalid tiff:tile-geometry parameter during TIFF encoding operations. The flaw scores 2.0 under CVSS 4.0 with only low availability impact, a local attack vector, high complexity, and prerequisite conditions, placing it firmly in the low-severity tier. No public exploit code has been identified and the vulnerability is absent from the CISA KEV catalog, indicating no confirmed active exploitation at the time of analysis.

Information Disclosure Imagemagick
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-61464 LOW PATCH Monitor

Heap-based buffer over-write in ImageMagick's X11 import functionality exposes local systems to heap memory corruption and denial of service when processing a crafted X11 window title. Affected versions span both the 7.x branch (before 7.1.2-26) and the legacy 6.x branch (before 6.9.13-51), covering a large installed base across Linux and Unix environments. No public exploit identified at time of analysis, and the narrow exploitation conditions - requiring local privileged access with X11 in scope - significantly constrain real-world risk despite the CWE-122 heap overflow class.

Heap Overflow Buffer Overflow Denial Of Service Imagemagick
NVD GitHub VulDB
CVSS 4.0
1.0
EPSS
0.1%
CVE-2026-50289 HIGH POC PATCH GHSA This Week

OS command injection in the Node.js `systeminformation` library (npm, versions <= 5.31.6) lets a local actor run arbitrary commands with the privileges of any process that calls `networkInterfaces()` on Linux. While collecting DHCP state, `checkLinuxDCHPInterfaces()` reads Debian/Ubuntu `interfaces(5)` files and interpolates each `source <path>` token - read from file content - unquoted into a `cat ... | grep` string executed via `execSync()`/`/bin/sh`. Publicly available exploit code exists (a verbatim-sink PoC in the advisory); there is no CISA KEV listing and no CVSS score was assigned by the source, but a vendor patch (5.31.7) is available.

Debian Node.js Apple Microsoft Ubuntu +1
NVD GitHub
CVE-2026-54490 MEDIUM PATCH GHSA This Month

Resource limit bypass in the websocket-driver npm library (versions < 0.7.5) allows WebSocket messages to exceed the application's configured maximum message size when the permessage-deflate compression extension is active. The size enforcement is applied to compressed frame length headers rather than the decompressed payload, meaning a highly compressed message can appear within limits on the wire but expand arbitrarily upon decompression. Vendor-released patch is available in version 0.7.5; no public exploit has been identified at time of analysis.

Denial Of Service
NVD GitHub
CVE-2026-54466 CRITICAL PATCH GHSA Act Now

Message corruption in the Node.js websocket-driver package (versions < 0.7.5) lets a remote WebSocket client desynchronize frame parsing by abusing the draft-protocol length header. By streaming an indefinite run of continuation bytes (0x80 or higher), an attacker forces the server to accumulate an ever-growing integer that exceeds JavaScript's 64-bit floating-point precision, so the true payload length is computed incorrectly and subsequent bytes are parsed against the wrong frame boundaries. There is no public exploit identified at time of analysis and no CVSS score was assigned; the fix in 0.7.5 rejects any frame whose length header exceeds the configured maximum message length.

Information Disclosure
NVD GitHub
CVE-2026-54465 MEDIUM PATCH GHSA This Month

Memory exhaustion in the websocket-driver Ruby gem (versions prior to 0.8.1) allows a remote peer to crash or degrade a receiving process by sending an HTTP request or response with an arbitrarily large number of headers, which the parser accumulates without any size bound. Affected deployments are those using WebSocket::Driver.server() directly atop a raw TCP server (bypassing an HTTP framework), or applications using this library as a WebSocket client - standard HTTP framework integrations (Rails, Sinatra, Rack) are not in scope. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but exploitation is mechanically trivial once a vulnerable deployment is identified, requiring only a crafted HTTP connection.

Denial Of Service
NVD GitHub
CVE-2026-54464 MEDIUM PATCH GHSA This Month

Resource exhaustion in the websocket-driver Ruby gem (faye/websocket-driver-ruby) allows any WebSocket peer to bypass a configured maximum message size when the permessage-deflate compression extension is in use. The size limit is enforced against the compressed frame length rather than the post-decompression size, enabling a decompression-bomb style attack where a small compressed payload expands far beyond the intended ceiling. Applications on versions below 0.8.1 silently accept oversized payloads, potentially exhausting server memory or CPU and causing a denial-of-service condition. No public exploit exists at time of analysis, but the attack class is well understood and low-complexity to implement.

Denial Of Service
NVD GitHub
CVE-2026-54463 MEDIUM PATCH GHSA This Month

Memory exhaustion in the Ruby websocket-driver gem (faye/websocket-driver-ruby) allows any network peer to crash the host process by abusing the draft WebSocket protocol's variable-length integer encoding. By streaming an indefinite sequence of bytes with values 0x80 or above in a frame length header, an attacker forces the parser to accumulate an ever-growing Ruby arbitrary-precision integer, consuming unbounded heap memory until the process is killed by the OS. The attack is bidirectional - a malicious server can target a client, or a malicious client can target a server - and no public exploit has been identified at time of analysis.

Denial Of Service
NVD GitHub
CVE-2026-54254 MEDIUM PATCH GHSA This Month

Pixeldrain API key exfiltration in cyberdrop-dl-patched (versions 8.5.0 through 9.13.x) allows a network attacker who controls a lookalike domain (e.g., evil-pixeldrain.com) to receive the victim's Pixeldrain Authorization header when the tool processes a crafted URL. The root cause is substring-based host matching: any domain containing 'pixeldrain' as a substring is accepted as a valid Pixeldrain host, causing the tool to blindly send API credentials to attacker-controlled infrastructure. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the attack path is straightforward and fully described in the advisory.

WordPress Information Disclosure
NVD GitHub
CVE-2026-54452 MEDIUM PATCH GHSA This Month

SSRF protection bypass in the Doyensec safeurl Go library (versions prior to 0.2.4) allows network requests to four newly standardized IPv6 CIDR ranges that were absent from the library's internal blocklist. Applications that explicitly enable IPv6 via EnableIPv6(true) and rely on safeurl to enforce SSRF controls are exposed; attackers who can supply attacker-controlled URLs to such applications may reach internal resources hosted on NAT64 local-use (64:ff9b:1::/48), SRv6 SID (5f00::/16), documentation (3fff::/20), or Dummy IPv6 (100:0:0:1::/64) address space. No public exploit code or CISA KEV listing has been identified at time of analysis.

SSRF
NVD GitHub
CVE-2026-54450 LOW POC PATCH GHSA Monitor

ToolHive's hand-maintained SSRF guard (`networking.IsPrivateIP`) omits IPv6 NAT64 prefixes `64:ff9b::/96` (RFC 6052) and `64:ff9b:1::/48` (RFC 8215), allowing addresses like `64:ff9b:1::a9fe:a9fe` - the NAT64 encoding of the cloud metadata endpoint `169.254.169.254` - to be misclassified as globally routable and pass unchecked. On ToolHive deployments behind a NAT64/DNS64 gateway (the default in IPv6-only Kubernetes clusters and several IPv6-only cloud environments), an unauthenticated attacker can submit a crafted OAuth `client_id` URL that causes ToolHive's CIMD fetcher to dial internal or link-local addresses the guard is intended to block, achieving a blind internal-reachability oracle. Practical impact is limited to TCP/TLS connection probing rather than credential exfiltration due to HTTPS-only enforcement and TLS verification on the attacker-controlled path; a complete proof-of-concept is publicly available in the vendor advisory, and no public exploit identified at time of analysis as a KEV-listed active campaign.

Kubernetes Microsoft SSRF Oracle
NVD GitHub
CVE-2026-62944 HIGH PATCH GHSA This Week

Stored cross-site scripting in MantisBT (versions <= 2.28.3) lets an authenticated user inject arbitrary HTML/JavaScript through a crafted image-attachment filename that breaks out of an IMG tag's alt attribute. The payload executes when any user (including higher-privileged reviewers) renders the Word/HTML export view at print_all_bug_page_word.php?type_page=html&export=1, though real-world impact is constrained by MantisBT's Content Security Policy. There is no public exploit identified at time of analysis, and the flaw is fixed in 2.28.4.

PHP XSS
NVD GitHub
CVE-2026-52883 MEDIUM PATCH GHSA This Month

Authenticated injection of TIME_TRACKING and REMINDER note types in MantisBT's SOAP and REST APIs allows UPDATER-level users to corrupt billing data and falsify project records. The `note_type` integer parameter supplied by the caller is passed directly to `bugnote_add()` in the SOAP endpoint - and through `mc_issue_update()` in the REST API - without verifying the caller holds sufficient privilege to create that note type. Attackers with UPDATER access can inject arbitrary billable hours into MantisBT's billing reports, generating fraudulent invoices, and can register fake REMINDER notes via SOAP. No public exploit is identified at time of analysis, and a vendor patch is available in version 2.28.4.

PHP Code Injection
NVD GitHub
CVE-2026-52882 MEDIUM PATCH GHSA This Month

Authorization bypass in MantisBT's SOAP API, REST API, and web-based bug update interface allows authenticated lower-privileged users to assign unreleased product versions to issues, circumventing the `report_issues_for_unreleased_versions_threshold` access control. All three issue-update pathways in versions 2.28.3 and earlier were unprotected: the SOAP handler (`mc_issue_api.php`), the web form (`bug_update.php`), and the REST command layer (`IssueAddCommand.php`). No public exploit code and no active exploitation (CISA KEV) have been identified; vendor-released patch version 2.28.4 closes all three vectors.

Authentication Bypass PHP
NVD GitHub
CVE-2026-52881 CRITICAL PATCH GHSA Act Now

Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. There is no public exploit identified at time of analysis, no CISA KEV listing, and no CVSS/EPSS score in the provided data; the issue was reported by watchTowr and fixed in 2.28.4.

Open Redirect PHP XSS
NVD GitHub
CVE-2026-52847 CRITICAL PATCH GHSA Act Now

Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. The advisory states no authentication is required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Open Redirect PHP XSS
NVD GitHub
CVE-2026-54494 MEDIUM POC PATCH GHSA This Month

Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.

Microsoft SSRF PHP
NVD GitHub
CVE-2026-54451 HIGH POC PATCH GHSA This Week

Denial of service in the Elixir/Erlang Hex package protobuf (>= 0.8.0, < 0.16.1) allows an unauthenticated remote attacker to crash any service that decodes untrusted protobuf messages into a self-referential or cyclic message type. Because Protobuf.Decoder performs unbounded, non-tail recursion over embedded message fields, a small request body (a few KB to a few MB) can nest a field hundreds of thousands to millions of levels deep, forcing the BEAM to retain one stack/heap frame per level until it exhausts memory and pins a scheduler; a handful of concurrent requests take the node offline. This is a request-amplification DoS with a publicly available proof-of-concept, but no CISA KEV listing and no evidence of active exploitation; no CVSS or EPSS score is provided in the source data.

Google Denial Of Service
NVD GitHub
CVE-2026-49280 MEDIUM PATCH GHSA This Month

MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. Because UPDATER is the default role for ordinary authenticated contributors, this flaw is broadly reachable on any MantisBT instance where the API is accessible without further hardening of role assignments.

Authentication Bypass PHP
NVD GitHub
CVE-2026-49273 HIGH PATCH GHSA This Week

Authenticated remote code execution in MantisBT versions 1.3.0 through 2.28.3 allows an administrator to run arbitrary PHP as the web server user (www-data) via the 'Manage Configuration' page (adm_config_set.php). When a config value is stored with a non-string type, the ConfigParser/Tokenizer path calls eval() on attacker-controlled code guarded only by a 'return;' prefix; because PHP hoists class and function declarations at compile time regardless of the return, an attacker can plant a class that later hijacks the autoloader. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported privately by watchTowr and fixed in 2.28.4.

PHP RCE Code Injection
NVD GitHub
CVE-2026-47156 CRITICAL PATCH GHSA Act Now

Privilege escalation to administrator in MantisBT 2.28.3 and earlier lets a low-privileged or self-registered user impersonate any account, including the administrator, through the SOAP API's flawed mci_check_login() function. Because the function accepts any valid cookie_string without checking that it belongs to the supplied username, an attacker who knows a target username (e.g. 'administrator') and possesses their own MANTIS_STRING_COOKIE can authenticate as that user without a password. With self-registration enabled by default ($g_allow_signup = ON), this is exploitable from zero prior access, granting full read/write and destructive control over all projects, issues, and user data. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the underlying bug is trivially reliable.

Authentication Bypass PHP
NVD GitHub
CVE-2026-47142 HIGH PATCH GHSA This Week

SQL injection in MantisBT 2.28.3 and earlier (fixed in 2.28.4) lets an administrator poison the history_order configuration value, which core/history_api.php concatenates unsanitized into an ORDER BY clause; the injected SQL then fires whenever any authenticated user views a bug that has history entries. This converts an administrator's config-write into database-wide data theft (password hashes, cookie_strings, API tokens, private issues) and, where the MySQL account holds the FILE privilege, remote code execution via INTO OUTFILE dropping a PHP webshell in the web root. No public exploit identified at time of analysis; reported by McCaulay Hudson of watchTowr and tracked as GitHub advisory GHSA-mw6p-33vw-46cc.

SQLi PHP Information Disclosure
NVD GitHub
CVE-2026-56136 MEDIUM PATCH This Month

Out-of-bounds read in NTFS-3G through version 2026.2.25 exposes ntfs-3g process memory when a maliciously crafted NTFS image is mounted and a file with a specially crafted name is created on it. The flaw in ntfs_ir_nill() within the index-handling code allows an attacker who controls the filesystem image to read data from the running ntfs-3g process that may include confidential in-memory contents. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; this issue was surfaced by the Ubuntu security team.

Buffer Overflow
NVD
CVE-2026-46571 MEDIUM PATCH This Month

Out-of-bounds memory read in NTFS-3G through 2026.2.25 exposes ntfs-3g process memory contents when a victim mounts a crafted NTFS filesystem image and invokes readlink on a corrupted reparse point file. The defect resides in ntfs_fix_file_name() within libntfs-3g/reparse.c and can disclose potentially confidential in-process data - such as recently processed file paths or runtime buffers - to the attacker who supplied the malicious image. No public exploit has been identified at time of analysis; Ubuntu has confirmed patch availability via security advisory USN-8554-1.

Buffer Overflow
NVD
CVE-2026-42618 MEDIUM PATCH This Month

Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt one byte of heap memory within the SUID-root ntfs-3g binary by supplying a specially crafted NTFS image, triggering the flaw during decompression in ntfs_decompress() in compress.c. Because the binary executes with root privileges via the SUID mechanism, successful heap exploitation could yield full local privilege escalation to root from an unprivileged account. No public exploit has been identified at time of analysis, and the single-byte overflow constraint substantially raises exploitation complexity, but the SUID-root execution context makes this a high-value local privilege escalation target.

Buffer Overflow
NVD
CVE-2026-42616 MEDIUM PATCH This Month

Heap buffer overflow in NTFS-3G's ntfscat utility (versions through 2026.2.25) enables heap memory corruption when processing a crafted malicious NTFS image, specifically in the cat() function of cat.c. The overflow is triggered passively during file read operations, requiring no complex interaction beyond ntfscat processing an attacker-supplied image. No public exploit has been identified at time of analysis, and a vendor patch is available via Ubuntu USN-8554-1. Given NTFS-3G's near-universal deployment across Linux distributions, organizations that process untrusted disk images - forensic tools, backup pipelines, virtualization stacks - face meaningful exposure until patched.

Buffer Overflow
NVD
CVE-2026-42617 MEDIUM PATCH This Month

Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt heap memory in the SUID-root ntfs-3g binary by mounting a crafted NTFS image and performing a directory-extending operation such as creating a file. Because ntfs-3g runs as root via the SUID bit on most Linux distributions, successful exploitation of the overflow in ntfs_ir_to_ib() could yield local privilege escalation to root. No public exploit code or active exploitation has been identified at time of analysis; a vendor patch is available via Ubuntu Security Notice USN-8554-1.

Buffer Overflow
NVD
CVE-2026-46569 MEDIUM PATCH This Month

Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt heap memory in the SUID-root ntfs-3g binary by supplying a crafted NTFS image, with exploitation triggered when a directory is extended (e.g., a file is created) on the mounted filesystem. Because ntfs-3g carries the SUID-root bit to operate FUSE-based NTFS mounts, successful heap corruption in this context carries privilege escalation potential to root. No public exploit code has been identified at time of analysis; a vendor-released patch is available via Ubuntu USN-8554-1.

Buffer Overflow
NVD
CVE-2026-46570 MEDIUM PATCH This Month

Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt heap memory in the SUID-root ntfs-3g binary by supplying a crafted NTFS filesystem image, potentially achieving privilege escalation to root. The flaw resides in the index B-tree traversal function ntfs_index_walk_down() in libntfs-3g/index.c and is triggered during parsing of crafted file metadata. No public exploit code has been identified at time of analysis, but Ubuntu has issued a security advisory (USN-8554-1) and a vendor patch is available.

Buffer Overflow
NVD
CVE-2026-46572 MEDIUM PATCH This Month

Heap buffer overflow in NTFS-3G through 2026.2.25 allows local privilege escalation to root via a crafted NTFS filesystem image. The overflow occurs in ntfs_ib_cut_tail() within the index management code when a file is created inside a specially constructed directory on a malicious NTFS image. Because the ntfs-3g binary runs as SUID-root, heap corruption in this process can yield code execution with root privileges. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Buffer Overflow
NVD
CVE-2026-56135 MEDIUM PATCH This Month

Heap-based buffer overflow in NTFS-3G through 2026.2.25 enables a local attacker to corrupt heap memory inside the SUID-root ntfs-3g binary, creating a local privilege escalation path to root. The flaw resides in build_inherited_id() within libntfs-3g/security.c and is triggered by creating a file inside a specially crafted directory on a malicious NTFS image supplied by the attacker. No public exploit code has been identified at time of analysis; the issue was surfaced through the Ubuntu vendor security channel.

Buffer Overflow
NVD
Prev Page 6 of 6

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy