Skip to main content

CWE-459

Incomplete Cleanup

131 CVEs Avg CVSS 6.3 MITRE
6
CRITICAL
41
HIGH
77
MEDIUM
7
LOW
15
POC
0
KEV

Monthly

CVE-2026-7639 HIGH This Week

Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unprivileged user trigger a use-after-free by issuing an improper sequence of GPU system calls. By forcing a failure path in the MMU mapping logic, an attacker leaves internal driver state incompletely cleaned up, enabling unauthorized read/write access to physical memory from shader code. There is no public exploit identified at time of analysis and EPSS is low (0.15%), but the flaw carries high confidentiality, integrity, and availability impact for local attackers.

Authentication Bypass Denial Of Service Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52733 Cargo MEDIUM PATCH GHSA This Month

Persistent RocksDB state corruption in zebrad up to v4.4.1 arises from an asymmetric cleanup bug in the non-finalized chain fork handler: `pop_tip` omits the Sapling and Orchard note commitment subtree root cleanup that `pop_root` correctly performs, causing stale subtree root entries to survive in memory and be flushed to disk during subsequent chain finalization. The corrupted subtree root history survives node restarts and is served to downstream consumers of `z_getsubtreesbyindex` - primarily `lightwalletd` and light wallets - causing wallet synchronization failures or incorrect wallet state that requires a full database rebuild to recover. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV; the risk is passive silent corruption accumulating on all unpatched nodes during routine chain fork events rather than adversarial exploitation.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
CVE-2026-52736 Cargo HIGH PATCH GHSA This Week

Remote denial-of-service in Zebra (zebrad ≤ v4.4.1), the Zcash Foundation's Rust node, lets an unauthenticated P2P peer permanently stall a targeted node at a chosen block height. By exploiting ZIP-244 transaction malleability, an attacker crafts a poisoned block body sharing the same header hash as a valid canonical block; Zebra caches the hash before validation and never evicts it on failure, so the legitimate block is later rejected as a duplicate. This is a real availability threat against default configurations, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was independently reproduced end-to-end by two researchers.

Information Disclosure Canonical Checkpoint
NVD GitHub
CVE-2026-5038 npm HIGH PATCH GHSA This Week

Denial of service in Multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 allows remote unauthenticated attackers to exhaust server disk space when the library is configured with diskStorage. Aborted or malformed multipart uploads leave orphaned partial files because stream destruction is not propagated to the underlying fs.WriteStream, enabling resource exhaustion at scale with no public exploit identified at time of analysis. EPSS probability is low at 0.25% but SSVC marks the issue automatable with partial technical impact.

Denial Of Service Multer
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53867 MEDIUM PATCH This Month

Orphaned profile image retention in Capgo before 12.128.2 exposes previously uploaded user images indefinitely after replacement or deletion, because the backend storage object is never purged when the application record is updated. Attackers who possess a prior image URL - obtained via browser history, referrer logs, network interception, or prior caching - can retrieve user-uploaded content even after the user intended to remove it, violating data erasure expectations. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector (PR:L) indicates prior authenticated access or URL knowledge is a prerequisite, limiting opportunistic mass exploitation.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-33232 HIGH PATCH This Week

Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust server disk space by repeatedly invoking the download_agent_file endpoint, which creates temporary files that are never cleaned up. Once disk capacity is consumed, the backend database and dependent services fail with 'No space left on device' errors, taking the entire platform offline for all users. No public exploit identified at time of analysis, but the trivial nature of the attack (simple repeated HTTP requests) makes it readily reproducible.

Denial Of Service Autogpt
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-0427 MEDIUM This Month

Improper cleanup of shared GPU firmware registers in AMD Instinct and Radeon Pro accelerators allows admin-privileged attackers within guest virtual machines to access registers allocated to other guest VMs, potentially compromising confidentiality, integrity, or availability across isolated workloads. The vulnerability requires local admin privileges within a guest VM and affects multiple GPU product lines used in data center and HPC environments.

Information Disclosure Amd Instinct Mi210 Amd Instinct Mi300X Amd Instinct Mi325X Amd Radeon Pro V710
NVD VulDB
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-34263 CRITICAL NEWS Act Now

Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated malicious configuration upload and code injection. Attackers can remotely exploit a misconfigured Spring Security framework to upload crafted configuration files and inject code without authentication, requiring only that a user interact with malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). The vulnerability affects SAP Commerce Cloud Configuration with critical impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable. Patch details available in SAP Security Note 3733064.

RCE Java SAP
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-43395 MEDIUM PATCH This Month

Incomplete cleanup in the Linux kernel's DRM/Xe GPU driver allows a local low-privileged user to leak kernel object references (syncobj, fence, chain fence, or user fence) by triggering error paths in xe_sync_entry_parse(), resulting in kernel memory exhaustion and local denial of service. Affected kernels include those shipping the Intel Xe GPU driver from the introducing commit (dd08ebf6c352) up to the fix commits landed in stable series 6.12, 6.18, 6.19, and 7.0. No public exploit code exists and no active exploitation has been reported; EPSS probability sits at 0.02% (5th percentile), reflecting extremely low real-world exploitation interest.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-66467 HIGH This Week

Apache CloudStack's MinIO integration fails to clean up bucket access policies when buckets are deleted, enabling previous bucket owners to retain unauthorized access via cached credentials. If another user creates a bucket with the same name, the former owner gains read/write access using their old access keys. CISA has not listed this CVE in KEV, indicating no confirmed widespread exploitation. CVSS 8.0 reflects high impact but requires authenticated access and user interaction (PR:L/UI:R), tempering immediate urgency. Patch available in CloudStack 4.20.3.0 and 4.22.0.1.

Authentication Bypass Apache
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
EPSS 0% CVSS 7.8
HIGH This Week

Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unprivileged user trigger a use-after-free by issuing an improper sequence of GPU system calls. By forcing a failure path in the MMU mapping logic, an attacker leaves internal driver state incompletely cleaned up, enabling unauthorized read/write access to physical memory from shader code. There is no public exploit identified at time of analysis and EPSS is low (0.15%), but the flaw carries high confidentiality, integrity, and availability impact for local attackers.

Authentication Bypass Denial Of Service Graphics Ddk
NVD
CVSS 6.5
MEDIUM PATCH This Month

Persistent RocksDB state corruption in zebrad up to v4.4.1 arises from an asymmetric cleanup bug in the non-finalized chain fork handler: `pop_tip` omits the Sapling and Orchard note commitment subtree root cleanup that `pop_root` correctly performs, causing stale subtree root entries to survive in memory and be flushed to disk during subsequent chain finalization. The corrupted subtree root history survives node restarts and is served to downstream consumers of `z_getsubtreesbyindex` - primarily `lightwalletd` and light wallets - causing wallet synchronization failures or incorrect wallet state that requires a full database rebuild to recover. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV; the risk is passive silent corruption accumulating on all unpatched nodes during routine chain fork events rather than adversarial exploitation.

Information Disclosure
NVD GitHub
HIGH PATCH This Week

Remote denial-of-service in Zebra (zebrad ≤ v4.4.1), the Zcash Foundation's Rust node, lets an unauthenticated P2P peer permanently stall a targeted node at a chosen block height. By exploiting ZIP-244 transaction malleability, an attacker crafts a poisoned block body sharing the same header hash as a valid canonical block; Zebra caches the hash before validation and never evicts it on failure, so the legitimate block is later rejected as a duplicate. This is a real availability threat against default configurations, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was independently reproduced end-to-end by two researchers.

Information Disclosure Canonical Checkpoint
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 allows remote unauthenticated attackers to exhaust server disk space when the library is configured with diskStorage. Aborted or malformed multipart uploads leave orphaned partial files because stream destruction is not propagated to the underlying fs.WriteStream, enabling resource exhaustion at scale with no public exploit identified at time of analysis. EPSS probability is low at 0.25% but SSVC marks the issue automatable with partial technical impact.

Denial Of Service Multer
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Orphaned profile image retention in Capgo before 12.128.2 exposes previously uploaded user images indefinitely after replacement or deletion, because the backend storage object is never purged when the application record is updated. Attackers who possess a prior image URL - obtained via browser history, referrer logs, network interception, or prior caching - can retrieve user-uploaded content even after the user intended to remove it, violating data erasure expectations. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector (PR:L) indicates prior authenticated access or URL knowledge is a prerequisite, limiting opportunistic mass exploitation.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust server disk space by repeatedly invoking the download_agent_file endpoint, which creates temporary files that are never cleaned up. Once disk capacity is consumed, the backend database and dependent services fail with 'No space left on device' errors, taking the entire platform offline for all users. No public exploit identified at time of analysis, but the trivial nature of the attack (simple repeated HTTP requests) makes it readily reproducible.

Denial Of Service Autogpt
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Improper cleanup of shared GPU firmware registers in AMD Instinct and Radeon Pro accelerators allows admin-privileged attackers within guest virtual machines to access registers allocated to other guest VMs, potentially compromising confidentiality, integrity, or availability across isolated workloads. The vulnerability requires local admin privileges within a guest VM and affects multiple GPU product lines used in data center and HPC environments.

Information Disclosure Amd Instinct Mi210 Amd Instinct Mi300X +2
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated malicious configuration upload and code injection. Attackers can remotely exploit a misconfigured Spring Security framework to upload crafted configuration files and inject code without authentication, requiring only that a user interact with malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). The vulnerability affects SAP Commerce Cloud Configuration with critical impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable. Patch details available in SAP Security Note 3733064.

RCE Java SAP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incomplete cleanup in the Linux kernel's DRM/Xe GPU driver allows a local low-privileged user to leak kernel object references (syncobj, fence, chain fence, or user fence) by triggering error paths in xe_sync_entry_parse(), resulting in kernel memory exhaustion and local denial of service. Affected kernels include those shipping the Intel Xe GPU driver from the introducing commit (dd08ebf6c352) up to the fix commits landed in stable series 6.12, 6.18, 6.19, and 7.0. No public exploit code exists and no active exploitation has been reported; EPSS probability sits at 0.02% (5th percentile), reflecting extremely low real-world exploitation interest.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Apache CloudStack's MinIO integration fails to clean up bucket access policies when buckets are deleted, enabling previous bucket owners to retain unauthorized access via cached credentials. If another user creates a bucket with the same name, the former owner gains read/write access using their old access keys. CISA has not listed this CVE in KEV, indicating no confirmed widespread exploitation. CVSS 8.0 reflects high impact but requires authenticated access and user interaction (PR:L/UI:R), tempering immediate urgency. Patch available in CloudStack 4.20.3.0 and 4.22.0.1.

Authentication Bypass Apache
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy