Skip to main content

CWE-670

Always-Incorrect Control Flow Implementation

114 CVEs Avg CVSS 6.6 MITRE
9
CRITICAL
51
HIGH
46
MEDIUM
8
LOW
29
POC
1
KEV

Monthly

CVE-2026-14935 LOW Monitor

GStreamer's webrtcbin component accepts remote SDP offers and answers that are missing the required a=fingerprint attribute due to an inverted boolean logic check in _check_sdp_crypto(), undermining the DTLS certificate fingerprint binding that protects WebRTC media streams from interception. An attacker already positioned as a man-in-the-middle on the WebRTC signaling channel can strip the a=fingerprint attribute from SDP messages, which the vulnerable code then incorrectly accepts, allowing the attacker to substitute their own DTLS certificate and intercept or tamper with encrypted media. No public exploit code exists and no CISA KEV listing has been issued; however, the flaw is architecturally significant because it silently voids a key WebRTC security guarantee rather than causing an obvious crash.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-56328 HIGH PATCH This Week

Release-routing integrity failure in Capgo before 12.128.2 lets an authorized app or channel manager covertly steer which update bundle unnamed clients receive. Because the platform permits multiple public channels per app/platform to coexist and silently resolves channel-less /updates requests to a single hidden 'winner' channel, a low-privileged insider can manipulate default update state and serve a chosen bundle to clients that did not specify a channel. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-7656 MEDIUM POC PATCH This Month

Forged IPv6 Neighbor Discovery acceptance in the Zephyr RTOS network stack (all releases through v4.4.0) lets an adjacent on-link attacker inject spoofed Router Advertisement, Neighbor Solicitation, and Neighbor Advertisement messages because an operator-precedence bug in subsys/net/ip/ipv6_nbr.c silently skips every RFC 4861 sanity check whenever the (always-present) ICMPv6 code is 0. Because the bypassed checks include the Hop-Limit==255 on-link proof, even off-link/remote attackers may have forged ND packets accepted, enabling default-router/DNS/SLAAC hijacking and neighbor-cache poisoning for man-in-the-middle, redirection, and denial of service. A vendor patch exists (commit 095f064c) but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Denial Of Service Zephyr
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-55276 CRITICAL PATCH Act Now

Incomplete security-constraint logging in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, 11.0.0-M1-11.0.22) omits special roles and empty authorization constraints when the effective web.xml is written to the log, giving administrators an inaccurate view of the deployed access-control configuration. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and CISA SSVC marks exploitation status as none, despite the inflated 9.1 CVSS published by Apache. The practical effect is misleading audit/diagnostic output rather than direct attacker compromise.

Information Disclosure Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53404 HIGH PATCH This Week

Access-control bypass in Apache Tomcat's RewriteValve (versions 8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, and 11.0.0-M1-11.0.22) arises because once the first condition in an OR (`[OR]`) chain matched, subsequent non-OR conditions were never evaluated. Where operators rely on chained rewrite conditions to gate or restrict requests, an attacker can satisfy only the first condition and have later guard conditions silently skipped, leading to information disclosure or unintended request routing. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Apache has released fixes in 11.0.23, 10.1.56, and 9.0.119.

Information Disclosure Tomcat Apache Apache Tomcat
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-56307 MEDIUM PATCH This Month

Broken cursor pagination in Capgo's /private/devices endpoint on the Cloudflare/workerd runtime path allows authenticated attackers with app.read_devices permission to trigger infinite duplicate-page loops, making later dataset rows permanently unreachable for affected sessions. All Capgo versions before 12.128.12 are vulnerable, and the impact is operational: device-management workflows repeatedly process the same duplicate records while failing to advance through the full dataset. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.3 (Medium) reflects limited, availability-only impact scoped to the vulnerable system.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-12321 MEDIUM PATCH This Month

JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152.

Mozilla Information Disclosure Suse Red Hat
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-48844 HIGH PATCH This Week

Code injection in Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 allows authenticated attackers to execute arbitrary PHP via the LDAP autovalues option, which previously evaluated user-influenced expressions as code. The upstream maintainers removed code evaluation support entirely in the fixed releases. EPSS sits at 0.05% (14th percentile) and there is no public exploit identified at time of analysis, but the issue is patched and rated CVSS 7.5.

Code Injection Webmail
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-20171 MEDIUM This Month

BGP session flapping denial-of-service in Cisco NX-OS on Nexus 3000 and 9000 Series Switches exposes data-center routing infrastructure to disruption from unauthenticated remote attackers. The flaw resides in the enforce-first-as BGP feature, where incorrect parsing of a transitive BGP attribute causes an affected switch to drop its BGP peer session and enter a flap loop upon receiving a crafted BGP UPDATE message. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the Changed scope in the CVSS vector reflects that the instability can propagate beyond the directly attacked peer, amplifying network-wide impact.

Denial Of Service Cisco
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-44928 LOW PATCH Monitor

The EqualsUri function in uriparser before version 1.0.2 incorrectly classifies structurally distinct URIs as equivalent due to flawed absolutePath comparison logic when a host is present. An attacker can craft two different URIs that the library treats as identical, potentially bypassing URI-based access control checks or authentication mechanisms that rely on URI comparison. The vulnerability affects all versions before 1.0.2 and requires local access with high attack complexity; the impact is limited to integrity (logic bypass) with no confidentiality or availability impact.

Information Disclosure Uriparser
NVD GitHub VulDB
CVSS 3.1
2.9
EPSS
0.0%
EPSS 0% CVSS 3.7
LOW Monitor

GStreamer's webrtcbin component accepts remote SDP offers and answers that are missing the required a=fingerprint attribute due to an inverted boolean logic check in _check_sdp_crypto(), undermining the DTLS certificate fingerprint binding that protects WebRTC media streams from interception. An attacker already positioned as a man-in-the-middle on the WebRTC signaling channel can strip the a=fingerprint attribute from SDP messages, which the vulnerable code then incorrectly accepts, allowing the attacker to substitute their own DTLS certificate and intercept or tamper with encrypted media. No public exploit code exists and no CISA KEV listing has been issued; however, the flaw is architecturally significant because it silently voids a key WebRTC security guarantee rather than causing an obvious crash.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Release-routing integrity failure in Capgo before 12.128.2 lets an authorized app or channel manager covertly steer which update bundle unnamed clients receive. Because the platform permits multiple public channels per app/platform to coexist and silently resolves channel-less /updates requests to a single hidden 'winner' channel, a low-privileged insider can manipulate default update state and serve a chosen bundle to clients that did not specify a channel. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Forged IPv6 Neighbor Discovery acceptance in the Zephyr RTOS network stack (all releases through v4.4.0) lets an adjacent on-link attacker inject spoofed Router Advertisement, Neighbor Solicitation, and Neighbor Advertisement messages because an operator-precedence bug in subsys/net/ip/ipv6_nbr.c silently skips every RFC 4861 sanity check whenever the (always-present) ICMPv6 code is 0. Because the bypassed checks include the Hop-Limit==255 on-link proof, even off-link/remote attackers may have forged ND packets accepted, enabling default-router/DNS/SLAAC hijacking and neighbor-cache poisoning for man-in-the-middle, redirection, and denial of service. A vendor patch exists (commit 095f064c) but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Denial Of Service Zephyr
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Incomplete security-constraint logging in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, 11.0.0-M1-11.0.22) omits special roles and empty authorization constraints when the effective web.xml is written to the log, giving administrators an inaccurate view of the deployed access-control configuration. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and CISA SSVC marks exploitation status as none, despite the inflated 9.1 CVSS published by Apache. The practical effect is misleading audit/diagnostic output rather than direct attacker compromise.

Information Disclosure Tomcat Apache +1
NVD VulDB HeroDevs
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Access-control bypass in Apache Tomcat's RewriteValve (versions 8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, and 11.0.0-M1-11.0.22) arises because once the first condition in an OR (`[OR]`) chain matched, subsequent non-OR conditions were never evaluated. Where operators rely on chained rewrite conditions to gate or restrict requests, an attacker can satisfy only the first condition and have later guard conditions silently skipped, leading to information disclosure or unintended request routing. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Apache has released fixes in 11.0.23, 10.1.56, and 9.0.119.

Information Disclosure Tomcat Apache +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken cursor pagination in Capgo's /private/devices endpoint on the Cloudflare/workerd runtime path allows authenticated attackers with app.read_devices permission to trigger infinite duplicate-page loops, making later dataset rows permanently unreachable for affected sessions. All Capgo versions before 12.128.12 are vulnerable, and the impact is operational: device-management workflows repeatedly process the same duplicate records while failing to advance through the full dataset. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.3 (Medium) reflects limited, availability-only impact scoped to the vulnerable system.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152.

Mozilla Information Disclosure Suse +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Code injection in Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 allows authenticated attackers to execute arbitrary PHP via the LDAP autovalues option, which previously evaluated user-influenced expressions as code. The upstream maintainers removed code evaluation support entirely in the fixed releases. EPSS sits at 0.05% (14th percentile) and there is no public exploit identified at time of analysis, but the issue is patched and rated CVSS 7.5.

Code Injection Webmail
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

BGP session flapping denial-of-service in Cisco NX-OS on Nexus 3000 and 9000 Series Switches exposes data-center routing infrastructure to disruption from unauthenticated remote attackers. The flaw resides in the enforce-first-as BGP feature, where incorrect parsing of a transitive BGP attribute causes an affected switch to drop its BGP peer session and enter a flap loop upon receiving a crafted BGP UPDATE message. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the Changed scope in the CVSS vector reflects that the instability can propagate beyond the directly attacked peer, amplifying network-wide impact.

Denial Of Service Cisco
NVD VulDB
EPSS 0% CVSS 2.9
LOW PATCH Monitor

The EqualsUri function in uriparser before version 1.0.2 incorrectly classifies structurally distinct URIs as equivalent due to flawed absolutePath comparison logic when a host is present. An attacker can craft two different URIs that the library treats as identical, potentially bypassing URI-based access control checks or authentication mechanisms that rely on URI comparison. The vulnerability affects all versions before 1.0.2 and requires local access with high attack complexity; the impact is limited to integrity (logic bypass) with no confidentiality or availability impact.

Information Disclosure Uriparser
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy