Debian

Vendor security scorecard – 15 CVEs in the selected period

Summary metrics (selected period):

Risk: 30
CVEs: 15
Critical: 1
High: 5
KEV: 0
PoC: 0
Unpatched C/H: 0
Patch Rate: 100.0%
Avg EPSS: 0.0%

Severity Breakdown

CRITICAL: 1
HIGH: 5
MEDIUM: 5
LOW: 0

Monthly CVE Trend

Top Risky CVEs

Columns: CVE, Summary, Severity, CVSS, EPSS, Priority, Signals (no Signals values were reported for any entry).

- CVE-2026-43407 (CRITICAL, CVSS 9.1, EPSS 0.0%, Priority 46): Integer overflow in the Linux kernel's libceph authentication handler enables remote memory corruption and a potential system crash on unpatched systems. A malicious Ceph monitor can send a specially crafted CEPH_MSG_AUTH_REPLY message with payload_len exceeding INT_MAX, causing ceph_handle_auth_reply() to underflow a pointer and trigger out-of-bounds memory access. This allows remote unauthenticated attackers to potentially read sensitive kernel memory (high confidentiality impact) or crash the kernel (high availability impact) on systems using Ceph storage. CVSS 9.1 (Critical) reflects a network attack vector with no authentication or user interaction required. The EPSS score of 0.02% (7th percentile) suggests low observed exploitation likelihood. Vendor patches are available for all affected kernel series (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0), but no active exploitation has been confirmed via CISA KEV.
- CVE-2026-44565 (HIGH, CVSS 8.1, EPSS 0.1%, Priority 41): Path traversal in Open WebUI's file upload mechanism allows authenticated attackers to write and subsequently delete arbitrary files on the server filesystem. Discovered by Taylor Pennington of KoreLogic, this vulnerability affects the /ollama/models/upload API endpoint, where unsanitized filename parameters enable directory traversal using dot-segments. The vulnerability requires low-privilege authentication (PR:L) and has straightforward exploitation (AC:L), confirmed by a published GitHub security advisory (GHSA-j3fw-wc48-29g3) with working proof-of-concept code. A vendor-released patch is available in version 0.6.10. No evidence of active exploitation (not in CISA KEV) at time of analysis.
- CVE-2026-44594 (HIGH, CVSS 7.5, EPSS –, Priority 38): ### Summary A Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json`. An attacker
- CVE-2026-47269 (HIGH, CVSS 7.4, EPSS 0.1%, Priority 37): Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH while the module's deny_remote protection wrongly classifies the connection as a local terminal session. The root cause is an incomplete check of the utmpx ut_addr_v6 field that misreads IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) as having no remote address, which is the normal way Debian and Ubuntu record incoming IPv4 SSH connections when sshd listens on the IPv6 wildcard. No public exploit was identified at time of analysis and the CVE is not in CISA KEV, but the operation needed to trigger it is trivial once the operator possesses a registered token.
- CVE-2026-44567 (HIGH, CVSS 7.3, EPSS 0.1%, Priority 37): # **CONFIDENTIAL** # Vulnerability Disclosure Analysis Documentation --- ## Vulnerability Details | # | Field | Value | |---|-------|-------| | 1
- CVE-2026-44566 (HIGH, CVSS 7.3, EPSS 0.1%, Priority 37): # **CONFIDENTIAL** # KL-CAN-2024-002 ## Vulnerability Details | # | Field | Value | |---|-------|-------| | 1 | **Discoverer** | Jaggar Henry & Sea
- CVE-2026-9150 (MEDIUM, CVSS 6.5, EPSS 0.0%, Priority 33): Stack-based buffer overflow in libsolv's Debian metadata parser allows remote, unauthenticated attackers to cause a denial of service by serving maliciously crafted Debian repository metadata containing SHA384 or SHA512 checksum tags. The root cause, confirmed by the GitHub PR #616 diff, is a statically allocated 65-byte stack buffer in `ext/repo_deb.c` sized only for SHA256 digests, which is overflowed by the larger SHA384 (96 hex chars) and SHA512 (128 hex chars) values. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; an upstream fix is available as an open pull request.
- CVE-2026-43252 (MEDIUM, CVSS 5.5, EPSS 0.0%, Priority 28): Denial of service via a kernel warning in the MPTCP path manager occurs when endpoint removal is combined with fullmesh and flag-setting operations through netlink in the Linux kernel. A local attacker with low privileges can trigger a WARNING in net/mptcp/pm_kernel.c:1074 by sending a crafted sequence of netlink commands, causing the system to emit a kernel warning and potentially become unstable. No known public exploit code exists, but the low CVSS (5.5) and minimal EPSS (0.03%) indicate this is a local DoS with limited real-world impact.
- CVE-2026-43046 (MEDIUM, CVSS 5.5, EPSS 0.0%, Priority 28): Kernel denial of service via crafted btrfs metadata allows local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with a zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects a local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.
- CVE-2026-35527 (MEDIUM, CVSS 5.3, EPSS 0.0%, Priority 27): Blind server-side request forgery in Incus allows authenticated users to trigger arbitrary HEAD requests to internal or external endpoints during image import preflight validation, bypassing the restricted.images.servers project restriction. While the actual image download is blocked by project policies, the preflight HEAD request executes before validation occurs, enabling attackers to probe internal services, cloud metadata endpoints, or unroutable address space reachable from the Incus host. No public exploit code was identified at time of analysis, though proof-of-concept reproduction is documented in the advisory.
- CVE-2026-47271 (MEDIUM, CVSS 5.1, EPSS 0.0%, Priority 26): pam_usb prior to 0.9.0 crashes under memory pressure because its assert()-based OOM guards in src/mem.c are silently stripped by standard distribution build flags, enabling a local denial of service against authentication subsystems. Any allocation failure in xmalloc(), xrealloc(), or xstrdup() returns NULL, which every caller then dereferences unconditionally; the intended abort-before-dereference guarantee exists only in debug builds, not in Debian, Fedora, or Arch Linux packages that define -DNDEBUG via CFLAGS. A local attacker who can induce memory pressure at authentication time causes the PAM module to crash, locking all users out of sudo and login for the duration of the crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
- CVE-2026-43080 (CVSS –, EPSS 0.0%, Priority –): In the Linux kernel, the following vulnerability has been resolved: l2tp: Drop large packets with UDP encap syzbot reported a WARN on my patch serie
- CVE-2026-45898 (CVSS –, EPSS 0.0%, Priority –): In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removing work_list The commit e1168f
- CVE-2026-45924 (CVSS –, EPSS 0.0%, Priority –): In the Linux kernel, the following vulnerability has been resolved: ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths There are two
- CVE-2026-45965 (CVSS –, EPSS 0.0%, Priority –): In the Linux kernel, the following vulnerability has been resolved: apparmor: fix invalid deref of rawdata when export_binary is unset If the export