Skip to main content

Suse

9339 CVEs vendor

Monthly

CVE-2026-28687 NuGet MEDIUM PATCH This Month

Heap use-after-free in ImageMagick's MSL decoder (versions before 7.1.2-16 and 6.9.13-41) allows remote attackers to trigger memory access violations via specially crafted MSL files, resulting in denial of service. The vulnerability requires no authentication or user interaction and affects systems processing untrusted image files. No patch is currently available for this MEDIUM severity issue.

Use After Free Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28686 NuGet MEDIUM PATCH This Month

Medium severity vulnerability in ImageMagick. A heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation.

Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-28494 NuGet HIGH PATCH This Week

High severity vulnerability in ImageMagick. A stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption.

Linux Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28493 NuGet MEDIUM PATCH This Month

Medium severity vulnerability in ImageMagick. An integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted mage.

Integer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26982 MEDIUM PATCH This Month

Ghostty terminal emulator allows control characters embedded in pasted or drag-and-dropped text to execute arbitrary commands in certain shell environments, requiring only user interaction to trigger. An attacker can craft malicious text with invisible control sequences that, when copied/pasted by a user, execute unintended commands with the user's privileges. No patch is currently available for this vulnerability.

Command Injection Ghostty Suse
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2024-14027 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-69648 MEDIUM PATCH This Month

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. [CVSS 6.2 MEDIUM]

RCE Denial Of Service Buffer Overflow Binutils Red Hat +1
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-69647 MEDIUM PATCH This Month

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. [CVSS 6.2 MEDIUM]

Denial Of Service Binutils Red Hat Suse
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-3731 MEDIUM PATCH This Month

Out-of-bounds read in libssh versions up to 0.11.3 allows remote attackers to cause denial of service by manipulating the idx argument in the SFTP extension name handler functions. The vulnerability resides in the sftp_extensions_get_name and sftp_extensions_get_data functions, enabling unauthenticated attackers to trigger memory access violations without user interaction. Upgrading to libssh 0.11.4 or 0.12.0 resolves this issue.

Buffer Overflow Libssh Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-30861 Go CRITICAL POC PATCH Act Now

OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.

RCE Command Injection AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-30860 Go CRITICAL POC PATCH Act Now

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

PostgreSQL RCE SQLi AI / ML Weknora +1
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-30859 Go MEDIUM PATCH This Month

WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.

Authentication Bypass Information Disclosure AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-30858 Go MEDIUM POC PATCH This Month

DNS rebinding in WeKnora's web_fetch tool allows authenticated attackers to bypass URL validation and access internal resources and private IP addresses on the server through malicious domains that resolve differently during validation versus execution. Public exploit code exists for this vulnerability, and versions prior to 0.3.0 are affected with no patch currently available. An attacker could leverage this to access sensitive local services and exfiltrate data from the affected system.

DNS AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-30857 Go MEDIUM POC PATCH This Month

Weknora versions up to 0.3.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-30856 Go MEDIUM PATCH This Month

Tool name collision in WeKnora's MCP client integration allows remote attackers with network access to register malicious tools that overwrite legitimate ones, enabling prompt injection attacks and potential data exfiltration. An attacker exploiting this vulnerability can redirect LLM execution to steal system prompts and context data, or execute arbitrary tools with the privileges of authenticated users. This affects WeKnora versions prior to 0.3.0.

Code Injection Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-30855 Go HIGH POC PATCH This Week

Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.

Authentication Bypass AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-30852 Go HIGH POC PATCH This Week

Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows remote attackers to perform double variable expansion on user-controlled input, enabling disclosure of environment variables and file contents. By injecting placeholders like {env.DATABASE_URL} or {file./etc/passwd} into request headers, an unauthenticated attacker can leak sensitive system information. Public exploit code exists for this vulnerability, which is fixed in version 2.11.2.

TLS Caddy Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30851 Go HIGH POC PATCH This Week

Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.

TLS Privilege Escalation Caddy Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-29196 Go MEDIUM PATCH This Month

Netmaker versions prior to 1.5.0 expose WireGuard private keys through unauthenticated API endpoints when accessed by users with the platform-user role, allowing credential theft across all network configurations despite UI-level access restrictions. An authenticated attacker can retrieve sensitive cryptographic material by directly calling GET /api/extclients/{network} or GET /api/nodes/{network} endpoints that lack proper output filtering. This vulnerability affects Netmaker and its integrated WireGuard deployments, with no patch currently available for affected versions.

Wireguard Netmaker Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-29195 Go MEDIUM PATCH This Month

Netmaker versions prior to 1.5.0 fail to properly validate role assignments in the user update API endpoint, allowing authenticated admin users to escalate their privileges to super-admin. An attacker with admin credentials can exploit this authorization bypass to gain unrestricted access to the platform. No patch is currently available for affected installations.

Wireguard Netmaker Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30834 Go HIGH POC PATCH This Week

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. [CVSS 7.5 HIGH]

SSRF Pinchtab Chrome Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30832 Go CRITICAL POC PATCH Act Now

SSRF in Soft Serve Git server versions 0.6.0 to 0.11.3 allows authenticated attackers to make requests to internal services. PoC and patch available.

SSH Soft Serve Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-29194 Go HIGH PATCH This Week

Netmaker versions prior to 1.5.0 fail to properly validate host JWT tokens during authorization, allowing any attacker with knowledge of target object identifiers to bypass access controls and read, modify, or delete resources across different hosts. The vulnerability affects critical operations including node management, host deletion, and failover configurations, requiring only a valid host token and network access to exploit. Update to version 1.5.0 or later to remediate.

Wireguard Netmaker Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-29076 MEDIUM POC PATCH This Month

Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server processes by submitting HTTP POST requests with maliciously crafted RFC 5987 filename* parameters that trigger catastrophic backtracking in the regex parser. The vulnerability exploits the recursive stack-based implementation of libstdc++'s regex engine, causing uncontrolled stack growth and stack overflow. Public exploit code exists for this vulnerability.

Stack Overflow Denial Of Service Cpp Httplib Red Hat Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-29193 Go HIGH PATCH This Week

ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]

Authentication Bypass Zitadel Suse
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-29192 Go HIGH PATCH This Week

Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.

XSS Zitadel Suse
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-29191 Go CRITICAL PATCH Act Now

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.

XSS Zitadel Suse
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-30247 Go MEDIUM POC PATCH This Month

WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.

Docker SSRF AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-30233 Go MEDIUM POC PATCH This Month

OliveTin prior to version 3000.11.1 fails to enforce view permission checks on dashboard and API endpoints, allowing authenticated users to enumerate action bindings, titles, IDs, icons, and argument metadata despite having restricted access. While command execution remains properly denied, this information disclosure enables attackers to map available actions and their configurations. Public exploit code exists for this medium-severity vulnerability, and a patch is available.

Information Disclosure Olivetin Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30225 Go MEDIUM POC PATCH This Month

OliveTin versions prior to 3000.11.1 contain an authentication bypass in RestartAction that allows authenticated users to execute shell commands beyond their assigned permissions. The vulnerability stems from improper request context handling that causes the system to fall back to guest user privileges, which may have broader access than the authenticated caller. Public exploit code exists for this medium-severity flaw that enables privilege escalation and unauthorized command execution.

Privilege Escalation Olivetin Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-30224 Go MEDIUM POC PATCH This Month

OliveTin prior to version 3000.11.1 fails to invalidate server-side sessions upon user logout, allowing attackers with a stolen session cookie to maintain authenticated access even after the legitimate user logs out. The vulnerability persists because browser cookies are cleared while the corresponding server session remains valid for approximately one year by default. Public exploit code exists for this session management bypass.

Authentication Bypass Olivetin Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-30223 Go HIGH POC PATCH This Week

OliveTin gives access to predefined shell commands from a web interface. [CVSS 8.8 HIGH]

Authentication Bypass Olivetin Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-69652 MEDIUM POC PATCH This Month

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. [CVSS 6.2 MEDIUM]

Memory Corruption Denial Of Service Binutils Red Hat Suse
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-69650 HIGH POC PATCH This Week

GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. [CVSS 7.5 HIGH]

Memory Corruption Denial Of Service Binutils Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69649 HIGH POC PATCH This Week

GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. [CVSS 7.5 HIGH]

Null Pointer Dereference Memory Corruption Binutils Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29089 HIGH This Week

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

PostgreSQL RCE Timescaledb Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-69651 MEDIUM POC PATCH This Month

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. [CVSS 5.5 MEDIUM]

Memory Corruption Denial Of Service Binutils Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-69646 MEDIUM PATCH This Month

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. [CVSS 5.5 MEDIUM]

Denial Of Service Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-69645 MEDIUM PATCH This Month

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. [CVSS 5.5 MEDIUM]

Denial Of Service Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-69644 MEDIUM PATCH This Month

An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. [CVSS 5.0 MEDIUM]

Denial Of Service Binutils Red Hat Suse
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-29064 Go HIGH POC PATCH This Week

Zarf is an Airgap Native Packager Manager for Kubernetes. [CVSS 8.2 HIGH]

Kubernetes Path Traversal Zarf Suse
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-23925 MEDIUM PATCH This Month

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts.

Authentication Bypass Zabbix Red Hat Suse
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-29183 Go CRITICAL POC PATCH Act Now

Reflected XSS in SiYuan knowledge management before 3.5.9.

XSS Siyuan Suse
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-29073 Go HIGH POC This Week

SQL injection in SiYuan prior to version 3.6.0 allows any authenticated user, including those with read-only access, to execute arbitrary database queries through the /api/query/sql endpoint due to insufficient authorization checks. Public exploit code exists for this vulnerability, enabling attackers to extract sensitive data or modify the knowledge base contents. No patch is currently available for affected versions.

SQLi Siyuan Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-29042 Go CRITICAL POC PATCH Act Now

Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.

Command Injection AI / ML Nuclio Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-28804 PyPI MEDIUM PATCH This Month

pypdf versions prior to 6.7.5 are vulnerable to denial-of-service attacks where specially crafted PDF files with ASCIIHexDecode filtered streams can cause excessive processing time and application hang. An unauthenticated attacker can exploit this by providing a malicious PDF that consumes significant computational resources when processed. A patch is available in version 6.7.5 and later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-29084 Go MEDIUM PATCH This Month

Gokapi versions prior to 2.2.3 lack CSRF protection on the login endpoint, allowing authenticated attackers to perform unwanted actions on behalf of legitimate users through malicious cross-site requests. An attacker can exploit this by crafting a webpage that tricks a logged-in user into unknowingly submitting forged login credentials or session-modifying requests. The vulnerability requires user interaction and a prior login session but could lead to unauthorized account access or session hijacking on self-hosted Gokapi instances.

CSRF Gokapi Suse
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-29061 Go MEDIUM PATCH This Month

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 5.4 MEDIUM]

Privilege Escalation Gokapi Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-29060 Go MEDIUM PATCH This Month

Privilege escalation in Gokapi prior to version 2.2.3 allows authenticated users to generate API keys with elevated permissions for file request management, despite lacking those privileges themselves. This affects deployments where no administrative users have access to the upload menu, enabling unauthorized users to create or modify file requests. No patch is currently available.

Authentication Bypass Gokapi Suse
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-28683 Go HIGH PATCH This Week

Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript in users' browsers via hotlinked files. An attacker with valid credentials can craft SVG payloads that persist in the application and compromise other users accessing the shared links. No patch is currently available for versions prior to 2.2.3.

XSS Gokapi Suse
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-28682 Go MEDIUM PATCH This Month

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 6.4 MEDIUM]

Information Disclosure Gokapi Suse
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-29188 Go CRITICAL POC PATCH Act Now

Unauthorized file operations in File Browser before fix. PoC and patch available.

Authentication Bypass Filebrowser Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28492 Go MEDIUM POC PATCH This Month

File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public share links, enabling any user with a share link to access and download files from sibling directories beyond the intended shared folder. This authenticated network-based vulnerability affects Golang and Filebrowser and has public exploit code available. The issue is resolved in version 2.61.0 and later.

Golang Filebrowser Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28790 Go HIGH POC PATCH This Week

OliveTin versions prior to 3000.11.0 suffer from broken access control allowing unauthenticated users to invoke the KillAction RPC endpoint and terminate running shell command executions, bypassing authentication restrictions. Public exploit code exists for this vulnerability, enabling remote denial of service attacks against legitimate administrative actions. The vulnerability affects OliveTin deployments regardless of authentication settings and has been remediated in version 3000.11.0 and later.

Denial Of Service Olivetin Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28789 Go HIGH POC PATCH This Week

OliveTin versions prior to 3000.10.3 are vulnerable to unauthenticated denial-of-service attacks when OAuth2 authentication is enabled, allowing remote attackers to crash the application by sending concurrent requests to the login endpoint. The vulnerability stems from unsynchronized access to shared state during OAuth2 processing, triggering a Go runtime panic. Public exploit code exists for this high-severity flaw, which is patched in version 3000.10.3 and later.

Golang Denial Of Service Olivetin Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28350 PyPI MEDIUM POC PATCH This Month

lxml_html_clean versions prior to 0.4.4 fail to sanitize <base> HTML tags, allowing attackers to inject malicious base tags and redirect relative links to attacker-controlled domains. Public exploit code exists for this vulnerability. The issue affects applications using the default Cleaner configuration and has been remediated in version 0.4.4.

XSS Lxml Html Clean Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28348 PyPI MEDIUM POC PATCH This Month

lxml_html_clean versions before 0.4.4 fail to properly sanitize CSS Unicode escape sequences in the _has_sneaky_javascript() method, allowing attackers to bypass filters and inject malicious @import statements or XSS payloads. Public exploit code exists for this vulnerability, which affects applications using the library for HTML sanitization. A patch is available in version 0.4.4 and should be applied immediately to prevent CSS-based injection attacks.

XSS Lxml Html Clean Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28342 Go HIGH POC PATCH This Week

OliveTin versions prior to 3000.10.2 are vulnerable to unauthenticated denial of service through the PasswordHash API endpoint, which lacks request throttling or authentication controls and allows attackers to trigger excessive memory allocation via concurrent hashing requests. An attacker can exhaust container memory by sending multiple parallel requests, causing service degradation or complete outage. Public exploit code exists for this vulnerability, and a patch is available in version 3000.10.2 and later.

Denial Of Service Olivetin Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-27944 Go CRITICAL POC PATCH Act Now

Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.

Nginx TLS Nginx Ui Suse
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.0%
CVE-2026-26998 Go MEDIUM PATCH This Month

Traefik versions prior to 2.11.38 and 3.6.9 fail to limit memory allocation when processing ForwardAuth middleware responses, allowing a malicious or compromised authentication server to trigger unbounded memory consumption. An attacker controlling the auth server can return an arbitrarily large response body that causes the Traefik process to exhaust available memory and crash, resulting in denial of service for all proxied routes. A patch is available in the specified versions.

Denial Of Service Traefik Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-26276 Go HIGH This Week

Gogs versions prior to 0.14.2 contain a DOM-based XSS vulnerability in the Issue creation page where attackers can inject malicious scripts through milestone names that execute when other users interact with those milestones. An authenticated attacker can craft a repository with a malicious milestone name containing JavaScript payloads that trigger in victim browsers, potentially compromising user sessions or sensitive data. No patch is currently available for affected versions.

XSS Gogs Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-26196 Go MEDIUM PATCH This Month

Gogs versions prior to 0.14.2 expose authentication tokens in URL parameters, allowing credentials to be captured through server logs, browser history, and HTTP referrer headers. This information disclosure vulnerability affects self-hosted Gogs instances and could enable attackers to gain unauthorized API access if tokens are leaked through these channels. A patch is available in version 0.14.2 and later.

Information Disclosure Gogs Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-26195 Go MEDIUM PATCH This Month

Stored cross-site scripting in Gogs prior to version 0.14.2 allows unauthenticated attackers to inject malicious scripts through template rendering of user-controlled data, potentially affecting all users viewing compromised content. The vulnerability exploits unsafe handling of data URLs combined with permissive sanitization, enabling attackers to steal session cookies, deface pages, or perform actions on behalf of victims. A patch is available in version 0.14.2 and later.

XSS Gogs Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-26194 Go HIGH POC PATCH This Week

Gogs prior to version 0.14.2 contains a command injection vulnerability in release deletion functionality where improper handling of user-controlled tag names allows git options to be injected into git commands. An authenticated attacker with UI interaction can exploit this to achieve integrity and availability impacts. Public exploit code exists for this vulnerability.

Code Injection Gogs Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-26022 Go HIGH POC PATCH This Week

Stored XSS in Gogs prior to version 0.14.2 allows authenticated users to execute arbitrary JavaScript in comments and issue descriptions by exploiting the HTML sanitizer's allowance of data: URI schemes. This affects all users viewing malicious content within the same Gogs instance and could enable session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in version 0.14.2 and later.

XSS Gogs Suse
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-25921 Go CRITICAL POC PATCH Act Now

Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.

Authentication Bypass Gogs Suse
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-30784 HIGH This Week

Unauthenticated attackers can abuse missing authorization controls in RustDesk Server's rendezvous and relay modules (hbbs/hbbr) to gain unauthorized privileges through exposed critical functions like punch hole requests and peer registration. This vulnerability affects RustDesk Server versions through 1.7.5 and 1.1.15, enabling remote privilege escalation over the network with no authentication required. No patch is currently available.

Authentication Bypass Suse
NVD VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-25702 HIGH PATCH This Week

Improper access control in the Linux kernel affects SUSE Linux Enterprise Server 12 SP5, causing nftables firewall rules to become ineffective and allowing network traffic to bypass intended filtering policies. An unauthenticated remote attacker can exploit this vulnerability to circumvent firewall protections without user interaction. No patch is currently available for this vulnerability.

Linux Linux Enterprise Server Suse
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-3381 CRITICAL PATCH Act Now

Insecure embedded zlib in Compress::Raw::Zlib through 2.219 for Perl.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-40926 CRITICAL PATCH Act Now

Insecure session ID generation in Plack::Middleware::Session::Simple before 0.05 for Perl. Patch available.

Information Disclosure Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-2297 MEDIUM PATCH This Month

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-3545 CRITICAL PATCH Act Now

Sandbox escape via navigation validation in Chrome before 145.0.7632.159. Patch available.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-3544 HIGH PATCH This Week

Google Chrome versions before 145.0.7632.159 contain a heap buffer overflow in the WebCodecs component that enables remote attackers to write data outside allocated memory bounds through malicious HTML pages. An unauthenticated attacker can exploit this vulnerability with minimal user interaction to achieve arbitrary code execution on affected systems. A patch is available in Chrome 145.0.7632.159 and later.

Google Buffer Overflow Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3543 HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's V8 engine (versions prior to 145.0.7632.159) enables remote attackers to achieve memory corruption through malicious HTML pages without requiring user privileges beyond standard interaction. The vulnerability affects all Chrome users and could potentially lead to information disclosure, data corruption, or code execution depending on memory layout and exploitation context.

Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3542 HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's WebAssembly implementation (versions prior to 145.0.7632.159) enables remote attackers to achieve full memory corruption through malicious HTML pages, requiring only user interaction. An attacker can exploit this to read sensitive data, modify memory, or crash the browser with no authentication needed. A patch is available in Chrome 145.0.7632.159 and later.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3541 HIGH PATCH This Week

Out-of-bounds memory read in Google Chrome's CSS implementation (versions prior to 145.0.7632.159) allows network attackers to read sensitive memory contents by tricking users into viewing a malicious HTML page. The vulnerability requires user interaction but carries high impact, enabling information disclosure without authentication or special privileges. A patch is available in Chrome 145.0.7632.159 and later.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3540 HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's WebAudio component (versions prior to 145.0.7632.159) enables remote attackers to read, modify, or crash the browser by tricking users into visiting malicious web pages. This network-based vulnerability requires no special privileges and affects all Chrome users who interact with untrusted content. A patch is available in Chrome 145.0.7632.159 and later versions.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3539 HIGH PATCH This Week

Heap corruption in Google Chrome's DevTools prior to version 145.0.7632.159 can be triggered through a malicious extension, requiring user installation and interaction. An attacker exploiting this object lifecycle vulnerability could achieve arbitrary code execution with full system privileges. A patch is available in Chrome 145.0.7632.159 and later versions.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3538 HIGH PATCH This Week

Google Chrome's Skia rendering engine contains an integer overflow flaw that enables remote attackers to access out-of-bounds memory when processing malicious HTML pages. Affected users running Chrome versions prior to 145.0.7632.159 could face memory corruption leading to information disclosure, data modification, or denial of service. A security patch is available to remediate this critical vulnerability.

Integer Overflow Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3537 HIGH PATCH This Week

Heap corruption in Chrome's PowerVR graphics driver on Android versions prior to 145.0.7632.159 can be triggered through malicious HTML pages, potentially enabling remote code execution without user interaction beyond visiting a compromised website. The vulnerability stems from improper object lifecycle management and affects all Android users running vulnerable Chrome versions. A patch is available and should be applied immediately given the high exploitation potential.

Android Chrome Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3536 HIGH PATCH This Week

Google Chrome's ANGLE graphics library before version 145.0.7632.159 contains an integer overflow vulnerability that enables remote attackers to access out-of-bounds memory through malicious HTML pages. An unauthenticated attacker can exploit this flaw by tricking users into visiting a crafted webpage, potentially compromising confidentiality, integrity, and availability. A patch is available in Chrome 145.0.7632.159 and later versions.

Integer Overflow Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-28435 HIGH POC PATCH This Week

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]

Denial Of Service Cpp Httplib Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28434 MEDIUM POC PATCH This Month

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]

Information Disclosure Cpp Httplib Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-20031 MEDIUM PATCH This Month

ClamAV's HTML CSS parser fails to properly handle UTF-8 string operations, enabling remote attackers to crash the scanning engine by submitting a malicious HTML file. An unauthenticated attacker can exploit this weakness over the network without user interaction to achieve denial of service. No patch is currently available.

Denial Of Service Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-62879 Go MEDIUM PATCH This Month

Rancher Backup And Restore Operator is affected by insertion of sensitive information into log file (CVSS 6.8).

Information Disclosure Rancher Backup And Restore Operator Suse
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-23237 MEDIUM PATCH This Month

The Linux kernel's Classmate laptop driver lacks NULL pointer checks in sysfs attribute handlers, allowing local users to trigger a denial of service by accessing device attributes before driver initialization completes. A premature sysfs access can cause the driver to dereference a NULL pointer when retrieving uninitialized device data, crashing the affected system.

Linux Null Pointer Dereference Denial Of Service Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23235 HIGH PATCH This Week

Local privilege escalation in Linux kernel f2fs sysfs attributes allows unprivileged users to trigger out-of-bounds memory access and cause denial of service by writing oversized integer values to filesystem control interfaces. The vulnerability stems from improper bounds checking when mapping sysfs attributes to kernel structures of varying integer sizes, enabling attackers to corrupt kernel memory and crash the system. No patch is currently available for this vulnerability.

Linux Buffer Overflow Information Disclosure Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-23234 HIGH PATCH This Week

A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.

Linux Use After Free Information Disclosure Memory Corruption Linux Kernel +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23233 HIGH POC PATCH This Week

F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available.

Linux Google Buffer Overflow Memory Corruption Linux Kernel +3
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23232 MEDIUM PATCH This Month

A revert of a Linux kernel patch introduces a potential deadlock condition in the f2fs filesystem when concurrent write operations and checkpoint operations occur, allowing a local user with write permissions to cause a denial of service through system hang. The vulnerability affects the Linux kernel's f2fs module and requires low privileges to trigger. No patch is currently available to address this issue.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Heap use-after-free in ImageMagick's MSL decoder (versions before 7.1.2-16 and 6.9.13-41) allows remote attackers to trigger memory access violations via specially crafted MSL files, resulting in denial of service. The vulnerability requires no authentication or user interaction and affects systems processing untrusted image files. No patch is currently available for this MEDIUM severity issue.

Use After Free Imagemagick Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Medium severity vulnerability in ImageMagick. A heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation.

Buffer Overflow Imagemagick Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

High severity vulnerability in ImageMagick. A stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption.

Linux Buffer Overflow Imagemagick +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Medium severity vulnerability in ImageMagick. An integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted mage.

Integer Overflow Imagemagick Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Ghostty terminal emulator allows control characters embedded in pasted or drag-and-dropped text to execute arbitrary commands in certain shell environments, requiring only user interaction to trigger. An attacker can craft malicious text with invisible control sequences that, when copied/pasted by a user, execute unintended commands with the user's privileges. No patch is currently available for this vulnerability.

Command Injection Ghostty Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. [CVSS 6.2 MEDIUM]

RCE Denial Of Service Buffer Overflow +3
NVD
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. [CVSS 6.2 MEDIUM]

Denial Of Service Binutils Red Hat +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Out-of-bounds read in libssh versions up to 0.11.3 allows remote attackers to cause denial of service by manipulating the idx argument in the SFTP extension name handler functions. The vulnerability resides in the sftp_extensions_get_name and sftp_extensions_get_data functions, enabling unauthenticated attackers to trigger memory access violations without user interaction. Upgrading to libssh 0.11.4 or 0.12.0 resolves this issue.

Buffer Overflow Libssh Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.

RCE Command Injection AI / ML +2
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

PostgreSQL RCE SQLi +3
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.

Authentication Bypass Information Disclosure AI / ML +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

DNS rebinding in WeKnora's web_fetch tool allows authenticated attackers to bypass URL validation and access internal resources and private IP addresses on the server through malicious domains that resolve differently during validation versus execution. Public exploit code exists for this vulnerability, and versions prior to 0.3.0 are affected with no patch currently available. An attacker could leverage this to access sensitive local services and exfiltrate data from the affected system.

DNS AI / ML Weknora +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Weknora versions up to 0.3.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass AI / ML Weknora +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Tool name collision in WeKnora's MCP client integration allows remote attackers with network access to register malicious tools that overwrite legitimate ones, enabling prompt injection attacks and potential data exfiltration. An attacker exploiting this vulnerability can redirect LLM execution to steal system prompts and context data, or execute arbitrary tools with the privileges of authenticated users. This affects WeKnora versions prior to 0.3.0.

Code Injection Suse
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.

Authentication Bypass AI / ML Weknora +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows remote attackers to perform double variable expansion on user-controlled input, enabling disclosure of environment variables and file contents. By injecting placeholders like {env.DATABASE_URL} or {file./etc/passwd} into request headers, an unauthenticated attacker can leak sensitive system information. Public exploit code exists for this vulnerability, which is fixed in version 2.11.2.

TLS Caddy Suse
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.

TLS Privilege Escalation Caddy +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Netmaker versions prior to 1.5.0 expose WireGuard private keys through unauthenticated API endpoints when accessed by users with the platform-user role, allowing credential theft across all network configurations despite UI-level access restrictions. An authenticated attacker can retrieve sensitive cryptographic material by directly calling GET /api/extclients/{network} or GET /api/nodes/{network} endpoints that lack proper output filtering. This vulnerability affects Netmaker and its integrated WireGuard deployments, with no patch currently available for affected versions.

Wireguard Netmaker Suse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Netmaker versions prior to 1.5.0 fail to properly validate role assignments in the user update API endpoint, allowing authenticated admin users to escalate their privileges to super-admin. An attacker with admin credentials can exploit this authorization bypass to gain unrestricted access to the platform. No patch is currently available for affected installations.

Wireguard Netmaker Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. [CVSS 7.5 HIGH]

SSRF Pinchtab Chrome +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

SSRF in Soft Serve Git server versions 0.6.0 to 0.11.3 allows authenticated attackers to make requests to internal services. PoC and patch available.

SSH Soft Serve Suse
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Netmaker versions prior to 1.5.0 fail to properly validate host JWT tokens during authorization, allowing any attacker with knowledge of target object identifiers to bypass access controls and read, modify, or delete resources across different hosts. The vulnerability affects critical operations including node management, host deletion, and failover configurations, requiring only a valid host token and network access to exploit. Update to version 1.5.0 or later to remediate.

Wireguard Netmaker Suse
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server processes by submitting HTTP POST requests with maliciously crafted RFC 5987 filename* parameters that trigger catastrophic backtracking in the regex parser. The vulnerability exploits the recursive stack-based implementation of libstdc++'s regex engine, causing uncontrolled stack growth and stack overflow. Public exploit code exists for this vulnerability.

Stack Overflow Denial Of Service Cpp Httplib +2
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]

Authentication Bypass Zitadel Suse
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.

XSS Zitadel Suse
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.

XSS Zitadel Suse
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.

Docker SSRF AI / ML +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OliveTin prior to version 3000.11.1 fails to enforce view permission checks on dashboard and API endpoints, allowing authenticated users to enumerate action bindings, titles, IDs, icons, and argument metadata despite having restricted access. While command execution remains properly denied, this information disclosure enables attackers to map available actions and their configurations. Public exploit code exists for this medium-severity vulnerability, and a patch is available.

Information Disclosure Olivetin Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

OliveTin versions prior to 3000.11.1 contain an authentication bypass in RestartAction that allows authenticated users to execute shell commands beyond their assigned permissions. The vulnerability stems from improper request context handling that causes the system to fall back to guest user privileges, which may have broader access than the authenticated caller. Public exploit code exists for this medium-severity flaw that enables privilege escalation and unauthorized command execution.

Privilege Escalation Olivetin Suse
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

OliveTin prior to version 3000.11.1 fails to invalidate server-side sessions upon user logout, allowing attackers with a stolen session cookie to maintain authenticated access even after the legitimate user logs out. The vulnerability persists because browser cookies are cleared while the corresponding server session remains valid for approximately one year by default. Public exploit code exists for this session management bypass.

Authentication Bypass Olivetin Suse
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

OliveTin gives access to predefined shell commands from a web interface. [CVSS 8.8 HIGH]

Authentication Bypass Olivetin Suse
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM POC PATCH This Month

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. [CVSS 6.2 MEDIUM]

Memory Corruption Denial Of Service Binutils +2
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. [CVSS 7.5 HIGH]

Memory Corruption Denial Of Service Binutils +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. [CVSS 7.5 HIGH]

Null Pointer Dereference Memory Corruption Binutils +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

PostgreSQL RCE Timescaledb +2
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. [CVSS 5.5 MEDIUM]

Memory Corruption Denial Of Service Binutils +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. [CVSS 5.5 MEDIUM]

Denial Of Service Red Hat Suse
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. [CVSS 5.5 MEDIUM]

Denial Of Service Red Hat Suse
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. [CVSS 5.0 MEDIUM]

Denial Of Service Binutils Red Hat +1
NVD
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Zarf is an Airgap Native Packager Manager for Kubernetes. [CVSS 8.2 HIGH]

Kubernetes Path Traversal Zarf +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts.

Authentication Bypass Zabbix Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Reflected XSS in SiYuan knowledge management before 3.5.9.

XSS Siyuan Suse
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in SiYuan prior to version 3.6.0 allows any authenticated user, including those with read-only access, to execute arbitrary database queries through the /api/query/sql endpoint due to insufficient authorization checks. Public exploit code exists for this vulnerability, enabling attackers to extract sensitive data or modify the knowledge base contents. No patch is currently available for affected versions.

SQLi Siyuan Suse
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.

Command Injection AI / ML Nuclio +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

pypdf versions prior to 6.7.5 are vulnerable to denial-of-service attacks where specially crafted PDF files with ASCIIHexDecode filtered streams can cause excessive processing time and application hang. An unauthenticated attacker can exploit this by providing a malicious PDF that consumes significant computational resources when processed. A patch is available in version 6.7.5 and later.

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Gokapi versions prior to 2.2.3 lack CSRF protection on the login endpoint, allowing authenticated attackers to perform unwanted actions on behalf of legitimate users through malicious cross-site requests. An attacker can exploit this by crafting a webpage that tricks a logged-in user into unknowingly submitting forged login credentials or session-modifying requests. The vulnerability requires user interaction and a prior login session but could lead to unauthorized account access or session hijacking on self-hosted Gokapi instances.

CSRF Gokapi Suse
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 5.4 MEDIUM]

Privilege Escalation Gokapi Suse
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Privilege escalation in Gokapi prior to version 2.2.3 allows authenticated users to generate API keys with elevated permissions for file request management, despite lacking those privileges themselves. This affects deployments where no administrative users have access to the upload menu, enabling unauthorized users to create or modify file requests. No patch is currently available.

Authentication Bypass Gokapi Suse
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript in users' browsers via hotlinked files. An attacker with valid credentials can craft SVG payloads that persist in the application and compromise other users accessing the shared links. No patch is currently available for versions prior to 2.2.3.

XSS Gokapi Suse
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 6.4 MEDIUM]

Information Disclosure Gokapi Suse
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Unauthorized file operations in File Browser before fix. PoC and patch available.

Authentication Bypass Filebrowser Suse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public share links, enabling any user with a share link to access and download files from sibling directories beyond the intended shared folder. This authenticated network-based vulnerability affects Golang and Filebrowser and has public exploit code available. The issue is resolved in version 2.61.0 and later.

Golang Filebrowser Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OliveTin versions prior to 3000.11.0 suffer from broken access control allowing unauthenticated users to invoke the KillAction RPC endpoint and terminate running shell command executions, bypassing authentication restrictions. Public exploit code exists for this vulnerability, enabling remote denial of service attacks against legitimate administrative actions. The vulnerability affects OliveTin deployments regardless of authentication settings and has been remediated in version 3000.11.0 and later.

Denial Of Service Olivetin Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OliveTin versions prior to 3000.10.3 are vulnerable to unauthenticated denial-of-service attacks when OAuth2 authentication is enabled, allowing remote attackers to crash the application by sending concurrent requests to the login endpoint. The vulnerability stems from unsynchronized access to shared state during OAuth2 processing, triggering a Go runtime panic. Public exploit code exists for this high-severity flaw, which is patched in version 3000.10.3 and later.

Golang Denial Of Service Olivetin +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

lxml_html_clean versions prior to 0.4.4 fail to sanitize <base> HTML tags, allowing attackers to inject malicious base tags and redirect relative links to attacker-controlled domains. Public exploit code exists for this vulnerability. The issue affects applications using the default Cleaner configuration and has been remediated in version 0.4.4.

XSS Lxml Html Clean Suse
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

lxml_html_clean versions before 0.4.4 fail to properly sanitize CSS Unicode escape sequences in the _has_sneaky_javascript() method, allowing attackers to bypass filters and inject malicious @import statements or XSS payloads. Public exploit code exists for this vulnerability, which affects applications using the library for HTML sanitization. A patch is available in version 0.4.4 and should be applied immediately to prevent CSS-based injection attacks.

XSS Lxml Html Clean Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OliveTin versions prior to 3000.10.2 are vulnerable to unauthenticated denial of service through the PasswordHash API endpoint, which lacks request throttling or authentication controls and allows attackers to trigger excessive memory allocation via concurrent hashing requests. An attacker can exhaust container memory by sending multiple parallel requests, causing service degradation or complete outage. Public exploit code exists for this vulnerability, and a patch is available in version 3000.10.2 and later.

Denial Of Service Olivetin Suse
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.

Nginx TLS Nginx Ui +1
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Traefik versions prior to 2.11.38 and 3.6.9 fail to limit memory allocation when processing ForwardAuth middleware responses, allowing a malicious or compromised authentication server to trigger unbounded memory consumption. An attacker controlling the auth server can return an arbitrarily large response body that causes the Traefik process to exhaust available memory and crash, resulting in denial of service for all proxied routes. A patch is available in the specified versions.

Denial Of Service Traefik Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Gogs versions prior to 0.14.2 contain a DOM-based XSS vulnerability in the Issue creation page where attackers can inject malicious scripts through milestone names that execute when other users interact with those milestones. An authenticated attacker can craft a repository with a malicious milestone name containing JavaScript payloads that trigger in victim browsers, potentially compromising user sessions or sensitive data. No patch is currently available for affected versions.

XSS Gogs Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Gogs versions prior to 0.14.2 expose authentication tokens in URL parameters, allowing credentials to be captured through server logs, browser history, and HTTP referrer headers. This information disclosure vulnerability affects self-hosted Gogs instances and could enable attackers to gain unauthorized API access if tokens are leaked through these channels. A patch is available in version 0.14.2 and later.

Information Disclosure Gogs Suse
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting in Gogs prior to version 0.14.2 allows unauthenticated attackers to inject malicious scripts through template rendering of user-controlled data, potentially affecting all users viewing compromised content. The vulnerability exploits unsafe handling of data URLs combined with permissive sanitization, enabling attackers to steal session cookies, deface pages, or perform actions on behalf of victims. A patch is available in version 0.14.2 and later.

XSS Gogs Suse
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Gogs prior to version 0.14.2 contains a command injection vulnerability in release deletion functionality where improper handling of user-controlled tag names allows git options to be injected into git commands. An authenticated attacker with UI interaction can exploit this to achieve integrity and availability impacts. Public exploit code exists for this vulnerability.

Code Injection Gogs Suse
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Stored XSS in Gogs prior to version 0.14.2 allows authenticated users to execute arbitrary JavaScript in comments and issue descriptions by exploiting the HTML sanitizer's allowance of data: URI schemes. This affects all users viewing malicious content within the same Gogs instance and could enable session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in version 0.14.2 and later.

XSS Gogs Suse
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.

Authentication Bypass Gogs Suse
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated attackers can abuse missing authorization controls in RustDesk Server's rendezvous and relay modules (hbbs/hbbr) to gain unauthorized privileges through exposed critical functions like punch hole requests and peer registration. This vulnerability affects RustDesk Server versions through 1.7.5 and 1.1.15, enabling remote privilege escalation over the network with no authentication required. No patch is currently available.

Authentication Bypass Suse
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Improper access control in the Linux kernel affects SUSE Linux Enterprise Server 12 SP5, causing nftables firewall rules to become ineffective and allowing network traffic to bypass intended filtering policies. An unauthenticated remote attacker can exploit this vulnerability to circumvent firewall protections without user interaction. No patch is currently available for this vulnerability.

Linux Linux Enterprise Server Suse
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Insecure embedded zlib in Compress::Raw::Zlib through 2.219 for Perl.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Insecure session ID generation in Plack::Middleware::Session::Simple before 0.05 for Perl. Patch available.

Information Disclosure Suse
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape via navigation validation in Chrome before 145.0.7632.159. Patch available.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Google Chrome versions before 145.0.7632.159 contain a heap buffer overflow in the WebCodecs component that enables remote attackers to write data outside allocated memory bounds through malicious HTML pages. An unauthenticated attacker can exploit this vulnerability with minimal user interaction to achieve arbitrary code execution on affected systems. A patch is available in Chrome 145.0.7632.159 and later.

Google Buffer Overflow Chrome +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's V8 engine (versions prior to 145.0.7632.159) enables remote attackers to achieve memory corruption through malicious HTML pages without requiring user privileges beyond standard interaction. The vulnerability affects all Chrome users and could potentially lead to information disclosure, data corruption, or code execution depending on memory layout and exploitation context.

Chrome Google Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's WebAssembly implementation (versions prior to 145.0.7632.159) enables remote attackers to achieve full memory corruption through malicious HTML pages, requiring only user interaction. An attacker can exploit this to read sensitive data, modify memory, or crash the browser with no authentication needed. A patch is available in Chrome 145.0.7632.159 and later.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory read in Google Chrome's CSS implementation (versions prior to 145.0.7632.159) allows network attackers to read sensitive memory contents by tricking users into viewing a malicious HTML page. The vulnerability requires user interaction but carries high impact, enabling information disclosure without authentication or special privileges. A patch is available in Chrome 145.0.7632.159 and later.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's WebAudio component (versions prior to 145.0.7632.159) enables remote attackers to read, modify, or crash the browser by tricking users into visiting malicious web pages. This network-based vulnerability requires no special privileges and affects all Chrome users who interact with untrusted content. A patch is available in Chrome 145.0.7632.159 and later versions.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's DevTools prior to version 145.0.7632.159 can be triggered through a malicious extension, requiring user installation and interaction. An attacker exploiting this object lifecycle vulnerability could achieve arbitrary code execution with full system privileges. A patch is available in Chrome 145.0.7632.159 and later versions.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Google Chrome's Skia rendering engine contains an integer overflow flaw that enables remote attackers to access out-of-bounds memory when processing malicious HTML pages. Affected users running Chrome versions prior to 145.0.7632.159 could face memory corruption leading to information disclosure, data modification, or denial of service. A security patch is available to remediate this critical vulnerability.

Integer Overflow Chrome Google +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Chrome's PowerVR graphics driver on Android versions prior to 145.0.7632.159 can be triggered through malicious HTML pages, potentially enabling remote code execution without user interaction beyond visiting a compromised website. The vulnerability stems from improper object lifecycle management and affects all Android users running vulnerable Chrome versions. A patch is available and should be applied immediately given the high exploitation potential.

Android Chrome Google +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Google Chrome's ANGLE graphics library before version 145.0.7632.159 contains an integer overflow vulnerability that enables remote attackers to access out-of-bounds memory through malicious HTML pages. An unauthenticated attacker can exploit this flaw by tricking users into visiting a crafted webpage, potentially compromising confidentiality, integrity, and availability. A patch is available in Chrome 145.0.7632.159 and later versions.

Integer Overflow Chrome Google +2
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]

Denial Of Service Cpp Httplib Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]

Information Disclosure Cpp Httplib Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

ClamAV's HTML CSS parser fails to properly handle UTF-8 string operations, enabling remote attackers to crash the scanning engine by submitting a malicious HTML file. An unauthenticated attacker can exploit this weakness over the network without user interaction to achieve denial of service. No patch is currently available.

Denial Of Service Suse
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Rancher Backup And Restore Operator is affected by insertion of sensitive information into log file (CVSS 6.8).

Information Disclosure Rancher Backup And Restore Operator Suse
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel's Classmate laptop driver lacks NULL pointer checks in sysfs attribute handlers, allowing local users to trigger a denial of service by accessing device attributes before driver initialization completes. A premature sysfs access can cause the driver to dereference a NULL pointer when retrieving uninitialized device data, crashing the affected system.

Linux Null Pointer Dereference Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local privilege escalation in Linux kernel f2fs sysfs attributes allows unprivileged users to trigger out-of-bounds memory access and cause denial of service by writing oversized integer values to filesystem control interfaces. The vulnerability stems from improper bounds checking when mapping sysfs attributes to kernel structures of varying integer sizes, enabling attackers to corrupt kernel memory and crash the system. No patch is currently available for this vulnerability.

Linux Buffer Overflow Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.

Linux Use After Free Information Disclosure +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available.

Linux Google Buffer Overflow +5
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A revert of a Linux kernel patch introduces a potential deadlock condition in the f2fs filesystem when concurrent write operations and checkpoint operations occur, allowing a local user with write permissions to cause a denial of service through system hang. The vulnerability affects the Linux kernel's f2fs module and requires low privileges to trigger. No patch is currently available to address this issue.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
Prev Page 37 of 104 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy