Skip to main content

Suse

9348 CVEs vendor

Monthly

CVE-2026-13785 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on macOS before 150.0.7871.47 stems from a use-after-free in the browser's Bluetooth component, letting a remote attacker who lures a user into specific UI gestures on a crafted HTML page corrupt memory and break out of the renderer sandbox. Rated Critical by Chromium and CVSS 9.6, though no public exploit has been identified and EPSS is low (0.22%, 13th percentile). A vendor fix is available and CISA SSVC currently marks exploitation as 'none'.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13784 HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and performing specific UI gestures, potentially achieving code execution in the renderer/browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction. No public exploit identified at time of analysis, and EPSS is low (0.22%, 13th percentile); SSVC lists exploitation as none but technical impact as total.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13783 HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework, fixed in 150.0.7871.47, lets a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page trigger heap corruption and potentially achieve code execution in the browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.22%.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13782 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Chromium rates the underlying use-after-free as Critical, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%). A vendor patch is available and the flaw is a classic second-stage chain component rather than a standalone entry point.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-13781 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, achieving high-impact code execution across the security boundary (scope change). Rated Critical by Chromium and CVSS 9.6, but no public exploit is identified at time of analysis and EPSS is low (0.22%, 13th percentile). SSVC lists exploitation status as none, indicating no observed active exploitation.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13780 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component before version 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the browser sandbox and execute code in a higher-privilege context via a crafted HTML page. Google rates the Chromium security severity as Critical (CVSS 9.6), though this is a second-stage bug requiring a prior renderer compromise. A vendor patch is available; no public exploit has been identified at time of analysis and EPSS exploitation probability is low (0.22%).

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13779 HIGH PATCH This Week

Remote code execution in Google Chrome on ChromeOS (versions prior to 150.0.7871.47) stems from a use-after-free in the Chromoting (Chrome Remote Desktop) component, letting a remote attacker corrupt memory and execute arbitrary code through malicious network traffic. Google rates the Chromium severity as Critical, and CVSS scores it 8.1 with a high attack complexity. As of this analysis there is no public exploit identified and it is not listed in CISA KEV; EPSS is low at 0.24% (15th percentile), and SSVC records exploitation status as none.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13778 HIGH PATCH This Week

Local arbitrary code execution in Google Chrome for macOS (versions prior to 150.0.7871.47) stems from a use-after-free in the WebUSB implementation, which Chromium rates Critical. A local attacker who can present a malicious USB peripheral to a victim who authorizes it can corrupt renderer memory and run attacker-controlled code within the browser's context. There is no public exploit identified at time of analysis, and EPSS is low (0.16%, 5th percentile), reflecting limited likelihood of widespread opportunistic exploitation.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-13777 HIGH PATCH This Week

Heap corruption in the iOSWeb component of Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption with high confidentiality, integrity, and availability impact. Chromium rated the underlying issue Critical severity, though the CVSS base score is 8.8 because exploitation requires user interaction (visiting a page). There is no public exploit identified at time of analysis, it is not on CISA KEV, and the EPSS probability is low at 0.21%.

Information Disclosure Apple Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13776 CRITICAL PATCH Act Now

Sandbox escape via type confusion in Google Chrome's Dawn WebGPU implementation allows an attacker who already controls a compromised renderer process to break out of the browser sandbox using a crafted HTML page, affecting all Chrome desktop builds prior to 150.0.7871.47. Rated Critical by Chromium and CVSS 9.8, though the score assumes no prior privilege; realistically it is the second stage of an exploit chain. A vendor patch is available and no public exploit has been identified at time of analysis (EPSS 0.24%, 15th percentile).

Memory Corruption Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-13775 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop prior to 150.0.7871.47 stems from a use-after-free in the GPU process, letting a remote attacker who has already compromised the renderer break out of the browser sandbox via a crafted HTML page. Google rates the Chromium severity as Critical, and a fix is available in the Stable channel update. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.22% (13th percentile).

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-13774 HIGH PATCH This Week

Arbitrary code execution in Google Chrome desktop versions prior to 150.0.7871.47 stems from a use-after-free flaw in the Extensions component, which Chromium rated Critical severity. An attacker who convinces a victim to install a malicious extension can trigger the dangling-pointer condition through a crafted extension to run arbitrary code in the affected process. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and CISA/SSVC records no observed exploitation.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2023-46118 MEDIUM PATCH GHSA This Month

### Summary Responsibly disclosed by @NSEcho. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Red Hat Suse
NVD GitHub
CVSS 3.1
4.9
EPSS
1.1%
CVE-2022-31008 MEDIUM PATCH GHSA This Month

### Impact Shovel and Federation plugins perform URI obfuscation in their worker (link) state. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Google Information Disclosure Red Hat Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-14241 CRITICAL Act Now

Memory-corruption weaknesses in Mozilla Firefox 152.0.3 could allow remote attackers to potentially execute arbitrary code within the browser process. Mozilla graded the collected memory-safety bugs as critical (MFSA2026-62) and states some showed evidence of memory corruption that, with sufficient effort, could be exploited for code execution; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile). The issue is resolved in Firefox 152.0.4.

Memory Corruption Mozilla Buffer Overflow RCE Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-13149 HIGH PATCH This Week

{}' brace groups to the expand() function, whose recursion is exponential in the number of such groups. Because brace-expansion is a near-ubiquitous transitive dependency (notably via minimatch/glob), any application that feeds untrusted input to expand() directly or indirectly is exposed. No public exploit was identified at time of analysis, though the CVSS 4.0 threat metric (E:P) indicates proof-of-concept maturity; the issue is not in CISA KEV.

Denial Of Service Brace Expansion Red Hat Suse
NVD GitHub
CVSS 4.0
7.7
EPSS
0.4%
CVE-2026-12610 MEDIUM This Month

Use-after-free in the SSSD PAM responder crashes the authentication daemon when a local attacker manipulates YubiKey or smartcard contents during an authentication attempt on Red Hat Enterprise Linux 6 through 10. The primary realized impact is a denial of service - the PAM responder crash disrupts all authentication - but the underlying memory corruption also presents a difficult-to-exploit privilege escalation path. No public exploit code exists at time of analysis, and the CVSS vector (AV:L/AC:H/PR:H) reflects a tightly constrained local attack requiring high privileges and significant complexity, limiting realistic blast radius to insider-threat and physical-access scenarios.

Privilege Escalation Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +6
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-14164 HIGH PATCH This Week

Denial of service in libarchive's RAR5 reader allows remote attackers to crash applications that decompress untrusted RAR5 archives via a double-free (CWE-415) of the stale filtered_buf pointer. Reported by Red Hat and affecting libarchive as shipped across Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images, the flaw is triggered purely by parsing a malicious archive entry. No public exploit has been identified and the issue is not in CISA KEV; impact is limited to availability (CVSS 7.5, A:H only) with no code execution or data exposure claimed.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +5
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-13606 MEDIUM PATCH This Month

Insufficient data exists to characterize CVE-2026-13606. The sole intelligence signal is a vendor report attributed to Ubuntu, indicating this vulnerability affects a package or component within the Ubuntu ecosystem. No description, CVSS score, vector, CWE classification, or additional references are available - a complete technical characterization is not possible from the provided data.

Information Disclosure Red Hat Suse
NVD
CVE-2026-13593 MEDIUM PATCH This Month

CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away. The minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace.

Information Disclosure Css Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13595 MEDIUM PATCH This Month

Heap use-after-free read in libblkid (util-linux) enables unauthenticated local attackers to crash udisks or leak root-process heap data by presenting a crafted block device image during nested partition probing. BSD, Minix, Solaris x86, and UnixWare partition table parsers cache raw pointers into a dynamically allocated partition array; when subsequent partition additions trigger array reallocation, those pointers become stale and dereference freed memory. Because udev and udisks invoke libblkid automatically as root on block-device hot-plug events, USB insertion alone is sufficient to trigger the flaw without any user interaction or authentication. No public exploit identified at time of analysis.

Memory Corruption Denial Of Service Use After Free Information Disclosure Red Hat Enterprise Linux 10 +7
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-13503 MEDIUM POC This Month

Path traversal in ANTLR4 up to 4.13.2 exposes arbitrary file read via the tokenVocab grammar option handler. The vulnerable function getImportedVocabFile in TokenVocabParser.java fails to sanitize user-controlled grammar option values, allowing an attacker to supply a crafted .g4 grammar file that causes the tool to read files outside the intended working directory. A publicly available proof-of-concept exploit exists (GitHub issue reference), and no vendor patch has been released - the vendor did not respond to disclosure. No active exploitation is confirmed in CISA KEV, but the CVSS 4.0 E:P flag confirms exploit code is public.

Java Path Traversal Antlr4 Red Hat Suse
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-13500 MEDIUM POC This Month

Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.

Code Injection Java RCE Antlr4 Red Hat +1
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-48785 Go MEDIUM PATCH GHSA This Month

Apptainer's `limit container paths` security directive in setuid mode fails to enforce path boundaries correctly because it uses string prefix matching rather than full path-component comparison, allowing local users to run containers from sibling directories whose names begin with an allowed path string. A system configured to allow only `/data/safe` will inadvertently also permit `/data/safe-but-unsafe` or any other path sharing that prefix. This affects only installations running Apptainer in setuid mode with the `limit container paths` directive explicitly configured; no public exploit has been identified at time of analysis, and the vendor-confirmed fix is available in version 1.5.1.

Path Traversal Suse
NVD GitHub
CVSS 3.1
4.8
CVE-2026-13434 MEDIUM This Month

Network annotation injection in KubeVirt's VirtualMachineInstance API allows authenticated tenants to attach launcher pods to arbitrary network namespaces by writing unsanitized JSON into the Multus CNI default-network annotation. Exploitation is gated on the ExternalNetResourceInjection Beta feature gate being explicitly enabled by a cluster-admin (off by default, first available in OpenShift Virtualization 4.21), which intentionally bypasses the NAD namespace lookup that would otherwise reject malformed annotation values. A successful attack permits cross-namespace network attachment and IP/MAC address impersonation on segments normally segregated from tenant workloads; no public exploit has been identified at time of analysis.

Code Injection Red Hat Openshift Virtualization 4 Suse
NVD VulDB
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-57918 HIGH PATCH This Week

Client-side memory-safety failure in libnfs (through 6.0.2, fixed by commit f0b109d/935b8db) lets a malicious or compromised NFS server trigger an unsigned integer underflow in the RPC record-marker handling of rpc_read_from_socket(). When a victim application using libnfs connects to a crafted server, the server can supply a record marker whose declared xid/pdu length is smaller than the size libnfs expects to read, wrapping the length value and driving an oversized READ_IOVEC read with corresponding heap memory disclosure or corruption. There is no public exploit identified at time of analysis and it is not in CISA KEV; exploitation requires the victim to initiate a connection to an attacker-controlled NFS endpoint.

Integer Overflow Information Disclosure Libnfs Suse
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-6658 MEDIUM This Month

Cross-site scripting in jupyter/nbconvert versions 7.17.0 and earlier allows any user with notebook write access to inject and execute arbitrary JavaScript in the browsers of users who view HTML-exported notebooks. The flaw stems from the `data_mermaid` rendering block in `share/templates/lab/base.html.j2`, which outputs `text/vnd.mermaid` cell content directly into HTML without escaping, enabling tag breakout from the enclosing `<pre>` element. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the stored-XSS pattern means any user who views a maliciously crafted HTML export is at risk.

XSS Jupyter Jupyter Suse
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2026-13283 HIGH PATCH This Week

Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service Use After Free RCE +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13282 MEDIUM PATCH This Month

Use-after-free memory corruption in Google Chrome's Payments component on Android (prior to 149.0.7827.201) enables a local attacker with physical access to the device to trigger heap corruption, yielding high impact across confidentiality, integrity, and availability. The physical-access requirement (CVSS AV:P) substantially constrains the exploitable population to scenarios such as unattended or stolen devices. No public exploit identified at time of analysis, and no CISA KEV listing exists, indicating this has not been observed in active exploitation campaigns.

Memory Corruption Denial Of Service Use After Free Google Suse +1
NVD VulDB
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-13281 HIGH PATCH This Week

Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Buffer Overflow Google Suse Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-22879 HIGH This Week

Heap-based buffer overflow in the vtk-dicom library's vtkDICOMItem::NewDataElement routine allows remote attackers to corrupt heap memory and potentially achieve arbitrary code execution by supplying a maliciously crafted DICOM data element. The flaw affects vtk-dicom (a DICOM I/O module commonly paired with the Visualization Toolkit) and was reported by Cisco Talos (TALOS-2026-2366), carrying a CVSS 3.1 base score of 8.1 with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Vtk Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-48702 Go HIGH PATCH GHSA This Week

Remote unauthenticated denial of service in Sigstore Rekor (>= 0.3.0, < 1.5.2) allows attackers to crash the transparency log server via a gzip decompression bomb in its Alpine APK parsing path. The Package.Unmarshal() function decompresses the signature and control gzip members of a submitted APK into memory without bounding total decompressed size, so a ~1000:1 compression ratio payload (e.g. 2MB compressed to 2GB) exhausts heap and triggers a fatal Go runtime OOM or OS OOM-kill that the recover() middleware cannot catch. No public exploit identified at time of analysis; it is not in CISA KEV, and the impact is availability-only (no confidentiality or integrity loss).

Denial Of Service Suse
NVD GitHub
CVSS 3.1
7.5
CVE-2026-48504 Cargo MEDIUM PATCH GHSA This Month

Unbounded resource consumption in the Rust opentelemetry_sdk's BaggagePropagator::extract_with_context allows unauthenticated remote attackers to cause elevated CPU and heap allocation overhead by sending oversized W3C baggage propagation headers to any service using versions 0.32.0 or earlier. The SDK parsed the full header content before applying storage limits, meaning attacker-supplied data was processed and then discarded - wasting resources on every malicious request. A parallel design-level gap affects the Java (GHSA-rcgg-9c38-7xpx) and Go (GHSA-mh2q-q3fh-2475) OpenTelemetry SDKs, suggesting a cross-ecosystem pattern; no public exploit or active exploitation (KEV) has been identified.

Java Denial Of Service RCE Suse
NVD GitHub
CVSS 3.1
5.3
CVE-2026-54448 Go MEDIUM POC PATCH GHSA This Month

Decompression bomb (zip bomb) in Trivy's Helm chart scanner causes denial of service via OOM kill when processing a crafted .tgz archive. Affected versions prior to 0.71.0 use io.ReadAll without any size cap on tar entries inside Helm chart archives, allowing a small compressed file to expand to gigabytes in memory. An attacker who can place a malicious archive in any path that Trivy is directed to scan can reliably crash the Trivy process. No public exploit or CISA KEV listing at time of analysis.

Denial Of Service Trivy Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-55092 HIGH PATCH This Week

Arbitrary file write in Aqua Security's Trivy scanner (prior to 0.71.1) allows an attacker who can make Trivy fetch an attacker-controlled OCI artifact to write layer content anywhere on the host filesystem. Trivy trusts the org.opencontainers.image.title manifest annotation as the output filename without sanitization, so a crafted value containing path-traversal sequences escapes the intended download directory (CWE-22). No public exploit has been identified at time of analysis; the CVSS 4.0 score is 7.0 (high), driven by high integrity and availability impact requiring user interaction.

Path Traversal Trivy Suse
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-55693 MEDIUM PATCH This Month

Stack out-of-bounds write in Vim's spell suggestion engine allows a crafted `.spl`/`.sug` file pair to corrupt the call stack and crash the editor when spell suggestions are invoked. All Vim releases prior to 9.2.0653 are affected, with the flaw in `tree_count_words()` and `sug_filltree()` inside `src/spellfile.c`, where three fixed-size MAXWLEN-element stack arrays are indexed by an unbounded depth counter. No public exploit identified at time of analysis (CVSS 4.0 E:U), though the upstream fix commit includes a detailed proof-of-concept test case reproducing the out-of-bounds write.

Memory Corruption Buffer Overflow Vim Suse
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-57451 MEDIUM PATCH This Month

Out-of-bounds read in Vim's text property subsystem allows a crafted undo file to crash the editor and potentially disclose adjacent heap memory. All Vim releases prior to 9.2.0670 are affected; the vulnerability is reachable whenever a user loads a malicious undo file with the persistent-undo feature compiled in and enabled. No public exploit or CISA KEV listing exists at time of analysis, placing real-world risk in the low-to-medium range despite the local crash severity.

Buffer Overflow Information Disclosure Vim Suse
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57452 MEDIUM PATCH This Month

Vim crashes with an out-of-bounds read when opening a maliciously crafted file encrypted with the xchacha20poly1305 cipher (VimCrypt~04! or VimCrypt~05!) whose body is shorter than a libsodium secretstream header. An unsigned integer underflow in the length calculation inside crypt_sodium_buffer_decode() causes the subsequent crypto_secretstream_xchacha20poly1305_pull() call to read far past the end of the input buffer, resulting in a denial-of-service crash. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the fix commit includes a concrete reproducer test case confirming the crash path.

Buffer Overflow Information Disclosure Vim Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-57453 HIGH PATCH This Week

Arbitrary command execution in Vim's bundled zip plugin (autoload/zip.vim) affects builds from 9.1.1784 up to the 9.2.0678 fix on systems where the plugin falls back to PowerShell for archive operations. When browsing, reading, extracting, updating or deleting zip entries, the plugin quotes archive entry names for the shell but not for PowerShell, so a crafted entry name escapes the string context and runs attacker-supplied commands with the privileges of the user who merely opened or viewed the archive. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; risk is bounded to Windows/PowerShell-fallback deployments and requires user interaction.

Command Injection Vim Red Hat Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-12844 HIGH PATCH This Week

List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer. Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.

Memory Corruption Buffer Overflow List Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57454 MEDIUM PATCH This Month

Out-of-bounds heap read in Vim 9.2.0320-9.2.0678 allows a crafted undo or swap file to disclose adjacent heap memory or crash the editor when a victim opens it. The flaw resides in the text property (textprop) subsystem: a maliciously encoded virtual-text property with an oversized tp_text_offset is converted directly to a heap pointer without bounds validation in both the undo-restoration path (um_goto_line) and the display path (get_text_props). The CVSS 4.0 score of 6.8 (Medium) reflects local-only exploitation requiring active user interaction; no public exploit is confirmed at time of analysis, though the fix commit includes detailed test scaffolding constituting a near-complete attack blueprint.

Buffer Overflow Information Disclosure Vim Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-57455 MEDIUM PATCH This Month

Stack out-of-bounds write in Vim's spell_soundfold_sofo() function (src/spell.c) allows local exploitation when a SOFO-based spell language is active and the soundfold path is triggered with a word exceeding MAXWLEN (254) bytes, corrupting the call frame and crashing the editor with theoretical code execution potential. All Vim releases prior to 9.2.0698 carrying the single-byte SOFO branch are affected; the vendor has released a confirmed fix at v9.2.0698. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 E:U supplemental metric confirms exploitation remains unproven at time of analysis.

Memory Corruption Buffer Overflow Vim Suse
NVD GitHub
CVSS 4.0
4.0
EPSS
0.1%
CVE-2026-57456 HIGH PATCH This Week

Arbitrary Python code execution in Vim before 9.2.0699 occurs when a victim triggers Python omni-completion (omnifunc) inside a malicious buffer; the python3complete.vim and legacy pythoncomplete.vim runtime plugins reconstruct in-buffer function and class definitions and run them through Python's exec(), inserting each scope's docstring verbatim between triple quotes. Because the docstring is never escaped, a crafted docstring can close the triple-quoted literal and inject attacker-controlled Python that runs with the user's privileges. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a regression test bundled with the fix demonstrates the breakout, confirming exploitability; EPSS data was not provided.

Code Injection Python RCE Vim Suse
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-57235 Ruby MEDIUM PATCH This Month

Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a large negative integer index to bypass a 32-bit-truncated bounds check and trigger a read outside the node set's allocated memory. On CRuby (MRI Ruby), this typically crashes the process - denial of service - with ancillary potential for heap memory disclosure; on JRuby, the runtime's managed memory prevents memory corruption, but an incorrect node is silently returned. No public exploit or active exploitation has been identified; exploitation requires the target application to forward attacker-controlled integers directly to the `NodeSet#[]` or `#slice` API.

Buffer Overflow Information Disclosure Nokogiri Suse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-42389 MEDIUM PATCH This Month

DNS response manipulation in PowerDNS Recursor 5.4.x allows network-positioned attackers to inject false DNS records through insufficient validation of answers received from authoritative servers, resulting in low-integrity violations in name resolution for downstream clients. The 5.4.x branch received hardening patches per PowerDNS advisory 2026-08 to close this validation gap. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Recursor Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-40211 MEDIUM PATCH This Month

Denial of service in PowerDNS dnsdist's DNS over HTTP/3 (DoH3) handler allows unauthenticated remote attackers to exhaust server memory by opening high volumes of concurrent QUIC streams carrying crafted queries. Each crafted query triggers an exception that defers buffer deallocation until QUIC connection teardown rather than releasing memory promptly, enabling cumulative memory exhaustion across simultaneous streams. No public exploit code or active exploitation has been identified at time of analysis, and the attack surface is limited to instances with DoH3 explicitly enabled.

Denial Of Service Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-40210 MEDIUM PATCH This Month

dnsdist's SetMacAddrAction handler exposes operators to uninitialized memory leakage in DNS responses and potential service crashes when the action is configured in the ruleset. The flaw is reachable over the network without authentication (AV:N/PR:N), but the high attack complexity (AC:H) constrains real-world impact to deployments that have explicitly enabled SetMacAddrAction - a non-default configuration. No public exploit code exists and no CISA KEV listing is present at time of analysis; the PowerDNS security team (Open-Xchange) reported this internally, suggesting responsible disclosure rather than observed active exploitation.

Buffer Overflow Suse
NVD VulDB
CVSS 3.1
4.8
EPSS
0.3%
CVE-2026-40209 MEDIUM PATCH This Month

TCP connection resource leak in PowerDNS dnsdist allows remote unauthenticated attackers to exhaust backend TCP connection capacity by sending IXFR (Incremental Zone Transfer) queries. Affected dnsdist instances fail to promptly release outgoing TCP connections to backends after IXFR processing, leaving them open until OS-level timeout; under sustained query volume this can exhaust the backend's concurrent connection limit or the dnsdist process's file descriptor table. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the AV:N/AC:L/PR:N attack surface makes the trigger trivially automatable from the internet.

Denial Of Service Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-33612 HIGH PATCH This Week

Cache poisoning in PowerDNS Recursor allows a malicious or compromised authoritative DNS server to inject forged records by returning a crafted zone that the resolver ingests through its ZoneToCache feature. Because the poisoned data lands in the shared recursor cache, all downstream clients can be served attacker-controlled answers, enabling traffic redirection and spoofing. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 7.5 (high) rating reflects high integrity impact with a scope change but high attack complexity.

Information Disclosure Suse
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-52690 MEDIUM PATCH This Month

DNSSEC validation in PowerDNS Recursor can be silently undermined by network-positioned attackers who spoof DNS replies to trick the Recursor into permanently marking a legitimate authoritative server's IP as EDNS-incapable. Once that state is poisoned, the Recursor is unable to perform proper DNSSEC validation for any zones served by that authoritative server, effectively disabling a critical security layer for downstream clients. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the attack complexity is rated High due to the spoofing prerequisite.

Recursor Authentication Bypass Suse
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2026-42390 MEDIUM PATCH This Month

ZONEMD validation bypass in PowerDNS Recursor allows a cryptographically invalid DNS zone to be accepted as legitimate when ZoneToCache is configured with ZONEMD validation enabled. This undermines the integrity guarantee that ZONEMD is designed to provide - an attacker capable of serving a crafted zone to the resolver (e.g., via a rogue authoritative source or network interception) can cause the recursor to cache and serve tampered DNS data. No public exploit code has been identified and exploitation is not confirmed in CISA KEV; real-world risk is constrained by the non-default configuration prerequisite.

Information Disclosure Recursor Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-42388 MEDIUM PATCH This Month

PowerDNS Recursor crashes when processing a malformed SOA record within a catalog zone, resulting in a denial of service for all DNS resolution handled by the affected instance. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network-reachable unauthenticated exploitation, but high attack complexity reflects the non-default catalog zone configuration required. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Recursor Suse
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2026-42387 MEDIUM PATCH This Month

PowerDNS Recursor crashes when a malicious authoritative DNS server serves a crafted zone via the ZoneToCache function, exploiting insufficient input validation to cause a denial of service. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms this is a remotely triggerable availability-only impact, though high attack complexity reflects the prerequisite of controlling or compromising an authoritative name server in the resolution path. No public exploit code has been identified at time of analysis, and no KEV listing exists, but the impact on DNS infrastructure availability makes this a meaningful operational risk for affected deployments.

Denial Of Service Recursor Suse
NVD VulDB
CVSS 3.1
5.9
EPSS
0.4%
CVE-2026-40012 MEDIUM PATCH This Month

Improper packet cache handling in PowerDNS Recursor causes ECS zero-scoped DNS answers to be stored in the cache when they should be discarded or handled as global entries, creating an information disclosure pathway. All Recursor versions (cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*) are affected, but only deployments with EDNS Client Subnet (ECS) explicitly enabled are exposed. The CVSS score of 5.3 with a network vector and no required privileges reflects that any DNS client can trigger the improper caching behavior, though real-world impact is bounded by the non-default ECS configuration requirement. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Recursor Suse
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-42005 MEDIUM PATCH This Month

PowerDNS Authoritative Server's optional internal web server accepts crafted HTTP requests that trigger unbounded memory allocation, exhausting process memory and causing a denial of service against the DNS service. Exploitation requires low-privilege authentication (PR:L per CVSS vector) and the internal web server must be explicitly enabled - it is disabled by default, sharply limiting the real-world attack surface. No public exploit code has been identified and this vulnerability is not listed in CISA KEV.

Denial Of Service Authoritative Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.5%
CVE-2026-12490 HIGH PATCH This Week

Zone-transfer authentication bypass in NLnet Labs NSD allows unauthorized secondaries to obtain full zone contents without presenting the required TLS client certificate. Although a provide-xfr rule specifies a tls-auth-name (mandating client-certificate authentication), NSD only enforces this on the dedicated tls-auth-port; requests arriving over plain TCP on the regular port or over TLS on the regular tls-port are served when the remaining provide-xfr conditions match, defeating mutual-TLS access control. Reported by NLnet Labs with CVSS 4.0 8.2; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Nsd Red Hat Suse
NVD VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-12246 HIGH PATCH This Week

Stack buffer overflow in NSD 4.14.0 (NLnet Labs authoritative DNS server) allows a party able to introduce zone data to overwrite up to 111 attacker-controlled bytes on the stack when a specially crafted APL resource record - carrying an adflength larger than the address family permits - is serialized as the zone is written to disk. Per the CVSS 4.0 vector (PR:L), exploitation requires low privileges and yields high integrity and availability impact, consistent with memory corruption leading to crash or potential code execution. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Nsd Red Hat Suse
NVD VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-12245 HIGH PATCH This Week

Remote denial-of-service in NLnet Labs NSD (authoritative DNS name server) version 4.13.0 and later allows an unauthenticated attacker to crash the server process by exploiting a heap use-after-free in the TLS error-logging path. By sending a DNS query over a DNS-over-TLS (DoT) connection and closing the socket before reading the response, an attacker triggers the freed-memory access trivially; no public exploit identified at time of analysis, and the issue is not in CISA KEV. The CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity exposure.

Memory Corruption Denial Of Service Use After Free Nsd Red Hat +1
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-12244 HIGH PATCH This Week

Heap overflow in NLnet Labs NSD allows a malicious or compromised zone primary to corrupt memory on a secondary (slave) NSD instance by sending an AXFR transfer containing a crafted SVCB resource record. An rdata size of 65512 causes a uint16_t length variable used for RR allocation to wrap (total size exceeds 65535), producing an undersized buffer and a controlled out-of-bounds write of up to 65509 bytes - an RCE-class primitive (CWE-190 integer overflow leading to heap overflow). No public exploit identified at time of analysis, but the controlled write and remote network vector (CVSS 4.0 base 8.7) make this a high-priority patch for any operator running NSD as a secondary.

Integer Overflow Denial Of Service Nsd Red Hat Suse
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-13311 HIGH This Week

Denial of service in the shell-quote Node.js library (versions prior to 1.8.5) lets remote attackers stall the single-threaded event loop by passing an attacker-controlled string into any code path that calls parse(). The flaw is purely algorithmic - parse() builds its token list with Array.prototype.concat as a reduce accumulator, giving O(n^2) behavior so even a small payload of plain space-separated words causes disproportionate CPU consumption. There is no public exploit identified at time of analysis and no KEV listing; impact is to availability only with no code execution or data disclosure despite the misleading 'RCE' source tag.

Node.js Denial Of Service RCE Shell Quote Red Hat +1
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-42450 HIGH PATCH This Week

Stack buffer overflow in OpenColorIO's .spi3d LUT parser allows a crafted color-lookup file to corrupt memory in any application that loads it. The flaw in FileFormatSpi3D.cpp reads attacker-controlled data from a 4096-byte line into 64-byte stack buffers via unbounded sscanf %s, permitting an overflow of roughly 4000 bytes on non-Windows platforms. It affects all OCIO 1.x and 2.x releases prior to 2.5.2 and, while no public exploit has been identified, the same unsafe pattern was found across the .spi3d, .spi1d, .cube, and .lut parsers.

Microsoft Buffer Overflow Opencolorio Suse
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-56370 NuGet MEDIUM PATCH This Month

Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.

Denial Of Service RCE Buffer Overflow Information Disclosure Imagemagick +2
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56368 NuGet MEDIUM PATCH This Month

Memory exhaustion via unfreed heap allocations in ImageMagick before 7.1.2-15 enables remote denial of service against services that process untrusted images through the affected raw-pixel-data coders. The flaw (CWE-401) causes 160-byte objects to accumulate on the heap with each crafted image processed, progressively starving the host process of memory. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 6.3 reflects network reachability offset by high attack complexity and partial attack requirements, limiting realistic mass exploitation.

Denial Of Service Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-9539 MEDIUM PATCH This Month

Out-of-bounds heap read and integer underflow in libslirp's TCP urgent data handler (sosendoob) exposes gigabytes of host process heap memory to a privileged guest VM attacker. All libslirp releases before v4.9.2, as embedded in hypervisors such as QEMU, are affected when guest workloads hold root or CAP_NET_RAW privileges. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the cross-VM-boundary scope change (S:C) and high confidentiality impact make this a material risk in multi-tenant or shared virtualization environments.

Buffer Overflow Information Disclosure Libslirp Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-48496 Go MEDIUM PATCH GHSA This Month

Permanent denial of service in opentelemetry-ebpf-profiler versions 0.0.202527 through 0.0.202621 allows any unprivileged co-located process to halt the agent's ELF analysis goroutine by placing a FIFO or special file at a path the profiler will attempt to open via openat2. Once blocked, the processPIDEvents goroutine never recovers, rendering the profiling agent inoperable for the lifetime of the process. No public exploit has been identified at time of analysis; impact is strictly confined to availability of the profiling agent with no data exposure or privilege escalation possible.

Denial Of Service Suse
NVD GitHub
CVSS 3.1
6.2
CVE-2026-11972 HIGH PATCH This Week

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted tar archive opened in streaming mode (mode='r|'). The seek() routine fails to detect EOF and keeps requesting bufsize reads of empty data when a TarInfo header declares a size far larger than the actual stream, exhausting CPU on any Python service that parses untrusted tar streams. No public exploit identified at time of analysis, but the upstream fix and a reproducer test case are both published on GitHub.

Denial Of Service Cpython Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-54514 Maven MEDIUM PATCH GHSA This Month

Eager DNS resolution during InetSocketAddress deserialization in jackson-databind (versions 2.0.0 through pre-fix releases across the 2.18, 2.21, and 3.x lines) allows any attacker who can supply untrusted JSON to an affected endpoint to force outbound DNS lookups for attacker-chosen hostnames at readValue() time - before application validation or connect logic can intervene. This DNS-based SSRF (CWE-918) enables internal resolver probing, network topology enumeration, and DNS out-of-band interaction signals against applications that deserialize untrusted JSON into types containing InetSocketAddress fields. No public exploit code and no CISA KEV listing have been identified at time of analysis; EPSS data was not available in the provided intelligence sources.

SSRF Deserialization Jackson Databind Suse
NVD GitHub HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-54512 Maven HIGH POC PATCH GHSA This Week

PolymorphicTypeValidator bypass in jackson-databind versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 allows attackers controlling JSON type identifiers to smuggle denied gadget classes through allow-listed generic containers, leading to arbitrary class instantiation and potential remote code execution. The flaw stems from DatabindContext._resolveAndValidateGeneric() validating only the raw container class name while skipping all nested generic type arguments. No public exploit identified at time of analysis, but the GHSA advisory includes a proof-of-concept configuration and payload structure.

Canonical Deserialization Jackson Databind Suse
NVD GitHub HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-53925 PyPI HIGH PATCH GHSA This Week

Arbitrary file write and command execution in Glances (Python system monitoring tool) versions 4.0.8 through 4.5.4 allows attackers with the ability to modify glances.conf to abuse shell-like operators (`>`, `|`, `&&`) interpreted by the `secure_popen()` function inside AMP module command configuration. The flaw bypasses the `--disable-config-exec` mitigation introduced for CVE-2026-33641, since that flag only blocks backtick execution in `config.get_value()` and not operator parsing in `secure_popen()`. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-3vwc-qwhc-3mj7), but no public exploit identified in active campaigns at time of analysis.

Python Path Traversal Suse
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-0864 MEDIUM PATCH This Month

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via configparser.write() to smuggle arbitrary keys and values into the resulting INI-style configuration file by embedding carriage return (\r) characters. All CPython versions are listed as affected per the NVD CPE wildcard, and any Python application that writes attacker-influenced data to config files via configparser is a candidate target. No public exploit has been identified at time of analysis; CVSS 4.0 scores this at 4.1 (Medium) with high privilege requirements and specific attack conditions.

Code Injection Cpython Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
4.1
EPSS
0.1%
CVE-2026-55556 CRITICAL PATCH Act Now

Heap overflow in rsyslog's contributed imhttp module allows remote unauthenticated clients to corrupt the rsyslog process heap by sending an oversized HTTP Basic Authentication header. The root cause is a one-character typo - `calloc(0, len)` instead of `calloc(1, len)` - which allocates zero or minimal bytes before the Base64 decoder writes up to `len` bytes into the buffer. The practical expected impact is denial of service (rsyslog process crash); remote code execution is theoretically possible but depends on heap allocator behavior, compiler hardening, and platform. No public exploit identified at time of analysis, and the vulnerability is not in CISA KEV.

Buffer Overflow Denial Of Service Suse
NVD GitHub
CVE-2026-56376 NuGet MEDIUM PATCH This Month

Heap use-after-free in ImageMagick's meta coder allows remote attackers to crash the process by submitting a specially crafted image file that triggers a memory allocation failure, causing a single byte write to a stale (freed) pointer. Affected versions are ImageMagick before 7.1.2-15 and 6.9.13-40, as well as Magick.NET NuGet wrapper packages before 14.10.3. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that reliable exploitation requires specific memory allocation failure conditions rather than straightforward request-and-crash triggering.

Use After Free Denial Of Service Memory Corruption Imagemagick Red Hat +1
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-48487 PyPI MEDIUM PATCH GHSA This Month

Cache poisoning in python-zeroconf before 0.149.16 allows any unauthenticated adjacent-network attacker to inject attacker-controlled DNS records into the local mDNS cache by multicasting a single crafted UDP packet on port 5353. The parser in `_read_character_string` and `_read_string` advanced its offset by a caller-declared length without validating it against the actual packet buffer size; Python's silent slice truncation meant over-advertised records were accepted and committed to `DNSCache` and `ServiceInfo` intact. The vendor manually downgraded severity to low, noting no RCE or OOM risk, but characterizes this as a building block for higher-impact chains in downstream consumers such as Home Assistant. No public exploit code has been identified and the vulnerability is not in CISA KEV.

Python Information Disclosure Suse
NVD GitHub
CVSS 3.1
6.5
CVE-2026-46611 PyPI MEDIUM PATCH GHSA This Month

DNS rebinding against the Glances XML-RPC server (`glances -s`) allows a network-adjacent or remote attacker to exfiltrate the full system monitoring dataset - including process command lines that routinely contain secrets - from a victim's browser without any authentication. The `GlancesXMLRPCHandler` in `glances/server.py` accepts arbitrary HTTP `Host` headers without validation, an omission that persists while the REST/WebUI server received an equivalent fix (TrustedHostMiddleware, v4.5.2) and the MCP server was protected since v4.5.1. No active exploitation is confirmed (not in CISA KEV), but a detailed proof-of-concept is published in the vendor's GitHub security advisory GHSA-w856-8p3r-p338 and the attack is materially amplified by the companion CORS wildcard issue CVE-2026-46608.

Kubernetes Docker RCE Python Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-46608 PyPI HIGH PATCH GHSA This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python Authentication Bypass Kubernetes +1
NVD GitHub
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-46607 PyPI HIGH PATCH GHSA This Week

Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.

Docker Python Privilege Escalation RCE Deserialization +1
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-46606 PyPI HIGH PATCH GHSA This Week

Local privilege escalation via command injection in Glances 4.5.5_dev1 and earlier allows users with libvirt domain-creation rights to execute arbitrary commands as the Glances process owner (typically root on hypervisor hosts). The flaw lives in the KVM/QEMU monitoring plugin, where VM domain names parsed from `virsh list --all` are interpolated into command strings handled by `secure_popen()`, which intentionally treats `&&`, `|`, and `>` as control operators. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA-v5r2-qh84-fjx5 advisory.

Command Injection Ubuntu Debian RCE Python +1
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-54651 PyPI MEDIUM POC PATCH GHSA This Month

Infinite loop denial-of-service in pypdf prior to 6.13.1 allows an attacker to hang any process that merges a crafted PDF containing cyclic article/thread structures. The vulnerability exists in the `_add_articles_thread()` method of `_writer.py`, which traversed PDF article bead linked-list structures without cycle detection, permitting a self-referential `/N` (Next) pointer chain to create an irrecoverable loop. No public exploit code or CISA KEV listing exists at time of analysis, but the upstream PR diff publicly discloses the precise triggering structure, lowering the bar for exploitation against vulnerable merge pipelines.

Denial Of Service Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-41046 HIGH PATCH This Week

Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.

Path Traversal Denial Of Service Qsnapper Suse
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-56412 MEDIUM PATCH This Month

Use-after-free in libexpat before 2.8.2 arises from the `doCdataSection` function omitting `beforeHandler`/`afterHandler` depth-tracking calls for `XML_TOK_DATA_CHARS` tokens during CDATA section parsing - an incomplete fix for the related CVE-2026-50219. When a policy violation occurs during handler callback invocation in this code path, the parser's internal call-depth counter becomes inconsistent, enabling a use-after-free condition. An attacker supplying specially crafted XML to any libexpat-consuming application may trigger limited memory corruption, information disclosure, or availability impact under high-complexity conditions; no public exploit is identified at time of analysis and no CISA KEV listing exists.

Information Disclosure Use After Free Memory Corruption Libexpat Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-56411 MEDIUM PATCH This Month

Integer overflow in the xmlwf utility bundled with libexpat before 2.8.2 enables heap corruption via XML documents containing an excessive number of NOTATION declarations in a DOCTYPE block. The flaw in endDoctypeDecl allows a crafted XML file to wrap a signed integer counter, producing an undersized heap allocation that can be overflowed with high confidentiality and integrity impact. No confirmed active exploitation (not in CISA KEV) and no public exploit code have been identified at time of analysis; vendor-released patch is available in libexpat 2.8.2.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56410 MEDIUM PATCH This Month

Integer overflow in libexpat's xmlwf tool allows an attacker supplying a crafted XML file with an excessively long DOCTYPE system identifier to trigger a heap buffer overflow via the resolveSystemId function. All libexpat versions before 2.8.2 are affected; the root cause is an unchecked size_t arithmetic operation - both the addition of string lengths and the subsequent multiplication by sizeof(XML_Char) - before a malloc call. No public exploit has been identified at time of analysis, and exploitation requires local access under high-complexity conditions per the CVSS:3.1/AV:L/AC:H vector.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56409 MEDIUM PATCH This Month

Integer overflow in the `xmlwf` command-line utility bundled with libexpat before 2.8.2 allows heap buffer overflow when the `-d outputDir` flag is used with extremely long path values. The overflow occurs during malloc size calculation - `(tcslen(outputDir) + tcslen(file) + 2) * sizeof(XML_Char)` - wrapping the size_t to a near-zero value, causing an undersized allocation followed by out-of-bounds write during filename construction. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the heap overflow primitive is well-understood and could yield code execution in automated XML processing pipelines.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-56408 MEDIUM PATCH This Month

Integer overflow in libexpat's copyString function (xmlparse.c) allows heap buffer overflow when processing specially crafted XML input, affecting all libexpat versions before 2.8.2. The missing bounds check on a size multiplication permits an attacker-controlled string length to wrap around SIZE_MAX, producing an undersized heap allocation that is subsequently overwritten - enabling potential memory corruption, arbitrary code execution, or data disclosure in any application consuming the library. No public exploit has been identified at time of analysis; a vendor-released patch is available in libexpat 2.8.2.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56407 MEDIUM PATCH This Month

Integer overflow in libexpat before 2.8.2 allows heap corruption during XML prolog parsing when accumulated entity value pool length exceeds INT_MAX, yielding high confidentiality and integrity impact per CVSS. The flaw resides in doProlog and the related storeSelfEntityValue path, where poolLength() return values are cast to signed integers without bounds validation - a gap closed in the upstream fix via explicit INT_MAX guards. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the widespread use of libexpat as a dependency across system tools, language runtimes, and XML-processing services means the blast radius of a weaponized exploit would be broad.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56406 MEDIUM PATCH This Month

Integer overflow in libexpat's XML_ParseBuffer function allows potential heap corruption leading to high-confidentiality and high-integrity impact in all libexpat versions before 2.8.2. The overflow occurs because XML_ParseBuffer lacked a bounds check on the byte index accumulator that was already present in the sibling XML_Parse function - a defensive guard omitted asymmetrically between two code paths. Any application that routes XML input through XML_ParseBuffer (a common pattern in incremental parsing) is exposed. No public exploit has been identified at time of analysis and no KEV listing exists, but the high C and I CVSS impact ratings reflect the potential for code execution via heap corruption.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56405 MEDIUM PATCH This Month

Integer overflow in libexpat's getAttributeId routine exposes any application embedding libexpat before version 2.8.2 to memory corruption with high confidentiality and integrity impact when parsing specially crafted XML documents. The flaw occurs when an internal counter traversing the attribute ID table reaches INT_MAX and wraps, producing an invalid index that can corrupt adjacent heap memory. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, but a vendor-released patch is available in libexpat 2.8.2 and upgrade is the recommended remediation.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56404 MEDIUM PATCH This Month

Integer overflow in libexpat's addBinding function (xmlparse.c) before version 2.8.2 allows memory corruption during XML namespace binding processing, with high confidentiality and integrity impact. All libexpat releases from 0 through 2.8.2-pre are affected (CPE: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*), encompassing a significant downstream attack surface given the library's widespread use in Python, PHP, and system utilities. No public exploit or active exploitation has been confirmed at time of analysis; the official CVSS 3.1 score of 6.9 reflects meaningful impact tempered by high attack complexity and a local attack vector.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56403 MEDIUM PATCH This Month

Integer overflow in libexpat's storeAtts() function before version 2.8.2 allows heap buffer corruption during XML namespace attribute processing. When an XML document contains namespace-qualified attributes whose prefix name or local-part name approaches or exceeds INT_MAX bytes, the combined expanded-name length calculation wraps to a small integer, causing allocation of an undersized heap buffer followed by an out-of-bounds write during the memcpy phase. The vendor CVSS scores this 6.9 with High confidentiality and integrity impact; no public exploit has been identified at time of analysis and the CVE is not listed in the CISA KEV catalog.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56367 NuGet MEDIUM PATCH This Month

Integer overflow in ImageMagick's PSB/PSD v2 RLE decoder (ReadPSDChannelRLE in coders/psd.c) causes a heap out-of-bounds read exclusively on 32-bit builds, enabling information disclosure or process crash when processing attacker-controlled PSB files. Affected versions span ImageMagick below 7.1.2-15 and 6.9.x below 6.9.13-40, with corresponding Magick.NET NuGet packages below 14.10.3 also confirmed vulnerable. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that exploitation is constrained to 32-bit deployments processing untrusted PSB input.

Information Disclosure Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on macOS before 150.0.7871.47 stems from a use-after-free in the browser's Bluetooth component, letting a remote attacker who lures a user into specific UI gestures on a crafted HTML page corrupt memory and break out of the renderer sandbox. Rated Critical by Chromium and CVSS 9.6, though no public exploit has been identified and EPSS is low (0.22%, 13th percentile). A vendor fix is available and CISA SSVC currently marks exploitation as 'none'.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and performing specific UI gestures, potentially achieving code execution in the renderer/browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction. No public exploit identified at time of analysis, and EPSS is low (0.22%, 13th percentile); SSVC lists exploitation as none but technical impact as total.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework, fixed in 150.0.7871.47, lets a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page trigger heap corruption and potentially achieve code execution in the browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.22%.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Chromium rates the underlying use-after-free as Critical, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%). A vendor patch is available and the flaw is a classic second-stage chain component rather than a standalone entry point.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, achieving high-impact code execution across the security boundary (scope change). Rated Critical by Chromium and CVSS 9.6, but no public exploit is identified at time of analysis and EPSS is low (0.22%, 13th percentile). SSVC lists exploitation status as none, indicating no observed active exploitation.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component before version 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the browser sandbox and execute code in a higher-privilege context via a crafted HTML page. Google rates the Chromium security severity as Critical (CVSS 9.6), though this is a second-stage bug requiring a prior renderer compromise. A vendor patch is available; no public exploit has been identified at time of analysis and EPSS exploitation probability is low (0.22%).

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Google Chrome on ChromeOS (versions prior to 150.0.7871.47) stems from a use-after-free in the Chromoting (Chrome Remote Desktop) component, letting a remote attacker corrupt memory and execute arbitrary code through malicious network traffic. Google rates the Chromium severity as Critical, and CVSS scores it 8.1 with a high attack complexity. As of this analysis there is no public exploit identified and it is not listed in CISA KEV; EPSS is low at 0.24% (15th percentile), and SSVC records exploitation status as none.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local arbitrary code execution in Google Chrome for macOS (versions prior to 150.0.7871.47) stems from a use-after-free in the WebUSB implementation, which Chromium rates Critical. A local attacker who can present a malicious USB peripheral to a victim who authorizes it can corrupt renderer memory and run attacker-controlled code within the browser's context. There is no public exploit identified at time of analysis, and EPSS is low (0.16%, 5th percentile), reflecting limited likelihood of widespread opportunistic exploitation.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in the iOSWeb component of Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption with high confidentiality, integrity, and availability impact. Chromium rated the underlying issue Critical severity, though the CVSS base score is 8.8 because exploitation requires user interaction (visiting a page). There is no public exploit identified at time of analysis, it is not on CISA KEV, and the EPSS probability is low at 0.21%.

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Sandbox escape via type confusion in Google Chrome's Dawn WebGPU implementation allows an attacker who already controls a compromised renderer process to break out of the browser sandbox using a crafted HTML page, affecting all Chrome desktop builds prior to 150.0.7871.47. Rated Critical by Chromium and CVSS 9.8, though the score assumes no prior privilege; realistically it is the second stage of an exploit chain. A vendor patch is available and no public exploit has been identified at time of analysis (EPSS 0.24%, 15th percentile).

Memory Corruption Information Disclosure Google +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop prior to 150.0.7871.47 stems from a use-after-free in the GPU process, letting a remote attacker who has already compromised the renderer break out of the browser sandbox via a crafted HTML page. Google rates the Chromium severity as Critical, and a fix is available in the Stable channel update. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.22% (13th percentile).

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Arbitrary code execution in Google Chrome desktop versions prior to 150.0.7871.47 stems from a use-after-free flaw in the Extensions component, which Chromium rated Critical severity. An attacker who convinces a victim to install a malicious extension can trigger the dangling-pointer condition through a crafted extension to run arbitrary code in the affected process. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and CISA/SSVC records no observed exploitation.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

### Summary Responsibly disclosed by @NSEcho. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Red Hat Suse
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

### Impact Shovel and Federation plugins perform URI obfuscation in their worker (link) state. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Google Information Disclosure Red Hat +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Memory-corruption weaknesses in Mozilla Firefox 152.0.3 could allow remote attackers to potentially execute arbitrary code within the browser process. Mozilla graded the collected memory-safety bugs as critical (MFSA2026-62) and states some showed evidence of memory corruption that, with sufficient effort, could be exploited for code execution; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile). The issue is resolved in Firefox 152.0.4.

Memory Corruption Mozilla Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

{}' brace groups to the expand() function, whose recursion is exponential in the number of such groups. Because brace-expansion is a near-ubiquitous transitive dependency (notably via minimatch/glob), any application that feeds untrusted input to expand() directly or indirectly is exposed. No public exploit was identified at time of analysis, though the CVSS 4.0 threat metric (E:P) indicates proof-of-concept maturity; the issue is not in CISA KEV.

Denial Of Service Brace Expansion Red Hat +1
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Use-after-free in the SSSD PAM responder crashes the authentication daemon when a local attacker manipulates YubiKey or smartcard contents during an authentication attempt on Red Hat Enterprise Linux 6 through 10. The primary realized impact is a denial of service - the PAM responder crash disrupts all authentication - but the underlying memory corruption also presents a difficult-to-exploit privilege escalation path. No public exploit code exists at time of analysis, and the CVSS vector (AV:L/AC:H/PR:H) reflects a tightly constrained local attack requiring high privileges and significant complexity, limiting realistic blast radius to insider-threat and physical-access scenarios.

Privilege Escalation Denial Of Service Red Hat Enterprise Linux 10 +8
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in libarchive's RAR5 reader allows remote attackers to crash applications that decompress untrusted RAR5 archives via a double-free (CWE-415) of the stale filtered_buf pointer. Reported by Red Hat and affecting libarchive as shipped across Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images, the flaw is triggered purely by parsing a malicious archive entry. No public exploit has been identified and the issue is not in CISA KEV; impact is limited to availability (CVSS 7.5, A:H only) with no code execution or data exposure claimed.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +7
NVD GitHub VulDB
MEDIUM PATCH This Month

Insufficient data exists to characterize CVE-2026-13606. The sole intelligence signal is a vendor report attributed to Ubuntu, indicating this vulnerability affects a package or component within the Ubuntu ecosystem. No description, CVSS score, vector, CWE classification, or additional references are available - a complete technical characterization is not possible from the provided data.

Information Disclosure Red Hat Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away. The minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace.

Information Disclosure Css Suse
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Heap use-after-free read in libblkid (util-linux) enables unauthenticated local attackers to crash udisks or leak root-process heap data by presenting a crafted block device image during nested partition probing. BSD, Minix, Solaris x86, and UnixWare partition table parsers cache raw pointers into a dynamically allocated partition array; when subsequent partition additions trigger array reallocation, those pointers become stale and dereference freed memory. Because udev and udisks invoke libblkid automatically as root on block-device hot-plug events, USB insertion alone is sufficient to trigger the flaw without any user interaction or authentication. No public exploit identified at time of analysis.

Memory Corruption Denial Of Service Use After Free +9
NVD GitHub VulDB
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Path traversal in ANTLR4 up to 4.13.2 exposes arbitrary file read via the tokenVocab grammar option handler. The vulnerable function getImportedVocabFile in TokenVocabParser.java fails to sanitize user-controlled grammar option values, allowing an attacker to supply a crafted .g4 grammar file that causes the tool to read files outside the intended working directory. A publicly available proof-of-concept exploit exists (GitHub issue reference), and no vendor patch has been released - the vendor did not respond to disclosure. No active exploitation is confirmed in CISA KEV, but the CVSS 4.0 E:P flag confirms exploit code is public.

Java Path Traversal Antlr4 +2
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.

Code Injection Java RCE +3
NVD VulDB GitHub
CVSS 4.8
MEDIUM PATCH This Month

Apptainer's `limit container paths` security directive in setuid mode fails to enforce path boundaries correctly because it uses string prefix matching rather than full path-component comparison, allowing local users to run containers from sibling directories whose names begin with an allowed path string. A system configured to allow only `/data/safe` will inadvertently also permit `/data/safe-but-unsafe` or any other path sharing that prefix. This affects only installations running Apptainer in setuid mode with the `limit container paths` directive explicitly configured; no public exploit has been identified at time of analysis, and the vendor-confirmed fix is available in version 1.5.1.

Path Traversal Suse
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Network annotation injection in KubeVirt's VirtualMachineInstance API allows authenticated tenants to attach launcher pods to arbitrary network namespaces by writing unsanitized JSON into the Multus CNI default-network annotation. Exploitation is gated on the ExternalNetResourceInjection Beta feature gate being explicitly enabled by a cluster-admin (off by default, first available in OpenShift Virtualization 4.21), which intentionally bypasses the NAD namespace lookup that would otherwise reject malformed annotation values. A successful attack permits cross-namespace network attachment and IP/MAC address impersonation on segments normally segregated from tenant workloads; no public exploit has been identified at time of analysis.

Code Injection Red Hat Openshift Virtualization 4 Suse
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Client-side memory-safety failure in libnfs (through 6.0.2, fixed by commit f0b109d/935b8db) lets a malicious or compromised NFS server trigger an unsigned integer underflow in the RPC record-marker handling of rpc_read_from_socket(). When a victim application using libnfs connects to a crafted server, the server can supply a record marker whose declared xid/pdu length is smaller than the size libnfs expects to read, wrapping the length value and driving an oversized READ_IOVEC read with corresponding heap memory disclosure or corruption. There is no public exploit identified at time of analysis and it is not in CISA KEV; exploitation requires the victim to initiate a connection to an attacker-controlled NFS endpoint.

Integer Overflow Information Disclosure Libnfs +1
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting in jupyter/nbconvert versions 7.17.0 and earlier allows any user with notebook write access to inject and execute arbitrary JavaScript in the browsers of users who view HTML-exported notebooks. The flaw stems from the `data_mermaid` rendering block in `share/templates/lab/base.html.j2`, which outputs `text/vnd.mermaid` cell content directly into HTML without escaping, enabling tag breakout from the enclosing `<pre>` element. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the stored-XSS pattern means any user who views a maliciously crafted HTML export is at risk.

XSS Jupyter Jupyter Suse
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service +4
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Use-after-free memory corruption in Google Chrome's Payments component on Android (prior to 149.0.7827.201) enables a local attacker with physical access to the device to trigger heap corruption, yielding high impact across confidentiality, integrity, and availability. The physical-access requirement (CVSS AV:P) substantially constrains the exploitable population to scenarios such as unattended or stolen devices. No public exploit identified at time of analysis, and no CISA KEV listing exists, indicating this has not been observed in active exploitation campaigns.

Memory Corruption Denial Of Service Use After Free +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Buffer Overflow Google Suse +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Heap-based buffer overflow in the vtk-dicom library's vtkDICOMItem::NewDataElement routine allows remote attackers to corrupt heap memory and potentially achieve arbitrary code execution by supplying a maliciously crafted DICOM data element. The flaw affects vtk-dicom (a DICOM I/O module commonly paired with the Visualization Toolkit) and was reported by Cisco Talos (TALOS-2026-2366), carrying a CVSS 3.1 base score of 8.1 with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Vtk Suse
NVD VulDB
CVSS 7.5
HIGH PATCH This Week

Remote unauthenticated denial of service in Sigstore Rekor (>= 0.3.0, < 1.5.2) allows attackers to crash the transparency log server via a gzip decompression bomb in its Alpine APK parsing path. The Package.Unmarshal() function decompresses the signature and control gzip members of a submitted APK into memory without bounding total decompressed size, so a ~1000:1 compression ratio payload (e.g. 2MB compressed to 2GB) exhausts heap and triggers a fatal Go runtime OOM or OS OOM-kill that the recover() middleware cannot catch. No public exploit identified at time of analysis; it is not in CISA KEV, and the impact is availability-only (no confidentiality or integrity loss).

Denial Of Service Suse
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Unbounded resource consumption in the Rust opentelemetry_sdk's BaggagePropagator::extract_with_context allows unauthenticated remote attackers to cause elevated CPU and heap allocation overhead by sending oversized W3C baggage propagation headers to any service using versions 0.32.0 or earlier. The SDK parsed the full header content before applying storage limits, meaning attacker-supplied data was processed and then discarded - wasting resources on every malicious request. A parallel design-level gap affects the Java (GHSA-rcgg-9c38-7xpx) and Go (GHSA-mh2q-q3fh-2475) OpenTelemetry SDKs, suggesting a cross-ecosystem pattern; no public exploit or active exploitation (KEV) has been identified.

Java Denial Of Service RCE +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Decompression bomb (zip bomb) in Trivy's Helm chart scanner causes denial of service via OOM kill when processing a crafted .tgz archive. Affected versions prior to 0.71.0 use io.ReadAll without any size cap on tar entries inside Helm chart archives, allowing a small compressed file to expand to gigabytes in memory. An attacker who can place a malicious archive in any path that Trivy is directed to scan can reliably crash the Trivy process. No public exploit or CISA KEV listing at time of analysis.

Denial Of Service Trivy Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Arbitrary file write in Aqua Security's Trivy scanner (prior to 0.71.1) allows an attacker who can make Trivy fetch an attacker-controlled OCI artifact to write layer content anywhere on the host filesystem. Trivy trusts the org.opencontainers.image.title manifest annotation as the output filename without sanitization, so a crafted value containing path-traversal sequences escapes the intended download directory (CWE-22). No public exploit has been identified at time of analysis; the CVSS 4.0 score is 7.0 (high), driven by high integrity and availability impact requiring user interaction.

Path Traversal Trivy Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Stack out-of-bounds write in Vim's spell suggestion engine allows a crafted `.spl`/`.sug` file pair to corrupt the call stack and crash the editor when spell suggestions are invoked. All Vim releases prior to 9.2.0653 are affected, with the flaw in `tree_count_words()` and `sug_filltree()` inside `src/spellfile.c`, where three fixed-size MAXWLEN-element stack arrays are indexed by an unbounded depth counter. No public exploit identified at time of analysis (CVSS 4.0 E:U), though the upstream fix commit includes a detailed proof-of-concept test case reproducing the out-of-bounds write.

Memory Corruption Buffer Overflow Vim +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read in Vim's text property subsystem allows a crafted undo file to crash the editor and potentially disclose adjacent heap memory. All Vim releases prior to 9.2.0670 are affected; the vulnerability is reachable whenever a user loads a malicious undo file with the persistent-undo feature compiled in and enabled. No public exploit or CISA KEV listing exists at time of analysis, placing real-world risk in the low-to-medium range despite the local crash severity.

Buffer Overflow Information Disclosure Vim +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Vim crashes with an out-of-bounds read when opening a maliciously crafted file encrypted with the xchacha20poly1305 cipher (VimCrypt~04! or VimCrypt~05!) whose body is shorter than a libsodium secretstream header. An unsigned integer underflow in the length calculation inside crypt_sodium_buffer_decode() causes the subsequent crypto_secretstream_xchacha20poly1305_pull() call to read far past the end of the input buffer, resulting in a denial-of-service crash. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the fix commit includes a concrete reproducer test case confirming the crash path.

Buffer Overflow Information Disclosure Vim +1
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Arbitrary command execution in Vim's bundled zip plugin (autoload/zip.vim) affects builds from 9.1.1784 up to the 9.2.0678 fix on systems where the plugin falls back to PowerShell for archive operations. When browsing, reading, extracting, updating or deleting zip entries, the plugin quotes archive entry names for the shell but not for PowerShell, so a crafted entry name escapes the string context and runs attacker-supplied commands with the privileges of the user who merely opened or viewed the archive. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; risk is bounded to Windows/PowerShell-fallback deployments and requires user interaction.

Command Injection Vim Red Hat +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer. Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.

Memory Corruption Buffer Overflow List +1
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Out-of-bounds heap read in Vim 9.2.0320-9.2.0678 allows a crafted undo or swap file to disclose adjacent heap memory or crash the editor when a victim opens it. The flaw resides in the text property (textprop) subsystem: a maliciously encoded virtual-text property with an oversized tp_text_offset is converted directly to a heap pointer without bounds validation in both the undo-restoration path (um_goto_line) and the display path (get_text_props). The CVSS 4.0 score of 6.8 (Medium) reflects local-only exploitation requiring active user interaction; no public exploit is confirmed at time of analysis, though the fix commit includes detailed test scaffolding constituting a near-complete attack blueprint.

Buffer Overflow Information Disclosure Vim +2
NVD GitHub VulDB
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

Stack out-of-bounds write in Vim's spell_soundfold_sofo() function (src/spell.c) allows local exploitation when a SOFO-based spell language is active and the soundfold path is triggered with a word exceeding MAXWLEN (254) bytes, corrupting the call frame and crashing the editor with theoretical code execution potential. All Vim releases prior to 9.2.0698 carrying the single-byte SOFO branch are affected; the vendor has released a confirmed fix at v9.2.0698. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 E:U supplemental metric confirms exploitation remains unproven at time of analysis.

Memory Corruption Buffer Overflow Vim +1
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Arbitrary Python code execution in Vim before 9.2.0699 occurs when a victim triggers Python omni-completion (omnifunc) inside a malicious buffer; the python3complete.vim and legacy pythoncomplete.vim runtime plugins reconstruct in-buffer function and class definitions and run them through Python's exec(), inserting each scope's docstring verbatim between triple quotes. Because the docstring is never escaped, a crafted docstring can close the triple-quoted literal and inject attacker-controlled Python that runs with the user's privileges. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a regression test bundled with the fix demonstrates the breakout, confirming exploitability; EPSS data was not provided.

Code Injection Python RCE +2
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a large negative integer index to bypass a 32-bit-truncated bounds check and trigger a read outside the node set's allocated memory. On CRuby (MRI Ruby), this typically crashes the process - denial of service - with ancillary potential for heap memory disclosure; on JRuby, the runtime's managed memory prevents memory corruption, but an incorrect node is silently returned. No public exploit or active exploitation has been identified; exploitation requires the target application to forward attacker-controlled integers directly to the `NodeSet#[]` or `#slice` API.

Buffer Overflow Information Disclosure Nokogiri +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

DNS response manipulation in PowerDNS Recursor 5.4.x allows network-positioned attackers to inject false DNS records through insufficient validation of answers received from authoritative servers, resulting in low-integrity violations in name resolution for downstream clients. The 5.4.x branch received hardening patches per PowerDNS advisory 2026-08 to close this validation gap. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Recursor Suse
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Denial of service in PowerDNS dnsdist's DNS over HTTP/3 (DoH3) handler allows unauthenticated remote attackers to exhaust server memory by opening high volumes of concurrent QUIC streams carrying crafted queries. Each crafted query triggers an exception that defers buffer deallocation until QUIC connection teardown rather than releasing memory promptly, enabling cumulative memory exhaustion across simultaneous streams. No public exploit code or active exploitation has been identified at time of analysis, and the attack surface is limited to instances with DoH3 explicitly enabled.

Denial Of Service Suse
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

dnsdist's SetMacAddrAction handler exposes operators to uninitialized memory leakage in DNS responses and potential service crashes when the action is configured in the ruleset. The flaw is reachable over the network without authentication (AV:N/PR:N), but the high attack complexity (AC:H) constrains real-world impact to deployments that have explicitly enabled SetMacAddrAction - a non-default configuration. No public exploit code exists and no CISA KEV listing is present at time of analysis; the PowerDNS security team (Open-Xchange) reported this internally, suggesting responsible disclosure rather than observed active exploitation.

Buffer Overflow Suse
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

TCP connection resource leak in PowerDNS dnsdist allows remote unauthenticated attackers to exhaust backend TCP connection capacity by sending IXFR (Incremental Zone Transfer) queries. Affected dnsdist instances fail to promptly release outgoing TCP connections to backends after IXFR processing, leaving them open until OS-level timeout; under sustained query volume this can exhaust the backend's concurrent connection limit or the dnsdist process's file descriptor table. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the AV:N/AC:L/PR:N attack surface makes the trigger trivially automatable from the internet.

Denial Of Service Suse
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cache poisoning in PowerDNS Recursor allows a malicious or compromised authoritative DNS server to inject forged records by returning a crafted zone that the resolver ingests through its ZoneToCache feature. Because the poisoned data lands in the shared recursor cache, all downstream clients can be served attacker-controlled answers, enabling traffic redirection and spoofing. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 7.5 (high) rating reflects high integrity impact with a scope change but high attack complexity.

Information Disclosure Suse
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

DNSSEC validation in PowerDNS Recursor can be silently undermined by network-positioned attackers who spoof DNS replies to trick the Recursor into permanently marking a legitimate authoritative server's IP as EDNS-incapable. Once that state is poisoned, the Recursor is unable to perform proper DNSSEC validation for any zones served by that authoritative server, effectively disabling a critical security layer for downstream clients. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the attack complexity is rated High due to the spoofing prerequisite.

Recursor Authentication Bypass Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

ZONEMD validation bypass in PowerDNS Recursor allows a cryptographically invalid DNS zone to be accepted as legitimate when ZoneToCache is configured with ZONEMD validation enabled. This undermines the integrity guarantee that ZONEMD is designed to provide - an attacker capable of serving a crafted zone to the resolver (e.g., via a rogue authoritative source or network interception) can cause the recursor to cache and serve tampered DNS data. No public exploit code has been identified and exploitation is not confirmed in CISA KEV; real-world risk is constrained by the non-default configuration prerequisite.

Information Disclosure Recursor Suse
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

PowerDNS Recursor crashes when processing a malformed SOA record within a catalog zone, resulting in a denial of service for all DNS resolution handled by the affected instance. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network-reachable unauthenticated exploitation, but high attack complexity reflects the non-default catalog zone configuration required. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Recursor Suse
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

PowerDNS Recursor crashes when a malicious authoritative DNS server serves a crafted zone via the ZoneToCache function, exploiting insufficient input validation to cause a denial of service. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms this is a remotely triggerable availability-only impact, though high attack complexity reflects the prerequisite of controlling or compromising an authoritative name server in the resolution path. No public exploit code has been identified at time of analysis, and no KEV listing exists, but the impact on DNS infrastructure availability makes this a meaningful operational risk for affected deployments.

Denial Of Service Recursor Suse
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper packet cache handling in PowerDNS Recursor causes ECS zero-scoped DNS answers to be stored in the cache when they should be discarded or handled as global entries, creating an information disclosure pathway. All Recursor versions (cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*) are affected, but only deployments with EDNS Client Subnet (ECS) explicitly enabled are exposed. The CVSS score of 5.3 with a network vector and no required privileges reflects that any DNS client can trigger the improper caching behavior, though real-world impact is bounded by the non-default ECS configuration requirement. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Recursor Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

PowerDNS Authoritative Server's optional internal web server accepts crafted HTTP requests that trigger unbounded memory allocation, exhausting process memory and causing a denial of service against the DNS service. Exploitation requires low-privilege authentication (PR:L per CVSS vector) and the internal web server must be explicitly enabled - it is disabled by default, sharply limiting the real-world attack surface. No public exploit code has been identified and this vulnerability is not listed in CISA KEV.

Denial Of Service Authoritative Suse
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Zone-transfer authentication bypass in NLnet Labs NSD allows unauthorized secondaries to obtain full zone contents without presenting the required TLS client certificate. Although a provide-xfr rule specifies a tls-auth-name (mandating client-certificate authentication), NSD only enforces this on the dedicated tls-auth-port; requests arriving over plain TCP on the regular port or over TLS on the regular tls-port are served when the remaining provide-xfr conditions match, defeating mutual-TLS access control. Reported by NLnet Labs with CVSS 4.0 8.2; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Nsd Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Stack buffer overflow in NSD 4.14.0 (NLnet Labs authoritative DNS server) allows a party able to introduce zone data to overwrite up to 111 attacker-controlled bytes on the stack when a specially crafted APL resource record - carrying an adflength larger than the address family permits - is serialized as the zone is written to disk. Per the CVSS 4.0 vector (PR:L), exploitation requires low privileges and yields high integrity and availability impact, consistent with memory corruption leading to crash or potential code execution. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Nsd Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote denial-of-service in NLnet Labs NSD (authoritative DNS name server) version 4.13.0 and later allows an unauthenticated attacker to crash the server process by exploiting a heap use-after-free in the TLS error-logging path. By sending a DNS query over a DNS-over-TLS (DoT) connection and closing the socket before reading the response, an attacker triggers the freed-memory access trivially; no public exploit identified at time of analysis, and the issue is not in CISA KEV. The CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity exposure.

Memory Corruption Denial Of Service Use After Free +3
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Heap overflow in NLnet Labs NSD allows a malicious or compromised zone primary to corrupt memory on a secondary (slave) NSD instance by sending an AXFR transfer containing a crafted SVCB resource record. An rdata size of 65512 causes a uint16_t length variable used for RR allocation to wrap (total size exceeds 65535), producing an undersized buffer and a controlled out-of-bounds write of up to 65509 bytes - an RCE-class primitive (CWE-190 integer overflow leading to heap overflow). No public exploit identified at time of analysis, but the controlled write and remote network vector (CVSS 4.0 base 8.7) make this a high-priority patch for any operator running NSD as a secondary.

Integer Overflow Denial Of Service Nsd +2
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Denial of service in the shell-quote Node.js library (versions prior to 1.8.5) lets remote attackers stall the single-threaded event loop by passing an attacker-controlled string into any code path that calls parse(). The flaw is purely algorithmic - parse() builds its token list with Array.prototype.concat as a reduce accumulator, giving O(n^2) behavior so even a small payload of plain space-separated words causes disproportionate CPU consumption. There is no public exploit identified at time of analysis and no KEV listing; impact is to availability only with no code execution or data disclosure despite the misleading 'RCE' source tag.

Node.js Denial Of Service RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Stack buffer overflow in OpenColorIO's .spi3d LUT parser allows a crafted color-lookup file to corrupt memory in any application that loads it. The flaw in FileFormatSpi3D.cpp reads attacker-controlled data from a 4096-byte line into 64-byte stack buffers via unbounded sscanf %s, permitting an overflow of roughly 4000 bytes on non-Windows platforms. It affects all OCIO 1.x and 2.x releases prior to 2.5.2 and, while no public exploit has been identified, the same unsafe pattern was found across the .spi3d, .spi1d, .cube, and .lut parsers.

Microsoft Buffer Overflow Opencolorio +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.

Denial Of Service RCE Buffer Overflow +4
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Memory exhaustion via unfreed heap allocations in ImageMagick before 7.1.2-15 enables remote denial of service against services that process untrusted images through the affected raw-pixel-data coders. The flaw (CWE-401) causes 160-byte objects to accumulate on the heap with each crafted image processed, progressively starving the host process of memory. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 6.3 reflects network reachability offset by high attack complexity and partial attack requirements, limiting realistic mass exploitation.

Denial Of Service Imagemagick Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds heap read and integer underflow in libslirp's TCP urgent data handler (sosendoob) exposes gigabytes of host process heap memory to a privileged guest VM attacker. All libslirp releases before v4.9.2, as embedded in hypervisors such as QEMU, are affected when guest workloads hold root or CAP_NET_RAW privileges. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the cross-VM-boundary scope change (S:C) and high confidentiality impact make this a material risk in multi-tenant or shared virtualization environments.

Buffer Overflow Information Disclosure Libslirp +1
NVD VulDB
CVSS 6.2
MEDIUM PATCH This Month

Permanent denial of service in opentelemetry-ebpf-profiler versions 0.0.202527 through 0.0.202621 allows any unprivileged co-located process to halt the agent's ELF analysis goroutine by placing a FIFO or special file at a path the profiler will attempt to open via openat2. Once blocked, the processPIDEvents goroutine never recovers, rendering the profiling agent inoperable for the lifetime of the process. No public exploit has been identified at time of analysis; impact is strictly confined to availability of the profiling agent with no data exposure or privilege escalation possible.

Denial Of Service Suse
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted tar archive opened in streaming mode (mode='r|'). The seek() routine fails to detect EOF and keeps requesting bufsize reads of empty data when a TarInfo header declares a size far larger than the actual stream, exhausting CPU on any Python service that parses untrusted tar streams. No public exploit identified at time of analysis, but the upstream fix and a reproducer test case are both published on GitHub.

Denial Of Service Cpython Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Eager DNS resolution during InetSocketAddress deserialization in jackson-databind (versions 2.0.0 through pre-fix releases across the 2.18, 2.21, and 3.x lines) allows any attacker who can supply untrusted JSON to an affected endpoint to force outbound DNS lookups for attacker-chosen hostnames at readValue() time - before application validation or connect logic can intervene. This DNS-based SSRF (CWE-918) enables internal resolver probing, network topology enumeration, and DNS out-of-band interaction signals against applications that deserialize untrusted JSON into types containing InetSocketAddress fields. No public exploit code and no CISA KEV listing have been identified at time of analysis; EPSS data was not available in the provided intelligence sources.

SSRF Deserialization Jackson Databind +1
NVD GitHub HeroDevs VulDB
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

PolymorphicTypeValidator bypass in jackson-databind versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 allows attackers controlling JSON type identifiers to smuggle denied gadget classes through allow-listed generic containers, leading to arbitrary class instantiation and potential remote code execution. The flaw stems from DatabindContext._resolveAndValidateGeneric() validating only the raw container class name while skipping all nested generic type arguments. No public exploit identified at time of analysis, but the GHSA advisory includes a proof-of-concept configuration and payload structure.

Canonical Deserialization Jackson Databind +1
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary file write and command execution in Glances (Python system monitoring tool) versions 4.0.8 through 4.5.4 allows attackers with the ability to modify glances.conf to abuse shell-like operators (`>`, `|`, `&&`) interpreted by the `secure_popen()` function inside AMP module command configuration. The flaw bypasses the `--disable-config-exec` mitigation introduced for CVE-2026-33641, since that flag only blocks backtick execution in `config.get_value()` and not operator parsing in `secure_popen()`. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-3vwc-qwhc-3mj7), but no public exploit identified in active campaigns at time of analysis.

Python Path Traversal Suse
NVD GitHub VulDB
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via configparser.write() to smuggle arbitrary keys and values into the resulting INI-style configuration file by embedding carriage return (\r) characters. All CPython versions are listed as affected per the NVD CPE wildcard, and any Python application that writes attacker-influenced data to config files via configparser is a candidate target. No public exploit has been identified at time of analysis; CVSS 4.0 scores this at 4.1 (Medium) with high privilege requirements and specific attack conditions.

Code Injection Cpython Red Hat +1
NVD GitHub VulDB
CRITICAL PATCH Act Now

Heap overflow in rsyslog's contributed imhttp module allows remote unauthenticated clients to corrupt the rsyslog process heap by sending an oversized HTTP Basic Authentication header. The root cause is a one-character typo - `calloc(0, len)` instead of `calloc(1, len)` - which allocates zero or minimal bytes before the Base64 decoder writes up to `len` bytes into the buffer. The practical expected impact is denial of service (rsyslog process crash); remote code execution is theoretically possible but depends on heap allocator behavior, compiler hardening, and platform. No public exploit identified at time of analysis, and the vulnerability is not in CISA KEV.

Buffer Overflow Denial Of Service Suse
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Heap use-after-free in ImageMagick's meta coder allows remote attackers to crash the process by submitting a specially crafted image file that triggers a memory allocation failure, causing a single byte write to a stale (freed) pointer. Affected versions are ImageMagick before 7.1.2-15 and 6.9.13-40, as well as Magick.NET NuGet wrapper packages before 14.10.3. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that reliable exploitation requires specific memory allocation failure conditions rather than straightforward request-and-crash triggering.

Use After Free Denial Of Service Memory Corruption +3
NVD GitHub VulDB
CVSS 6.5
MEDIUM PATCH This Month

Cache poisoning in python-zeroconf before 0.149.16 allows any unauthenticated adjacent-network attacker to inject attacker-controlled DNS records into the local mDNS cache by multicasting a single crafted UDP packet on port 5353. The parser in `_read_character_string` and `_read_string` advanced its offset by a caller-declared length without validating it against the actual packet buffer size; Python's silent slice truncation meant over-advertised records were accepted and committed to `DNSCache` and `ServiceInfo` intact. The vendor manually downgraded severity to low, noting no RCE or OOM risk, but characterizes this as a building block for higher-impact chains in downstream consumers such as Home Assistant. No public exploit code has been identified and the vulnerability is not in CISA KEV.

Python Information Disclosure Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

DNS rebinding against the Glances XML-RPC server (`glances -s`) allows a network-adjacent or remote attacker to exfiltrate the full system monitoring dataset - including process command lines that routinely contain secrets - from a victim's browser without any authentication. The `GlancesXMLRPCHandler` in `glances/server.py` accepts arbitrary HTTP `Host` headers without validation, an omission that persists while the REST/WebUI server received an equivalent fix (TrustedHostMiddleware, v4.5.2) and the MCP server was protected since v4.5.1. No active exploitation is confirmed (not in CISA KEV), but a detailed proof-of-concept is published in the vendor's GitHub security advisory GHSA-w856-8p3r-p338 and the attack is materially amplified by the companion CORS wildcard issue CVE-2026-46608.

Kubernetes Docker RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python +3
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.

Docker Python Privilege Escalation +3
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via command injection in Glances 4.5.5_dev1 and earlier allows users with libvirt domain-creation rights to execute arbitrary commands as the Glances process owner (typically root on hypervisor hosts). The flaw lives in the KVM/QEMU monitoring plugin, where VM domain names parsed from `virsh list --all` are interpolated into command strings handled by `secure_popen()`, which intentionally treats `&&`, `|`, and `>` as control operators. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA-v5r2-qh84-fjx5 advisory.

Command Injection Ubuntu Debian +3
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Infinite loop denial-of-service in pypdf prior to 6.13.1 allows an attacker to hang any process that merges a crafted PDF containing cyclic article/thread structures. The vulnerability exists in the `_add_articles_thread()` method of `_writer.py`, which traversed PDF article bead linked-list structures without cycle detection, permitting a self-referential `/N` (Next) pointer chain to create an irrecoverable loop. No public exploit code or CISA KEV listing exists at time of analysis, but the upstream PR diff publicly discloses the precise triggering structure, lowering the bar for exploitation against vulnerable merge pipelines.

Denial Of Service Python Pypdf +2
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.

Path Traversal Denial Of Service Qsnapper +1
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Use-after-free in libexpat before 2.8.2 arises from the `doCdataSection` function omitting `beforeHandler`/`afterHandler` depth-tracking calls for `XML_TOK_DATA_CHARS` tokens during CDATA section parsing - an incomplete fix for the related CVE-2026-50219. When a policy violation occurs during handler callback invocation in this code path, the parser's internal call-depth counter becomes inconsistent, enabling a use-after-free condition. An attacker supplying specially crafted XML to any libexpat-consuming application may trigger limited memory corruption, information disclosure, or availability impact under high-complexity conditions; no public exploit is identified at time of analysis and no CISA KEV listing exists.

Information Disclosure Use After Free Memory Corruption +3
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in the xmlwf utility bundled with libexpat before 2.8.2 enables heap corruption via XML documents containing an excessive number of NOTATION declarations in a DOCTYPE block. The flaw in endDoctypeDecl allows a crafted XML file to wrap a signed integer counter, producing an undersized heap allocation that can be overflowed with high confidentiality and integrity impact. No confirmed active exploitation (not in CISA KEV) and no public exploit code have been identified at time of analysis; vendor-released patch is available in libexpat 2.8.2.

Integer Overflow Buffer Overflow Libexpat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's xmlwf tool allows an attacker supplying a crafted XML file with an excessively long DOCTYPE system identifier to trigger a heap buffer overflow via the resolveSystemId function. All libexpat versions before 2.8.2 are affected; the root cause is an unchecked size_t arithmetic operation - both the addition of string lengths and the subsequent multiplication by sizeof(XML_Char) - before a malloc call. No public exploit has been identified at time of analysis, and exploitation requires local access under high-complexity conditions per the CVSS:3.1/AV:L/AC:H vector.

Integer Overflow Buffer Overflow Libexpat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Integer overflow in the `xmlwf` command-line utility bundled with libexpat before 2.8.2 allows heap buffer overflow when the `-d outputDir` flag is used with extremely long path values. The overflow occurs during malloc size calculation - `(tcslen(outputDir) + tcslen(file) + 2) * sizeof(XML_Char)` - wrapping the size_t to a near-zero value, causing an undersized allocation followed by out-of-bounds write during filename construction. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the heap overflow primitive is well-understood and could yield code execution in automated XML processing pipelines.

Integer Overflow Buffer Overflow Libexpat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's copyString function (xmlparse.c) allows heap buffer overflow when processing specially crafted XML input, affecting all libexpat versions before 2.8.2. The missing bounds check on a size multiplication permits an attacker-controlled string length to wrap around SIZE_MAX, producing an undersized heap allocation that is subsequently overwritten - enabling potential memory corruption, arbitrary code execution, or data disclosure in any application consuming the library. No public exploit has been identified at time of analysis; a vendor-released patch is available in libexpat 2.8.2.

Integer Overflow Buffer Overflow Libexpat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat before 2.8.2 allows heap corruption during XML prolog parsing when accumulated entity value pool length exceeds INT_MAX, yielding high confidentiality and integrity impact per CVSS. The flaw resides in doProlog and the related storeSelfEntityValue path, where poolLength() return values are cast to signed integers without bounds validation - a gap closed in the upstream fix via explicit INT_MAX guards. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the widespread use of libexpat as a dependency across system tools, language runtimes, and XML-processing services means the blast radius of a weaponized exploit would be broad.

Integer Overflow Buffer Overflow Libexpat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's XML_ParseBuffer function allows potential heap corruption leading to high-confidentiality and high-integrity impact in all libexpat versions before 2.8.2. The overflow occurs because XML_ParseBuffer lacked a bounds check on the byte index accumulator that was already present in the sibling XML_Parse function - a defensive guard omitted asymmetrically between two code paths. Any application that routes XML input through XML_ParseBuffer (a common pattern in incremental parsing) is exposed. No public exploit has been identified at time of analysis and no KEV listing exists, but the high C and I CVSS impact ratings reflect the potential for code execution via heap corruption.

Integer Overflow Buffer Overflow Libexpat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's getAttributeId routine exposes any application embedding libexpat before version 2.8.2 to memory corruption with high confidentiality and integrity impact when parsing specially crafted XML documents. The flaw occurs when an internal counter traversing the attribute ID table reaches INT_MAX and wraps, producing an invalid index that can corrupt adjacent heap memory. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, but a vendor-released patch is available in libexpat 2.8.2 and upgrade is the recommended remediation.

Integer Overflow Buffer Overflow Libexpat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's addBinding function (xmlparse.c) before version 2.8.2 allows memory corruption during XML namespace binding processing, with high confidentiality and integrity impact. All libexpat releases from 0 through 2.8.2-pre are affected (CPE: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*), encompassing a significant downstream attack surface given the library's widespread use in Python, PHP, and system utilities. No public exploit or active exploitation has been confirmed at time of analysis; the official CVSS 3.1 score of 6.9 reflects meaningful impact tempered by high attack complexity and a local attack vector.

Integer Overflow Buffer Overflow Libexpat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's storeAtts() function before version 2.8.2 allows heap buffer corruption during XML namespace attribute processing. When an XML document contains namespace-qualified attributes whose prefix name or local-part name approaches or exceeds INT_MAX bytes, the combined expanded-name length calculation wraps to a small integer, causing allocation of an undersized heap buffer followed by an out-of-bounds write during the memcpy phase. The vendor CVSS scores this 6.9 with High confidentiality and integrity impact; no public exploit has been identified at time of analysis and the CVE is not listed in the CISA KEV catalog.

Integer Overflow Buffer Overflow Libexpat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Integer overflow in ImageMagick's PSB/PSD v2 RLE decoder (ReadPSDChannelRLE in coders/psd.c) causes a heap out-of-bounds read exclusively on 32-bit builds, enabling information disclosure or process crash when processing attacker-controlled PSB files. Affected versions span ImageMagick below 7.1.2-15 and 6.9.x below 6.9.13-40, with corresponding Magick.NET NuGet packages below 14.10.3 also confirmed vulnerable. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that exploitation is constrained to 32-bit deployments processing untrusted PSB input.

Information Disclosure Buffer Overflow Imagemagick +2
NVD GitHub VulDB
Prev Page 6 of 104 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy